What’s changing
We’re pleased to announce the ability to label a Google Group as “Locked” is now generally available. When a group is “locked”, it heavily restricts the ability to change group attributes, such as the group name & email address) and memberships.
This is helpful when admins need to sync their groups from an external source and want to prevent things from getting out of sync or want to restrict changes to sensitive groups in general.
.png)
The Group Details page in the Admin console shows a “Locked” label on the group, with the message “You can’t update this group - it might be managed by an external identity system.”
Who’s impacted
Admins
Why it’s important
If you use third-party tools, like Entra ID, to manage group synchronization, you may encounter inconsistencies when modifications are made to these groups, like adding or removing members, for example. To help address this, we’re introducing the option to “lock” a group, which will prevent modifications within Google Workspace and help maintain synchronization with the external source.
When a group is locked, only certain admins* can modify:
- The group name, description, email, and alias(es)
- Group labels
- Memberships (adding or removing members) and member restrictions
- Membership roles
- Delete the group
- Set up a new membership expiry
When a group is locked, access and content moderation settings are not affected, this includes:
- Who can post
- Who can view members
- Who can contact members
- Membership removals due to an existing membership expiry
- Access or content moderation settings
*Super Admins, Group Admins, and Group Editors with a condition that includes “Locked Groups”
Additional details
By default, the changes listed above will be restricted from end users, including group owners and managers of a locked group. If you want to also restrict some admins from making these changes in the Admin Console or APIs, you can assign them the Group Editor role with a condition that excludes locked groups.
The ability to lock or unlock a group using the “Locked” label is available to Super Admins, Group Admins, or a custom role with the “Manage Locked Label” privilege. Lock a group using the “Locked” group label in the Admin Console, or the Cloud Identity Groups API.
Getting started
- Admins: Visit the Help Center to learn more about locking groups and assigning the Group Editor role with conditions. Use our developer documentation to learn more about managing locked groups with the Cloud Identity Groups API.
- End users: There is no end user action required.
Rollout pace
- Rapid Release and Scheduled Release domains: Available now.
Availability
Available for Google Workspace:
- Enterprise Standard and Plus
- Enterprise Essentials Plus
- Education Standard and Plus
- Also available to Cloud Identity Premium customers