Hello everyone,
We collaborate with our clients using Shared Drives and would like to require that they've enabled 2SV. The goal is to ensure that their accounts have not been compromised when accessing our work documents.
QUESTION: Is there any Google Drive feature or 3rd party solution that would confirm external accounts have 2SV turned on prior to allowing access to the content?
Thanks in advance for any guidance.
Hello!
There's no feature to do this in the Admin Console, even inside your domain.
For example, a user in an OU without 2SV.
That is what I thought. That being said, I want to explore Context-Aware Access, part of the Enterprise subscriptions, that may have a solution using Groups.
You can still set access policies, such as 2-Step Verification, for all members of an organizational unit or group. Context-Aware Access provides additional granular and contextual controls for those users.
I was gonna say that there's no solution for this on context-aware access.
But I remembered that the advanced mode was implemented recently.
Found this documentation:
https://cloud.google.com/access-context-manager/docs/custom-access-level-spec
Tried this entry: request.auth.claims.crd_str.mfa == true
And applied it to Google Sites.
I tried to access Google Sites without 2FA activated in my account and got blocked.
So I think that's a solution.
I think that is it. Thanks for testing!
Love this solution (and context-aware access, too, of course)!
UPDATE: I configured the Advanced Context Aware settings and confirmed they worked with a user inside my organization. It appropriately blocked access to ALL OF DRIVE for the user. I then created a Group and added an external user that does not have 2SV turned on and added them to a Shared Drive. It does not prevent the user from accessing the Shared Drive. I'm working with support to confirm the settings and that the Context Aware solution actually has the targeted capabilities.
NOTE: I'd prefer a way to add Context Aware access to specific Shared Drives rather than to Drive entirely. Maybe I haven't done enough digging to find this feature.
Sorry, I didn't focus on the external users.
Context-Aware Access only works on the users in your organization with the Enterprise license.
It will not work on external users because they don't have this feature.
It would indeed be great to enforce 2SV upon external users wanting to access your data.