What’s changing
Last year, we introduced multi-party approval (MPA), a security feature that requires an admin to approve certain sensitive actions initiated by another admin. Today, we’re enhancing this feature by giving admins more granular controls, specifically:
- Admins can now select which specific settings require multi-party approval.
- Admins can choose separate multi-party approval settings for actions that are supported via API and the admin console, such as single-sign on with a third-party identity provider.
- Super admins can now delegate specific admins to approve MPA actions using the new multi-party approval role for admins.
.png)
You can configure multi-party approval on a per action basis by going to Security > Authentication > Multi-party approved settings in the Admin console
.png)
Account > Admin Roles
Who’s impacted
Admins
Why it’s important
Multi-party approval adds an extra layer of security for sensitive actions taken in the admin console by ensuring sensitive actions are not implemented in a silo and, more importantly, helps prevent unauthorized or accidental changes from being made.
We understand each customer has their own unique definition of security and what constitutes a high-risk action. By introducing more granular controls, we’re giving our customers the authority to decide what features should be subject to multi-party approvals and who has the authority to review these actions, in a way that works best for them, rather than the experience being “all or nothing”.
Additional details
To further strengthen security around sensitive actions, admins now require both 'reviewer' and 'requester' privileges for a given action to conduct its MPA review. This ensures that the approving admin possesses the direct authority to perform the action themselves, reinforcing the integrity of the approval process and preventing approvals from individuals with inadequate underlying permissions.
Getting started
- Admins: This feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approval is OFF by default and can be turned on in the Admin console by going to Security > Multi-party approval settings. Visit the Help Center to learn more about multi-party approval for sensitive actions and pre-built admin roles.
- End users: There is no end user impact or action required.
Rollout pace
- Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 3015 days for feature visibility) starting on June 27, 2025
Availability
- Available to Google Workspace
- Enterprise Standard and Plus
- Education Standard and Plus
- Also available to Cloud Identity Premium customers