# Configure Common Security Settings

## Introduction to Exercise

As an admin, there are some basic security settings you can enable and adjust in the Admin console to improve the overall security of your Cloud Identity instance.

### **Exercise Scenario**

In this exercise, you’ll modify and enable security features and settings for your entire domain.

### **Exercise Directions**

1\. [Sign in to your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user with **your administrator account name and password**.

2\. From the **Admin console dashboard,** click on the **Security icon**.

3\. Click on **Basic settings** to ensure **security features and settings are enabled** in the following sections:

- Password Recovery
- 2-step verification
- Less secure apps

4\. By default, only a domain administrator can reset a user’s password. The **Password Recovery** setting applies where you want to allow users to recover their own passwords. This is achieved through the use of a recovery email address or phone number. To enable user password recovery, click the **Enable/disable non-admin user password recovery link**, and check **Enable non-admin user password recovery**.

**Note:**

- *See* [*Set up password recovery for users*](https://support.google.com/a/answer/33382) *for details on how to let your users reset their own passwords.*

5\. In the **2-Step Verification section**, check **Allow users to turn on 2-step verification**.

- This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually.
- Once all users have enrolled in 2-Step Verification, you can enforce 2-step verification.

**Note:**

- *See* [*Set up 2-Step Verification for your domain*](https://support.google.com/cloudidentity/answer/184711?hl=en&ref_topic=2759193) *for more information on how to enable 2-Step Verification, account recovery recommendations, and tips for deploying to your users.*
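Before enforcing 2-Step Verification you need to know who has not enrolled yet. The following is an added example, not part of the original exercise: it assumes API access is enabled and that you have already fetched a Directory API `users.list` response, and it reads the `isEnrolledIn2Sv`, `isAdmin`, `suspended` and `orgUnitPath` fields. The sample data is constructed, and grouping by organizational unit and skipping suspended accounts are choices of this example.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Directory API users.list response,
# trimmed to the fields this check reads. All accounts are made up.
SAMPLE_USERS_LIST = json.loads("""
{"users": [
  {"primaryEmail": "root-admin@example.com", "orgUnitPath": "/", "isAdmin": true, "isEnrolledIn2Sv": false},
  {"primaryEmail": "alice@example.com", "orgUnitPath": "/Engineering", "isEnrolledIn2Sv": true},
  {"primaryEmail": "bob@example.com", "orgUnitPath": "/Engineering", "isEnrolledIn2Sv": true},
  {"primaryEmail": "carol@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": false},
  {"primaryEmail": "dave@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": true},
  {"primaryEmail": "erin@example.com", "orgUnitPath": "/Sales", "suspended": true, "isEnrolledIn2Sv": false},
  {"primaryEmail": "gina@example.com", "orgUnitPath": "/Sales"}
]}
""")


def two_sv_readiness(response):
    """Report, per organizational unit, who still blocks 2SV enforcement."""
    ous = defaultdict(lambda: {"active": 0, "not_enrolled": []})
    admins_without_2sv = []
    for user in response.get("users", []):
        if user.get("suspended", False):
            continue  # assumption of this example: suspended accounts are out of scope
        ou = ous[user.get("orgUnitPath", "/")]
        ou["active"] += 1
        # Fail closed: a record without the field counts as not enrolled.
        if not user.get("isEnrolledIn2Sv", False):
            ou["not_enrolled"].append(user["primaryEmail"])
            if user.get("isAdmin", False):
                admins_without_2sv.append(user["primaryEmail"])
    for ou in ous.values():
        ou["not_enrolled"].sort()
        ou["ready"] = not ou["not_enrolled"]
    return {"ous": dict(ous), "admins_without_2sv": sorted(admins_without_2sv)}


if __name__ == "__main__":
    report = two_sv_readiness(SAMPLE_USERS_LIST)
    for path, ou in sorted(report["ous"].items()):
        state = "ready to enforce" if ou["ready"] else "blocked by " + ", ".join(ou["not_enrolled"])
        print(f"{path}: {ou['active']} active, {state}")
    print("admins without 2SV:", report["admins_without_2sv"])
```

Administrator accounts that appear in `admins_without_2sv` are the first ones to follow up on, since they hold the most privilege in the domain.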

6\. In **Less secure apps**, you can control access **to third-party apps that use less secure sign-in technology**. You can choose to deny access for these apps, which we recommend, or choose to allow access despite the risks.

- Click on the link **Go to settings for less secure apps >>**. In the window that opens, your list of organizational units will be displayed in the left sidebar.
- **Click on the organizational unit to which you wish to apply the setting**.

**Note:**

- *By default, the box to Allow users to manage their access to less secure apps is checked.*
- *See* [*Control access to less secure apps*](https://support.google.com/cloudidentity/answer/6260879?hl=en&ref_topic=7558428)*.*

7\. Expand the **Password management** section. This is where password policies are set.

You can enforce strong passwords by checking the **Enforce strong password** box. You can also set a **Password length** policy by setting minimum and maximum length values. It is recommended to keep the minimum password length at 8 characters or more. You can enforce the length and strength policies either when your users next log in to their account or when they next change their password. The default is to enforce them when the password is next changed.

The **Allow password reuse** box allows you to control whether your users can reuse their old passwords. We recommend you leave this option unchecked to prevent reuse.

You can also force your users to change their passwords after a certain number of days or allow them to never expire with the **Password expiration** setting. We recommend you allow passwords to never expire.

**Note:**

- *See* [*Manage your users' password settings*](https://support.google.com/a/answer/139399) *for more information on how to help keep your user’s account secure.*
- *See* [*Create a strong password & a more secure account*](https://support.google.com/accounts/answer/32040) *for more information on how to choose a strong password.*

8\. In **API reference**, check **Enable API access** to enable programmatic access to your Cloud Identity domain.

**Note:**

- *You have access to the Admin SDK—a collection of Application Programming Interfaces (APIs), so you can build customized administrative tools for your Google products. Before you can use the Admin SDK, you need to enable API access.*
- *See* [*Enable API access in the Admin console*](https://support.google.com/cloudidentity/answer/60757?hl=en)

9\. In **Set up single sign-on (SSO)**, you can give your users access to many applications without having to enter their username and password for each application.

- In the Setup SSO with Google identity provider option, you can [set up SSO using Google as the identity provider](https://support.google.com/cloudidentity/answer/6087519?hl=en) using Security Assertion Markup Language (SAML), so that users can use their managed Google account credentials to sign in to enterprise cloud applications.
- In the Setup SSO with third party identity provider option, you can [set up SSO using a third party as the identity provider](https://support.google.com/cloudidentity/answer/60224?hl=en&ref_topic=6348126) so that Google is the service provider and users authenticate through a third-party identity provider.

Congratulations! You can now view and modify basic security settings for your entire domain.