Addressing Unmanaged Users and Ensuring a Secure Environment for GCP Resources

BE.

The scenario requires creating corporate user accounts for developers and operational staff who require direct access to GCP resources. To maintain user identity in a third-party identity management provider and leverage single sign-on, Google recommended practices for converting existing unmanaged users to managed accounts should be followed. A significant number of users are using their corporate domain email addresses for personal Google accounts, and it's necessary to convert these unmanaged accounts to managed accounts.

The following are the recommended actions to take:

A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity. Google Cloud Directory Sync (GCDS) is a tool that can be used to synchronize user accounts, groups, and other information from an on-premises identity management system to Cloud Identity. By using GCDS, you can ensure that user accounts are automatically created and maintained in Cloud Identity based on the information in your local identity management system. This action will help ensure that user identities are maintained in a third-party identity management provider.

B. Use the Google Admin console to view which managed users are using a personal account for their recovery email. The Google Admin console provides a way to view and manage user accounts and settings in GCP. By using the Admin console, it is possible to view which managed users are using a personal account for their recovery email. This action will help identify which users have unmanaged personal Google accounts and will need to be converted to managed accounts.

C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts. After identifying the users who have unmanaged personal Google accounts, the next step is to add these users to the managed Google account and force them to change the email addresses associated with their personal accounts. This action will ensure that the users' personal accounts are converted to managed accounts and that their corporate domain email addresses are used for the managed accounts.

D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts. The Transfer Tool for Unmanaged Users (TTUU) is a tool that can be used to identify users who have conflicting accounts and assist them in transferring their personal Google accounts to their managed accounts. This action will help ensure that users are not left with conflicting accounts and that their personal accounts are transferred to the managed accounts.

E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately. Sending an email to all employees asking them to delete their personal Google accounts is not the recommended action. It's not necessary to ask users to delete their personal accounts; instead, their personal accounts should be converted to managed accounts using the recommended actions mentioned above.

Therefore, the recommended actions to take are A and C: Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity and add users to your managed Google account and force users to change the email addresses associated with their personal accounts.