Tag Archives: Admin Console

Prevent the downloading, printing, or copying of files by all users with Enhanced IRM for Google Drive Data-Loss Prevention

What’s changing 

Google Drive’s Information Rights Management (IRM) capability protects documents from data exfiltration actions, specifically downloading, printing, and copying. This is useful for making sure that sensitive content is protected from data leakage. 


Historically, this feature has only been applicable to users with either the “viewer” or “commenter” role, which has left administrators unable to apply the setting to users with either “owner” or “editor” roles. To address this, we’re expanding IRM to be applicable to all users, including file editors and owners, when it is applied by a Data Loss Prevention (DLP) rule.

The new Enhanced IRM action, as seen in the DLP Rule creation flow.



Additional details

When an editor or owner is affected by IRM, they will retain the ability to copy and paste document content, but they may only do so within that document. Attempting to paste content outside of the document will not succeed. For more information, please refer to the help center content.


Getting started

  • Admins: DLP rules and CAA levels are applied per-file based on how these rules are configured.
  • End users: Only administrators can set IRM for all user roles on a file. File owners may still only set IRM for viewers and commenters. If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.
A view of the file owner’s IRM setting when an overriding administrator setting is present.

Rollout pace


Availability

  • IRM controls are available for all Google Workspace customers
  • Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
    • Frontline Standard
    • Enterprise Essentials and Enterprise Essentials Plus

Resources


Control whether your users can add account recovery information with two new admin settings


What’s changing

We’re launching two new settings that will allow admins to control whether their users can add recovery email information and phone information to their Google Workspace account. 

By default, the ability to add a recovery email or phone number is ON for most Workspace users and K-12 super admins, but it should be noted that:

  • Adding email and phone recovery information is OFF by default for K-12 users. 
  • Phone number recovery collection is always enabled for super admins regardless of whether it’s disabled in the admin console.

Any changes admins make to these settings will overrule the existing organizational unit (OU) settings, except for super admins as stated above.

Security > Account Recovery > Recovery information


Who’s impacted

Admins and end users


Why it’s important

Adding recovery information to your account is helpful for keeping users’ accounts more secure, recovering users’ accounts as well as evaluating security related events, such as risky logins or re-authentication attempts. However, we know that there are a variety of reasons that customers would want to prevent their users from doing so. For example, turning recovery information off can help customers stay compliant with local privacy regulations, such as GDPR. Or admins can opt to add recovery information themselves. This update gives admins the control to decide which configuration makes the most sense for their users.

Getting started


Rollout pace


Availability

  • Available to all Google Workspace customers.

Resources


Available in open beta: Set up Single-Sign On with custom OpenID Connect profiles

What’s changing 

Beginning today, admins now have the option to set up a custom OpenID Connect (OIDC) profile for single sign-on (SSO) with Google as their Service Provider. OIDC is a popular method for verifying and authenticating the identities - this update gives admins more options for their end users to access cloud applications using a single set of credentials. Previously, only OIDC with pre-configured Microsoft Entra ID profile was supported in addition to SAML.

Custom OIDC profiles can be configured in the Admin console at >Security > Authentication > SSO with third party IdP



Getting started


Rollout pace


Availability

  • Available for all Google Workspace customers except Google Workspace Essentials Starter customers and Workspace Individual Subscribers.
  • Also available for Cloud Identity and Cloud Identity Premium customers

Resources


Available in open beta: migrate messages from Microsoft Teams to Google Chat

What’s changing

Beginning today, we’re expanding our data migration experience to include the ability for Google Workspace admins to migrate conversations  from channels in Microsoft Teams to spaces in Google Chat, making it easier for organizations to onboard and deploy Chat. 

This can be done within the Admin console in a few steps:

  • First, connect to your Microsoft account.
  • Then, upload a CSV of the teams from where you want to migrate the messages. You can specify the source to destination identity mapping by uploading a CSV of the email ID’s from source to target.
  • Next, you’ll enter the starting date for messages to be migrated from Teams. Then you can begin your data migration. 
  • Finally, you’ll complete the migration by making migrated spaces, messages and related conversation data available to Google Workspace users (see our Help Center article for specific details on supported data types).

Starting a chat migration in the admin console

When a migration starts, the UI displays a visual report that breaks down tasks with individual progress bars for tasks that are successfully completed, skipped, failed or have warnings.


The final step to complete the migration is to roll out spaces, making migrated spaces and their content available to users.





Additional details

  • The Chat migration tool doesn’t delete or modify existing Google Chat spaces or messages. 
  • You can also run a delta migration, which will migrate any messages added to Teams channels since the primary migration. Messages that are already successfully migrated are skipped.
  • Once a migration is complete, you can export a report that contains detailed information regarding content that skipped, failed or had warnings during the migration.
  • You can find more information in our Help Center about migrating other forms of data from different types of source accounts.


Getting started

Rollout pace

  • This feature is available now.

Availability

  • Available for all Google Workspace customers

Resources


New Google Chat usage reports provide deeper insights into user engagement

What’s changing

From the introduction of spaces, huddles, voice messages, and more, Google Chat has added major new features and transformed significantly over the past several years. As a result, usage reports for Google Chat are evolving as well. Beginning today, we’re pleased to introduce new, information-rich usage reports to help Workspace administrators understand how their teams are using Google Chat. 


The charts being added are: 
  • User activity: the number of users based on two types (engaged and communicating) in the last 1 day and 28 days over a period of the last 180 days. 
    • “Engaged” users: these users read conversations. These users may, but are not required to, send messages and react to messages.
    • “Communicating” users: these users send or react to messages. The number of communicating users is a subset of engaged users. 
  • Messages sent: the number of messages sent by users of your organization in 1 day, 7 day, and 28 day period over a period of the last 180 days. 
  • Messages sent by conversation type: the number of messages sent in 1 day in direct messages, group and space conversations over a period of the last 180 days. 
  • Messages sent by type: the number of messages sent in 1 day broken out by message type: regular message, voice or video, huddle over a period of the last 180 days. 
  • Messages sent with attachment: the number of messages sent with or without attachments in 1 day over a period of the last 180 days.
  • Messages sent to conversations with external participants: the number of messages sent to conversation that include or may include users external to your organization over a period of the last 180 days.
  • Created spaces*: the number of spaces created by users of your organization in 1 day over a period of the last 180 days 
  • Active spaces*: the number of spaces owned by your organization in 1 day over a period of the last 180 days.

Updated Apps Reports for Google Chat




Admins can view user level data for Google Chat, as you can with Gmail, Drive, and other apps today. Admins can also view how many conversations were read, how many messages were sent, how many attachments* were uploaded, and more. They can also sort this information by specific organizational units or groups to assess adoption or usage within specific parts of organization

User level reporting for Google Chat



*Active Spaces and Created Spaces charts may show different numbers from those in Active Rooms and Active Rooms legacy charts. Active Spaces and Created Spaces charts only count conversations of ‘space’ type; Active Rooms and Created Rooms count conversations of space group conversation types.
*Attachments can be viewed in the security investigation tool.

Who’s impacted

Admins

Why it’s important

The updated reporting aligns trackable metrics with the current Chat experience and provides essential data for analyzing and driving adoption, configuring safety features, and more. 

For instance, admins can gain a deeper understanding of how their users are engaging with chat, differentiating between those who actively participate (send, react) and those who are primarily only reading messages. Organizational leaders  can use these insights to assess the need for further product training to boost adoption. Additionally, monitoring the volume of messages sent to external users can signal to admins that safety measures should be implemented, like establishing data loss prevention (DLP) rules to safeguard sensitive information.

Additionally, Chat is now represented in app usage reports, alongside other products like Google Drive and Gmail. While each set of apps has their own unique set of metrics, admins now have another data set to draw on when analyzing how their users are interacting with Google Workspace apps

Additional details

With the implementation of these new, information rich charts, we’re planning to remove the following charts on July 1, 2025:
  • Active Rooms
  • Created Rooms
  • Active Users
  • Messages Posted

Also note that:
  • Some metrics will take time to populate, such as the 7-day or 28-day views.
  • If you've used the 'Manage Reports' or 'Manage Columns' features to customize the App Reports or User Reports pages, you'll need to adjust your settings to see the new Google Chat charts and columns. These customization features, which allow you to hide, unhide, and rearrange the order of chats or columns, will prevent the new Google Chat data from automatically appearing in your reports. 

Getting started

  • Admins: 
  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available to all Google Workspace customers

Resources

Now generally available: the Groups Editor & Groups Reader roles can now be provisioned for specific group types

What’s changing

At the beginning of the year, we launched the ability to assign the Groups Editor and Groups Reader roles for security groups or non-security groups in open beta. Beginning today, this feature is now generally available. Groups Admins have access to all groups. The new roles of Groups Editor and Groups Reader offer delegated admin permissions for groups, and can use conditions to limit access to sensitive groups as needed.

Getting started: 

Gemini for Workspace usage reports now include Gemini usage per app interactions

What’s changing

Starting today, we’re introducing additional usage metrics on the Gemini for Workspace reports in the Admin console. This report will now provide admins additional information about Gemini usage per app by users, specifically:

  • The number of times Gemini content summarization and content generation features were used in Gmail, Docs, Slides, Sheets by users.
  • The number of messages exchanged when chatting with the Gemini App and Gemini in the sidepanel of various apps by users.

Gemini usage reports in the Admin console


Getting started

  • Admins: Admins can access these reports via the admin  console under Menu > Generative AI > Gemini reports. Visit the Help Center to learn more about reviewing Gemini usage in your organization.
  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available for Google Workspace customers with the Gemini Business, Gemini Enterprise, Gemini Education and Gemini Education Premium add-ons.

Resources


Available in open beta: prevent sensitive changes by locking Groups

What’s changing

Admins can now label a Google Group as “Locked,” which will heavily restrict changes to group attributes (such as group name & email address) and memberships. This will help admins who sync their groups from an external source and want to prevent getting out of sync, or who want to restrict changes to sensitive groups. This feature will be available in open beta, which means no additional sign-up is required. 

The Group Details page in the Admin console shows a “Locked” label on the group, with the message “You can’t update this group - it might be managed by an external identity system.”


Who’s impacted

Admins

Why it’s important

If you use third-party tools, like Entra ID, to manage group synchronization, you may encounter inconsistencies when modifications are made to these groups, like adding or removing members, for example. To help address this, we’re introducing the option to “lock” a group, which will prevent modifications within Google Workspace and help maintain synchronization with the external source. 

When a group is locked, only certain admins* can modify:

  • The group name, description, email, and alias(es)
  • Group labels
  • Memberships (adding or removing members) and member restrictions
  • Membership roles
  • Delete the group
  • Set up a new membership expiry

When a group is locked, access and content moderation settings are not affected, this includes:

  • Who can post
  • Who can view members
  • Who can contact members
  • Membership removals due to an existing membership expiry
  • Access or content moderation settings

*Super Admins, Group Admins, and Group Editors with a condition that includes “Locked Groups”

Additional details

By default, the changes listed above will be restricted from end users, including group owners and managers of a locked group. If you want to also restrict some admins from making these changes in the Admin Console or APIs, you can assign them the Group Editor role with a condition that excludes locked groups. 

The ability to lock or unlock a group using the “Locked” label is available to Super Admins, Group Admins, or a custom role with the “Manage Locked Label” privilege. Lock a group using the “Locked” group label in the Admin Console, or the Cloud Identity Groups API.


Getting started

Rollout pace

Availability

Available for Google Workspace:
  • Enterprise Standard and Plus
  • Enterprise Essentials Plus
  • Education Standard and Plus
  • Also available to Cloud Identity Premium customers

Resources


Assign Calendar resources to organizational units

What’s changing

Admins can now assign Calendar resources, such as rooms, projectors, or company cars, to specific organizational units. Upon doing so, the resource will be governed by the policies and settings of the assigned organizational unit (OU), including data location policies.


Getting started


Rollout pace


Availability

  • Available for Google Workspace Enterprise Plus and Assured Controls customers

Resources


Available in beta: Convert your client-side encrypted spreadsheets after a Vault or Takeout export

What’s changing

After a Vault or Data export (Takeout), admins can now convert their exported client-side encrypted spreadsheets to Excel files. This allows organizations to maintain access to and analysis of sensitive data in a portable format even after it has been exported from Google Workspace. 

Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.


Getting started

  • Admins: Client-side encryption can be enabled at the domain, OU, and Group levels (Admin console > Data > Compliance > Client-side encryption). Visit our Help Center to learn more about client-side encryption.

Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

Resources