简体繁体 English

通过API以Google Apps超级管理员的身份为用户关闭两步验证

[英]Turn off 2-Step Verification for a user via API as a Google Apps super admin

原文 2015-08-04 11:55:41 3 2 authentication/ google-apps-script/ google-api/ google-apps

As part of our "off-boarding" process for employees leaving the company, as super admins we use the Google Apps Admin SDK Directory API to change the user's password so that they can no longer access their account. 作为离职员工的“离职”流程的一部分，作为超级管理员，我们使用Google Apps Admin SDK目录API更改用户的密码，以使他们无法再访问其帐户。 Then we log in to do a Google Takeout, reset passwords for their other accounts, etc. 然后，我们登录进行Google Takeout，重设其他帐户的密码，等等。

However, we recently decided to enforce 2-Step Verification for all of our users. 但是，我们最近决定对所有用户强制执行两步验证。 So now when we go to log in to their account, it sends a code to their phone. 因此，现在当我们登录他们的帐户时，它将密码发送到他们的手机。

Since 2-Step is enforced for their SubOrg, we can't even turn it off through the admin console. 由于2-Step是为其SubOrg强制执行的，因此我们甚至无法通过管理控制台将其关闭。 So all I can do now is to have the API move the user to a different SubOrg where the 2-Step enforcement setting is turned off, and then manually turn off 2-Step. 因此，我现在所能做的就是让API将用户移动到另一个SubOrg，在其中，两步强制实施设置已关闭，然后手动关闭了两步。

Is there any way to programmatically turn off 2-Step verification for an account? 有什么办法以编程方式关闭帐户的两步验证？

I looked in the Google Apps Admin SDK Directory API Users:update documentation, but it doesn't seem to have anything to do with 2-Step. 我查看了Google Apps Admin SDK目录API Users：update文档，但它似乎与两步无关。

The Reports API can find out the user's enrollment status, but it's read-only for reporting purposes. Reports API可以找出用户的注册状态，但出于报告目的，它是只读的。

2 个解决方案

What you are doing is the correct way to remove the 2-Step verification. 您正在执行的操作是删除两步验证的正确方法。 As you mentioned if it is enforced under a Organization Unit, removing it would get against that rule and that's why you are not able to do it unless you move the user to another OU where this is not enforced. 正如您提到的，如果在组织单位下强制执行该命令，则将其删除会违反该规则，这就是为什么除非您将用户移动到另一个未强制执行此命令的OU，否则您将无法执行此操作。

I was not able to find some way to do this programmatically. 我找不到以编程方式执行此操作的方法。 However, you could Suspend the user. 但是，您可以挂起用户。 After that, the user won't be able to access to that account. 之后，该用户将无法访问该帐户。 The account will still be visible in your Admin Console and all the information in the different Google services will remain attached to that account until you finally delete the account. 该帐户仍将在您的管理控制台中显示，并且在您最终删除该帐户之前，其他Google服务中的所有信息都将保留在该帐户中。

While the user is suspended, as admin, you can use service account to impersonate that user. 在用户被挂起后，您可以以管理员身份使用服务帐户来模拟该用户。 By doing so you can act as that user and edit permissions or transfer the ownership of the files contained in Drive to a different account so those files won't get lost. 这样，您可以充当该用户并编辑权限，或将云端硬盘中包含的文件的所有权转移到其他帐户，这样这些文件就不会丢失。

I hope this helps. 我希望这有帮助。

The easiest way to do this is to create a Group for which 2FA is exempt (see here: https://support.google.com/a/answer/2370108 ). 最简单的方法是创建一个免除2FA的网上论坛（请参阅： https : //support.google.com/a/answer/2370108 ）。 Then add the user to that group, then you can click "Disable 2FA" on the user page in the admin console. 然后将用户添加到该组，然后您可以在管理控制台的用户页面上单击“禁用2FA”。 I'm assuming you can do the same through the API. 我假设您可以通过API进行相同的操作。

The only downside is that this means you'll have a group through which it is possible to exempt users from the 2FA enforcement option. 唯一的缺点是，这意味着您将有一个组，可以通过该组将用户从2FA实施选项中排除。 So that's a risk you'll have to accept and a policy you have to carefully check. 因此，这是您必须接受的风险，也是必须仔细检查的政策。