2factor auth audit


Rance Hall

Oct 15, 2021, 4:49:50 PM
to GAM for G Suite

For insurance reasons, we have to verify 2factor setup, and it's come up that despite a control setting that requires all users to have MFA set up, some users just don't have MFA configured.

So the audit doesn’t prove that all users have 2FA enabled that are supposed to.

Issues:

  1. Looks like the sync rules might not be suspending accounts that are not included in the sync correctly.
  2. Some system accounts probably can’t function correctly with 2FA enabled since there are tools/scripts using those accounts.

I’ll address these issues next week but would like to look at a gam script that discovers active users that don’t have 2FA enabled.

I’ve briefly looked at GAM documentation and the GAM scripts repo, but didn’t see anything I thought could be useful.

Thoughts?

-- 

Rance Hall

Application Specialist

ESU 10

308-698-1919

Some days are better, some days are worse.

Look for the blessing instead of the curse.


Ross Scroggs

Oct 15, 2021, 5:22:22 PM
to google-ap...@googlegroups.com
Rance,

gam redirect csv User2Sv.csv print users fields primaryemail,name,isenrolledin2sv,isenforcedin2sv


Ross


--

Jay Lee

Oct 15, 2021, 5:26:03 PM
to google-ap...@googlegroups.com
The admin console setting to require 2sv is absolute. Users can't override it. If they don't have 2sv on then they can't log in.

If you are seeing different I'd suggest opening a ticket with Google support.

Jay

--

Kim Nilsson

Oct 18, 2021, 5:32:28 AM
to GAM for Google Workspace
Forcing all users to logout could be a way to get the rule to kick in.
However, do note that the forced 2FA setting, like most others, affects the OU where it is set and its child OUs, but can be overridden by membership of a group, which is easy to miss. And like all other settings it needs to propagate, so depending on how many users you have, it can take a while.
/Kim
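As an added example that is not part of this thread and is not GAM's own code: a small Python script that post-processes the CSV written by Ross's command so the result matches what Rance actually asked for (active users without 2SV) and separates the cases Jay and Kim describe. It assumes the command is extended with the `suspended` field so suspended accounts can be excluded, assumes GAM writes the API field names as column headers (primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) with booleans as the strings True/False, and uses a constructed sample CSV in place of real output. Users who are neither enrolled nor enforced are the ones to check against Kim's point about OU inheritance and group overrides.

```python
"""
Audit GAM 'print users' CSV output for active users missing 2-Step Verification.

Assumed producing command (Ross's command plus the `suspended` field):

    gam redirect csv User2Sv.csv print users fields primaryemail,name,isenrolledin2sv,isenforcedin2sv,suspended

Assumed CSV headers: primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended
(booleans written as the strings "True"/"False").
"""
import csv
import io
import sys

# Constructed sample standing in for User2Sv.csv; these are not real accounts.
SAMPLE_CSV = """primaryEmail,name.fullName,isEnrolledIn2Sv,isEnforcedIn2Sv,suspended
alice@example.edu,Alice Example,True,True,False
bob@example.edu,Bob Example,False,True,False
svc-backup@example.edu,Backup Service,False,False,False
carol@example.edu,Carol Example,False,False,True
"""


def _truthy(value):
    """GAM writes Python booleans as 'True'/'False'; compare case-insensitively."""
    return str(value).strip().lower() == "true"


def classify_users(csv_text):
    """Bucket every row of the CSV by its 2SV state.

    ok                        - active and enrolled in 2SV
    not_enrolled_but_enforced - enforcement applies but the user has not enrolled yet
    not_enforced              - active, not enrolled, and enforcement is NOT applied:
                                the policy is not reaching this user (OU placement,
                                group override, or propagation still pending)
    suspended                 - not an active account; excluded from the audit
    """
    result = {"ok": [], "not_enrolled_but_enforced": [], "not_enforced": [], "suspended": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["primaryEmail"]
        if _truthy(row.get("suspended", "False")):
            result["suspended"].append(email)
            continue
        enrolled = _truthy(row.get("isEnrolledIn2Sv", "False"))
        enforced = _truthy(row.get("isEnforcedIn2Sv", "False"))
        if enrolled:
            result["ok"].append(email)
        elif enforced:
            result["not_enrolled_but_enforced"].append(email)
        else:
            result["not_enforced"].append(email)
    return result


def active_without_2sv(csv_text):
    """The list Rance asked for: active users that do not have 2SV enabled."""
    buckets = classify_users(csv_text)
    return sorted(buckets["not_enrolled_but_enforced"] + buckets["not_enforced"])


def report(csv_text):
    """Human-readable summary, one section per bucket."""
    buckets = classify_users(csv_text)
    lines = []
    for name, emails in buckets.items():
        lines.append(f"{name} ({len(emails)}):")
        lines.extend(f"  {e}" for e in emails)
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path to the real User2Sv.csv; without an argument, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    print(report(text))
```

Run it as `python audit_2sv.py User2Sv.csv` after the gam command has produced the file. The `not_enforced` bucket is the interesting one for the insurance audit: an active user there is not being held to the policy at all, which is where an OU placed outside the enforced tree or a group-based override (Kim's caveat) would show up; `not_enrolled_but_enforced` users are covered by the policy but have not completed enrollment.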