2FA Enrollement management

26 views
Skip to first unread message

ANTONIO PULIDO ALARIO

unread,
Feb 10, 2026, 8:44:44 AM (11 days ago) Feb 10
to GAM for Google Workspace
Hello.

We have a group called <2fa-exceptions> in which we temporarily add users who have lost access to their second authentication method (due to loss or theft, for example) so that they are not required to use 2FA until they set up a new method. The problem is that the support team often forgets to remove the user from the group once 2FA is activated. What would be the command to remove users who have 2FA activated from that group? 
Thank you very much.

Ross Scroggs

unread,
Feb 10, 2026, 10:36:05 AM (11 days ago) Feb 10
to google-ap...@googlegroups.com

* See: https://github.com/GAM-team/GAM/wiki/CSV-Output-Filtering#column-row-filtering

# Get members of the group that are enrolled in 2Sv

gam config csv_output_row_filter "isEnrolledIn2Sv:boolean:true" redirect csv ./IsEnrolledIn2Sv.csv group <2fa-exceptions> print users fields isEnrolledIn2Sv,isEnforcedIn2SV


See: https://github.com/GAM-team/GAM/wiki/Groups-Membership#delete-members-from-a-group

See: https://github.com/GAM-team/GAM/wiki/Collections-of-Users#selected-users-in-a-csv-filegoogle-sheetgoogle-docgoogle-cloud-storage-object

# Delete them (remove preview to actually perform thr deletions)

gam update group <2fa-exceptions> delete preview csvfile IsEnrolledIn2Sv.csv:primaryEmail


Ross

----
Ross Scroggs



--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/a338ff27-700c-4d7b-beb4-bcb418550d1an%40googlegroups.com.

ANTONIO PULIDO ALARIO

unread,
Feb 11, 2026, 5:24:25 AM (10 days ago) Feb 11
to GAM for Google Workspace
Thank you very much! It works like a charm.
Since I don't need to keep track of users who are removed from the group, I will use a redirect from the first command to the second:

gam config csv_output_row_filter "isEnrolledIn2Sv:boolean:true"  group 2fa-exc...@mydomain.org print users fields isEnrolledIn2Sv | gam csv - gam update group 2fa-exc...@mydomain.org remove member ~primaryEmail

Thanks again, Ross.
Reply all
Reply to author
Forward
0 new messages