Get Google Unmanaged Accounts under control with Zygon

September 6, 2024

Unmanaged Google accounts created with company email addresses pose security and management risks because they remain outside the control of organizational administrators. Claiming your domain and converting these accounts to managed ones mitigates these risks.

Potentially, you have no control over Google unmanaged accounts

Imagine your company’s email services are hosted on a platform such as an on-premises Exchange server, Microsoft 365, or GoDaddy email.

If an employee (tom@acme.com) needs access to Google services, they might create a personal Google account using their company email. This account could be used for activities such as managing Google Analytics, getting SaaS access via OIDC, or accessing Google Drive documents.

Once the account is created, it’s linked to your company domain but remains entirely unmanaged by your organization. As an admin, you have no control over this account: you cannot access its password, view activity logs, or manage it through your own email systems. Any password resets or changes made in your company’s email system will not affect this Google account.

In other words, these accounts are created independently by users using one of your organization’s domains. Since these accounts are personally managed by the individual who created them, they are not under the control of Cloud Identity administrators, nor do they belong to domain-verified customers.
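
One way to spot these accounts from the relying-party side, as an added example that is not Zygon's or Google's code: Google includes the `hd` (hosted domain) claim in an OIDC ID token only when the account belongs to a Google Workspace or Cloud Identity organization, so a verified token with a corporate email address and no `hd` claim comes from an unmanaged account. The domain set, the departed-employee list and the sample sign-in records below are constructed assumptions.

```python
"""Added example: flag unmanaged Google accounts from OIDC ID-token claims."""

CORP_DOMAINS = {"acme.com"}   # assumption: domains your organization owns
DEPARTED = {"tom@acme.com"}   # constructed offboarding list

# Constructed claim sets, as they would look after the OIDC library has
# already verified the token signature, iss, aud and exp.
SAMPLE_SIGN_INS = [
    {"sub": "1001", "email": "ana@acme.com", "email_verified": True, "hd": "acme.com"},
    {"sub": "1002", "email": "tom@acme.com", "email_verified": True},
    {"sub": "1003", "email": "lee@acme.com", "email_verified": True},
    {"sub": "1004", "email": "pat@example.org", "email_verified": True},
    {"sub": "1005", "email": "kim@acme.com", "email_verified": False},
]


def classify(claims, corp_domains=CORP_DOMAINS):
    """Return 'external', 'managed', 'unverified' or 'unmanaged'."""
    email = str(claims.get("email", "")).lower()
    domain = email.rpartition("@")[2]
    hd = str(claims.get("hd", "")).lower()
    if domain not in corp_domains:
        return "external"        # not one of our addresses
    if hd in corp_domains:
        return "managed"         # account lives in our Google organization
    if claims.get("email_verified") is not True:
        return "unverified"      # address ownership not confirmed by Google
    return "unmanaged"           # corporate address, no hd: consumer account


def audit(sign_ins, departed=DEPARTED):
    """List unmanaged accounts; those of departed employees rank first."""
    findings = []
    for claims in sign_ins:
        if classify(claims) != "unmanaged":
            continue
        email = claims["email"].lower()
        severity = "high" if email in departed else "medium"
        findings.append((severity, email, claims.get("sub")))
    return sorted(findings)      # "high" sorts before "medium"


if __name__ == "__main__":
    for finding in audit(SAMPLE_SIGN_INS):
        print(finding)
```
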

Risks are underestimated but real

As a result, your organization has no oversight over the configuration, security, or lifecycle of these accounts. These unmanaged accounts are often called personal or consumer accounts because the user registered for Google consumer services with their company email address.

This situation is common, but it’s not ideal for managing your users and securing their work data. A business-related unmanaged account that uses a corporate email address presents two main risks to your organization:

  • Account deactivation when an employee leaves the organization: You have no control over the life cycle of an unmanaged user account. If an employee departs from the company, they could continue using the unmanaged account to access corporate resources (like Google Services or Apps they logged into while employed) or to incur corporate expenses.
  • Social Engineering Risk: even if you revoke access to all resources, an unmanaged account can still present a risk. Since the account uses a seemingly legitimate identity with your company’s domain, a former employee might persuade current employees or business partners to grant access to resources once more—such as a sensitive Drive file or a social network. This former employee might exploit the unmanaged account to engage in activities that violate your organization’s interests.

The solution is simple and free

  • Step 1: Claim your domain name on Google. Once you become a Google Workspace administrator, you can:
    • Set policies for handling conflicting accounts during user provisioning
    • Invite unmanaged users to convert their accounts to managed ones within your domain
  • Step 2: Integrate your Google Workspace with Zygon to gain visibility into all apps and accounts that were previously unmanaged. Additionally, a new identity source will be created for each user found in Google Workspace. New apps and accounts are automatically added to Zygon.
