Turn off 2-Step Verification for a user via API as a Google Apps super admin

3

6

As part of our "off-boarding" process for employees leaving the company, as super admins we use the Google Apps Admin SDK Directory API to change the user's password so that they can no longer access their account. Then we log in to do a Google Takeout, reset passwords for their other accounts, etc.

However, we recently decided to enforce 2-Step Verification for all of our users. So now when we go to log in to their account, it sends a code to their phone.

Since 2-Step is enforced for their SubOrg, we can't even turn it off through the admin console. So all I can do now is to have the API move the user to a different SubOrg where the 2-Step enforcement setting is turned off, and then manually turn off 2-Step.

Is there any way to programmatically turn off 2-Step verification for an account?

I looked in the Google Apps Admin SDK Directory API Users:update documentation, but it doesn't seem to have anything to do with 2-Step.

The Reports API can find out the user's enrollment status, but it's read-only for reporting purposes.

Trustbuster answered 4/8, 2015 at 11:55 Comment(0)
1

What you are doing is the correct way to remove the 2-Step Verification. As you mentioned, if it is enforced under an Organization Unit, removing it would go against that rule, and that's why you are not able to do it unless you move the user to another OU where this is not enforced.

I was not able to find a way to do this programmatically. However, you could suspend the user. After that, the user won't be able to access that account. The account will still be visible in your Admin Console and all the information in the different Google services will remain attached to that account until you finally delete the account.

While the user is suspended, as admin, you can use a service account to impersonate that user. By doing so you can act as that user and edit permissions or transfer the ownership of the files contained in Drive to a different account so those files won't get lost.

I hope this helps.

Gramineous answered 5/8, 2015 at 18:20 Comment(1)
Ok, we already suspend the users anyway, but we have to access their account before they are suspended because we use the Google Takeout tool, which can't be accessed when the user is suspended. As for the Domain-Wide Delegation, that's cool but it can't be done with Apps Script (JavaScript). – Trustbuster
1

The easiest way to do this is to create a Group for which 2FA is exempt (see here: https://support.google.com/a/answer/2370108). Then add the user to that group, then you can click "Disable 2FA" on the user page in the admin console. I'm assuming you can do the same through the API.

The only downside is that this means you'll have a group through which it is possible to exempt users from the 2FA enforcement option. So that's a risk you'll have to accept and a policy you have to carefully check.

Underwear answered 17/5, 2016 at 14:39 Comment(0)
0

I have not found it anywhere in the docs, only the REST request, almost gave up but then typed 'AdminDirectory.T' in the Google Script editor and it offered to autocomplete exactly the thing:

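// Apps Script: the Admin SDK Directory advanced service (AdminDirectory) must be enabled.
const userId = '[email protected]'
// Turns off 2-Step Verification for that user.
AdminDirectory.TwoStepVerification.turnOff(userId)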
Downtoearth answered 22/4, 2023 at 17:41 Comment(0)
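
Added example, not part of any of the answers above: the OU move described in the question combined with the `turnOff` call from the last answer, as one Apps Script function that only moves the account when enforcement applies and returns a record of what it changed for the off-boarding log. The function name, the `directory` parameter (a hypothetical injection point for a stub), the `/Offboarding` path and the address in the usage comment are assumptions.

```javascript
// Added example for Apps Script; needs the Admin SDK Directory advanced service.
// `directory` is a hypothetical injection point so the logic can be exercised
// with a stub; in Apps Script leave it out and AdminDirectory is used.
function turnOff2svForOffboarding(userKey, exemptOuPath, directory) {
  const dir = directory || AdminDirectory;
  const before = dir.Users.get(userKey);
  const record = {
    userKey: userKey,
    originalOuPath: before.orgUnitPath, // kept so the move can be reviewed or undone
    moved: false,
    turnedOff: false,
    stillEnrolled: Boolean(before.isEnrolledIn2Sv)
  };

  // Not enrolled: leave the account in its OU and change nothing.
  if (!before.isEnrolledIn2Sv) return record;

  // Enforcement is set on the OU (as in the question), so the account is
  // moved to the OU without enforcement first, and only if it has to be.
  if (before.isEnforcedIn2Sv && before.orgUnitPath !== exemptOuPath) {
    dir.Users.update({ orgUnitPath: exemptOuPath }, userKey);
    record.moved = true;
  }

  dir.TwoStepVerification.turnOff(userKey);
  record.turnedOff = true;

  // Re-read the user so a change that did not take effect shows up in the record.
  record.stillEnrolled = Boolean(dir.Users.get(userKey).isEnrolledIn2Sv);
  return record;
}

// Constructed usage (placeholder address and OU path):
// Logger.log(JSON.stringify(turnOff2svForOffboarding('leaver@example.com', '/Offboarding')));
```

Logging the returned record for every run keeps the temporary exemption traceable per account.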
