Workspace security guide
The Admin Console is the control room for business email. Treat it that way.
Before a Google Workspace setup is handed over, review admins, recovery, 2-step verification, groups, devices, app access, DNS authentication, and support ownership.
Google Workspace security is not only about user passwords. The Admin Console controls users, mail routing, groups, devices, app access, recovery paths, and billing. If admin ownership is weak, the business can lose control of email even when Gmail itself works.
This checklist is for small businesses and implementation handovers. It focuses on practical controls that should be checked before a Workspace setup is considered complete.
Security baseline

Quick answer
Use this checklist before handover:
Admin Console security checklist
- Super admins are limited and named.
- Backup admin exists and belongs to the business.
- Recovery email and phone are owner-controlled.
- 2-step verification is enabled or staged for enforcement.
- User list is current.
- Old vendor accounts are removed or reduced.
- Groups and external posting permissions are reviewed.
- Device access is checked.
- Third-party app access is reviewed.
- SPF, DKIM, and DMARC are documented.
- Support and escalation contacts are recorded.
Google's documentation on administrator roles describes which management controls in the Admin Console each role unlocks. Check the current role guidance before assigning privileges, and prefer a prebuilt or custom role over super admin where one covers the task: Make a user an admin.
Admin access
The number of super admins should be small. A super admin can perform broad administrative actions, so it should not be used as a convenience role for every manager, developer, vendor, or agency.
Admin access review
| Role area | Question to ask | Action |
|---|---|---|
| Super admin | Does this person need full control? | Keep only essential owners |
| Backup admin | Who can recover if owner is unavailable? | Add a business-controlled backup |
| Vendor access | Does the vendor still need admin rights? | Remove or reduce after setup |
| Billing owner | Who can manage payment and plan changes? | Document owner |
| User management | Who adds or removes staff? | Assign a delegated role such as User Management instead of super admin |
Vendor access is a common handover weakness. If an implementation partner sets up Workspace, decide in advance what happens after go-live. Temporary admin access should either be removed or formally documented.
2-step verification and recovery
2-step verification protects accounts when passwords are guessed, phished, leaked, or reused. Admin accounts especially need protection because they can change users, reset passwords, access settings, and affect company mail.
Google's 2-step verification deployment documentation explains where 2SV is configured in the Admin Console and how enforcement settings are applied. Review current guidance before enforcement: Deploy 2-Step Verification.
Secure the owner account first
The business owner or primary admin should have 2SV enrolled, the recovery email and recovery phone verified, and a set of backup codes stored somewhere the business controls before handover.
Avoid locking users out
If enforcing 2SV for all users, stage the rollout by organizational unit, tell users what to enroll and by when, and confirm that every account in scope has a working second factor before the enforcement date.
Keep backup admin access
A second trusted admin reduces risk if the primary admin loses device access.
Audit after staff changes
Remove admin access and group memberships immediately when staff or vendors leave, and sign out their active sessions so a cached login does not outlive the account change.
Recovery should use business-controlled accounts. Do not set the recovery email to a developer's personal Gmail or an employee address that may be deactivated later.
Groups, devices, and apps
Groups can expose information if external posting, membership visibility, or sharing settings are too open. Devices can remain trusted after an employee leaves. Third-party apps can retain access longer than expected.
Review:
Access surface checklist
- Groups with external posting allowed.
- Groups with external members.
- Public-facing groups such as support and sales.
- Devices tied to departed users.
- OAuth apps with broad access.
- Calendar and Drive sharing settings.
- Suspended users and unused accounts.
- Mail forwarding and routing rules, including user-level automatic forwarding, which is a common sign of a compromised mailbox.
For collaborative groups, confirm whether the group should receive mail from outside the company and whether conversations need assignment or moderation. Google Groups settings should match the business workflow, not just the default value.
DNS authentication
Security handover should include email authentication:
DNS authentication handover
| Record | Why it matters | Owner |
|---|---|---|
| SPF | Lists the hosts allowed to send mail for the domain | Workspace or DNS admin |
| DKIM | Signs outbound Gmail with a key published in DNS under the domain's selector | Workspace admin |
| DMARC | Tells receivers how to treat mail that fails SPF or DKIM alignment and where to send reports | Domain owner or IT owner |
| MX | Routes inbound mail to Gmail | DNS admin |
If authentication is incomplete, document what is pending, including the current DMARC policy stage (none, quarantine, or reject) and who owns the move to the next stage. Do not mark the setup complete simply because Gmail opens.
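The following script is an added example, not code from the original page or from Google. It turns the table above into a repeatable handover check: given the raw TXT records for SPF, DKIM, and DMARC, it returns the items that are still pending. The records in `SAMPLE_RECORDS` are constructed for a fictional domain, and the script assumes Google Workspace is the only sanctioned sender (so SPF must include `_spf.google.com`) and that DKIM is published under the Workspace default selector `google`; adjust both if the business sends through other systems or chose a different selector.

```python
"""Check SPF, DKIM and DMARC handover state from raw TXT records (offline)."""
import re

# Constructed sample records for a fictional domain, added for this example.
# Assumption: Google Workspace is the only sanctioned outbound sender and the
# DKIM key lives at google._domainkey.<domain> (the Workspace default selector).
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dkim": {"google": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB"},
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
SPF_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)")


def parse_tags(txt):
    """Parse 'k=v; k2=v2' tag lists as used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 keys may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record, expected_include="_spf.google.com"):
    """Return findings for one SPF TXT record; an empty list means acceptable."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no valid v=spf1 record"]
    terms = record.split()[1:]
    findings = []
    includes = {t.lower().lstrip("+").split(":", 1)[1]
                for t in terms if t.lower().lstrip("+").startswith("include:")}
    if expected_include not in includes:
        findings.append(f"SPF: missing include:{expected_include}")
    lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF: '+all' lets any host send as the domain; use ~all or -all")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no signal; use ~all or -all")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism")
    return findings


def check_dkim(records, selector="google"):
    """Return findings for DKIM TXT records keyed by selector name."""
    txt = records.get(selector)
    if txt is None:
        return [f"DKIM: no record for selector '{selector}' ({selector}._domainkey)"]
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        findings.append("DKIM: v tag is not DKIM1")
    if not tags.get("p"):  # an empty p= means the key was revoked
        findings.append(f"DKIM: selector '{selector}' has an empty p= tag (key revoked)")
    return findings


def check_dmarc(record):
    """Return findings for the _dmarc TXT record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: no valid v=DMARC1 record at _dmarc.<domain>"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; record the move to quarantine/reject as pending")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    return findings


def handover_report(records):
    """Findings per record type; an empty dict means nothing is pending."""
    checks = (("spf", check_spf(records.get("spf"))),
              ("dkim", check_dkim(records.get("dkim", {}))),
              ("dmarc", check_dmarc(records.get("dmarc"))))
    return {name: findings for name, findings in checks if findings}


if __name__ == "__main__":
    for name, findings in handover_report(SAMPLE_RECORDS).items():
        for item in findings:
            print(f"PENDING [{name}]: {item}")
```

To run it against a real domain, fetch the live values first (for example `dig +short TXT example.com`, `dig +short TXT google._domainkey.example.com`, and `dig +short TXT _dmarc.example.com`) and paste them into the dictionary. Paste the output of the report into the handover record; for the sample records it flags only the DMARC `p=none` stage, which is a normal starting point as long as the move to `quarantine` or `reject` has an owner.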
FAQ
How many super admins should a small business have?
Keep super admins limited to essential trusted owners and a documented backup. Use narrower roles where possible.
Should vendors remain admins after setup?
Usually no. Remove or reduce vendor access after handover unless there is an ongoing support agreement and the access is documented.
Can 2-step verification lock users out?
It can if enforced without planning. Stage the rollout, communicate steps, and confirm recovery paths before enforcement.
What should be checked quarterly?
Review admins, users, groups, external sharing, devices, app access, DNS authentication, recovery details, and vendor access.
Is this a full security audit?
No. It is a practical Workspace admin baseline for small businesses. Regulated or high-risk organizations may need deeper security review.