Video summary

Context Aware Access for Google Workspace Admin Console - New Feature

Summary of the Video

The video explains a new Google feature for the Google Admin console called “Context-aware access”, which is used for conditional access policies specifically within the Admin console.

What the Feature Does

  • The Admin console is where admins manage identities, users, groups, and members across Google Workspace / Cloud Identity / Google Cloud enterprise apps.
  • With Context-aware access, admins can apply context-aware/conditional access policies to Admin console access, based on:
    • User context
      • Example: IP address and geographic location
    • Device context
      • Example: device posture, such as:
        • encryption status
        • minimum OS version
        • whether the device is company-owned vs personal
  • Access is then allowed or denied depending on whether the admin’s context matches the policy.

Prerequisites / Requirements Mentioned

You should be on one of the following:

  • Google Workspace Enterprise Standard or Plus, or
  • Google Workspace Education Standard or Plus

Additional conditions:

  • If using Cloud Identity, the feature is available only in Cloud Identity Premium
  • The person configuring it must be a Super admin
  • If a reseller manages the environment, the reseller may assist with setup (as mentioned by the speaker)
  • Applying conditional access to the Admin console carries a risk of admin lockout, so caution is emphasized

Best Practices / Safety Guidance (Lockout Prevention)

The speaker highlights precautions aligned with Google help guidance:

  1. Review the policy before applying it
  2. Pay attention to Google’s messages/warnings when applying policy to the Admin console
  3. Prefer targeting groups rather than individual users
  4. Ensure you have access to the Google support portal in case lockout occurs and Google support is needed to restore access

Step-by-Step Configuration (Demonstrated)

  1. Go to the Admin console
  2. Navigate to: Security → Access and data control → Context-Aware Access
  3. Ensure it’s turned on
  4. Create a new “access level”
    • Example used: “allow access from US only”
    • Conditions shown:
      • Geographic location = United States
      • (Optional examples mentioned: requester IP subnet, device policy, OS version)
  5. Assign the access level to admin console access
    • The UI shows:
      • Workspace-native apps (e.g., Gmail/Drive)
      • configured third-party SAML apps (e.g., Asana)
    • A key UI concept is a “continuous evaluation point”
      • The speaker explains this as re-evaluating context continuously, not just at login
      • Example: if an admin logs in from the US but later changes location (e.g., by connecting through a VPN or moving to another country), access may be revoked on the next attempt/API call
  6. Optional: Mobile applicability
    • If the Admin console can also be accessed via mobile apps, there’s a checkbox to apply the policy to mobile apps
    • The speaker mentions iPhone/Android availability, but notes uncertainty

Demo / Result of Applying the Policy

After configuring the policy:

  • The speaker first verifies successful login from the allowed context (US)
  • Then a VPN is used to change location to another country (example: India)

Outcome:

  • Admin console access is denied
  • An error message appears (customizable), such as:
    • “you can’t log in… not authorized…”
  • Other Google services like Google Docs remain accessible because the policy was applied only to the Admin console (not other apps)
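
An added example, not taken from the video or from Google: a small Python model of how an access level like the one demonstrated is checked on every request, plus a pre-check that lists admins whose observed contexts would all be denied (the lockout case the speaker warns about). The class and field names are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Context:
    """Context of one Admin console request (hypothetical model)."""
    admin: str
    region: str          # country code resolved from the source IP
    ip: str
    encrypted: bool
    os_version: tuple    # e.g. (14, 2)
    company_owned: bool

@dataclass(frozen=True)
class AccessLevel:
    """Hypothetical access level; a condition left empty/False is not checked."""
    regions: frozenset = frozenset()
    subnets: tuple = ()
    require_encryption: bool = False
    min_os: tuple = ()
    require_company_owned: bool = False
    def failures(self, c):
        """Return the unmet conditions; an empty list means access is allowed."""
        out = []
        if self.regions and c.region not in self.regions:
            out.append("region")
        if self.subnets and not any(ip_address(c.ip) in ip_network(n) for n in self.subnets):
            out.append("ip")
        if self.require_encryption and not c.encrypted:
            out.append("encryption")
        if self.min_os and c.os_version < self.min_os:
            out.append("os_version")
        if self.require_company_owned and not c.company_owned:
            out.append("ownership")
        return out

def lockout_report(level, contexts):
    """Map each admin with no passing context to the failures of each attempt."""
    seen = {}
    for c in contexts:  # every request is evaluated, not only the first login
        seen.setdefault(c.admin, []).append(level.failures(c))
    return {admin: f for admin, f in seen.items() if all(f)}

US_ONLY = AccessLevel(regions=frozenset({"US"}))
SAMPLE = [  # constructed requests; IPs are from documentation ranges
    Context("alice", "US", "198.51.100.10", True, (13, 6), False),  # allowed
    Context("alice", "IN", "203.0.113.7", True, (13, 6), False),    # after VPN: denied
    Context("bob", "IN", "203.0.113.9", True, (14, 1), True),       # never seen in the US
]
```

Running `lockout_report(US_ONLY, SAMPLE)` before assigning the level shows that the constructed admin "bob" has no passing context and would lose Admin console access.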

Main Speakers or Sources

  • Speaker/source: goldie (referred to as “hey google admins this is goldie again…”)
  • Primary referenced source: Google Help / Google support guidance (used for best practices and lockout prevention)