This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Problems completing set up of new google user due to enforcement of 2FA...

Posted on 02-18-2023 03:12 AM
reggie
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi,

My organization has the 2FA enforced. There is a new user that has 2FA turned off, and it is preventing them from completing their initial sign in. From my admin console, i cannot turn it on for them. Is there a workaround to get them set up?

Solved Solved
1 12 9,770
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

Hi @reggie ,

**How to resolve the issue now:

a) move the user to an ou where 2sv enforcement is disabled.

or

b) Generate a backup code for this user:

  1. In the Admin console, go to Menu > Directory>Users.
  2. Click the user you want in the list. 
    You see summary information about that user.Click Security.
  3. Click 2-step verification.
    verification is currently enforced for your organization.
  4. Click Get Backup Verification Codes.
  5. Copy one of the verification codes.
  6. Send the backup code to the user in an IM or text message.
    The user can sign in to their account using a password and the backup code.
  7. Now they can enroll to 2sv methods and start using

View solution in original post

Jump to Solution
12 REPLIES 12

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

Hi @reggie ,

**How to resolve the issue now:

a) move the user to an ou where 2sv enforcement is disabled.

or

b) Generate a backup code for this user:

  1. In the Admin console, go to Menu > Directory>Users.
  2. Click the user you want in the list. 
    You see summary information about that user.Click Security.
  3. Click 2-step verification.
    verification is currently enforced for your organization.
  4. Click Get Backup Verification Codes.
  5. Copy one of the verification codes.
  6. Send the backup code to the user in an IM or text message.
    The user can sign in to their account using a password and the backup code.
  7. Now they can enroll to 2sv methods and start using
Jump to Solution

Posted on --/--/---- --:-- AM
reggie
Bronze 1
Bronze 1
In response to ajojose33333344
Reply posted on --/--/---- --:-- AM

Thank You! that did the trick

Jump to Solution

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
In response to reggie
Reply posted on --/--/---- --:-- AM

Glad to hear that!!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dlandagriffin
Bronze 1
Bronze 1
In response to ajojose33333344
Reply posted on --/--/---- --:-- AM

Help 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

** How to prevent it from happening in the future:

  1. In the Admin console, go to Menu > Security>Authentication>2-step verification.
  2. To give new employees time to enroll before enforcement applies to their accounts, for the New user enrollment period, select a timeframe from 1 day to 6 months.2sv sc.png

During this period, users can sign in with just their passwords and they can complete the 2sv enrollment within the time that you specified.

 

Jump to Solution

Posted on --/--/---- --:-- AM
sdcruz
Bronze 1
Bronze 1
In response to ajojose33333344
Reply posted on --/--/---- --:-- AM

Hi there,

 

I was going through pretty much the same thing --- albeit for most of an organization's  users --- mainly coz the director abruptly decided to enforce 2FA. I tried to to explain that users might get locked out if it wasn't done gradually & that they'd have to be notified, but he was insistent....

Sure enough, soon after I enforced it, at least 2 colleagues got locked out. Fortunately, I'd enrolled my admin account in 2FA a long time back, so addressing the issue just meant disabling the 2FA enforcement again. 

The director then asked me to have Google Support confirm that the 2FA enrollment can only  be done by end-users, & not by admins.  So I created a support ticket, got support to confirm it, & now here I am... ๐Ÿ˜„

If you guys happen to find out of any means to 'apply' the enrollment onto users so that they needn't be notified / relocated into temporary groups, please let me know. Thanks.

 

Cheers.

Jump to Solution

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
In response to sdcruz
Reply posted on --/--/---- --:-- AM

@sdcruz  Hi there,

2 step verification is something that should be done from the user end because it's the way  the user defines "his" 2nd verification method and it's not the admin's piece of cake ๐Ÿ˜…

the admin can only set permission like whether they can enable it or not or whether it should be mandatorily enabled(enforcement.)

Here is the link that supports the statement

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
DavidPooley
Bronze 1
Bronze 1
In response to ajojose33333344
Reply posted on --/--/---- --:-- AM

Hi, does anyone know if the new user enrollment period starts from the date a new account is created, or the date the user first signs into their account?

Thanks.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ajojose33333344
Silver 5
Silver 5
In response to DavidPooley
Reply posted on --/--/---- --:-- AM

@DavidPooley I guess it should be counting from the creation date,anyways i have put it into test will confirm with you in a day.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Afuerst1
Bronze 1
Bronze 1
In response to ajojose33333344
Reply posted on --/--/---- --:-- AM

Hello I was just checking in to see if you were able to come to a conclusion on when the enrollment period starts. Is it account creation or first sign-in, were you able to test? 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
KAM
Gold 2
Gold 2
In response to Afuerst1
Reply posted on --/--/---- --:-- AM

@Afuerst1 it's from account creation not first login.  This KB might help as well if you are trying to minimize disruption: https://apps.google.com/supportwidget/articlehome?hl=en -KAM

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Afuerst1
Bronze 1
Bronze 1
In response to KAM
Reply posted on --/--/---- --:-- AM

Thanks for the info. The weird part is I have an account that was created well outside of the grace period (long time ago), but when it was moved into an OU that enforced 2sv for the first time the grace period went into effect. 

I am noticing accounts that stay in an OU don't have the grace period/enrollment trigger at all when the OU enforces 2sv.

I think it has something to do with the date the account was added to the OU it resides in? I would love to figure out a method to reset that grace period for accounts and setting up 2sv. We have accounts that stay in our system for long times, but need 2sv turned on / off for various processes.

Any info or tips are greatly appreciated!!  Thanks again

Jump to Solution
0 Likes
Top Labels in this Space
Top Solution Authors
View all