dbrd

Google Workspace MFA Enforcement: A 30-Minute Playbook

NIS2 and DSGVO expect Google Workspace MFA enforcement, not just MFA opt-in. The 30-minute rollout for DACH SMEs: policy, exceptions, audit trail.

Google Workspace MFA enforcement playbook with policy and audit steps for DACH SMEs

Google Workspace MFA Enforcement: A 30-Minute Playbook

A 34-person tax advisory in Hessen had every employee using MFA on their Google accounts. Each login prompt, each phone tap, each security key — all present. The audit trail they showed to their BaFin-aligned assessor still failed the first check: “Prove MFA is enforced for 100% of privileged accounts.” It wasn’t. Two contractors had been left on a non-enforced OU. Two service accounts running legacy reporting had no MFA at all. The fix took 31 minutes. The audit pass took three days. The playbook below is what we run for every managed Google Workspace tenant in the DACH region, adapted from the same rollback-safe steps.

The German regulatory picture makes MFA enforcement non-optional. NIS2 (Umsetzungsgesetz in force since October 2024) names multi-factor authentication as a baseline requirement for “important” and “essential” entities, and German mid-market firms routinely fall into scope through supply-chain contractual clauses. DSGVO Art. 32 requires “appropriate” technical measures; BaFin’s BAIT-Mar risk catalogue expects MFA on any account with admin or financial-systems access. “MFA is available” does not satisfy any of these. Enforced MFA — with a documented exception process and a quarterly attestation — does.

Section 1: Three Toggles That Cover 95% of Compliance Risk

You don’t need a zero-trust rebuild. You need three settings on, two settings off, and one report archived weekly.

Toggle 1 — Enforce MFA for all users. In the Admin Console: Security > Authentication > 2-Step Verification > “On for all users.” This converts “opt-in MFA” into “required MFA.” The grace period defaults to 24 hours, which lets users self-recover before a hard cutover. Set it to 7 days if you have field staff or rotating contractors.

Toggle 2 — Block reuse of FIDO security keys across accounts. Security > Authentication > Allow users to trust a device > Off. This stops users from registering one key as a trust anchor for every Google service.

Toggle 3 — Disable app passwords. Apps > Google Workspace > Settings for Drive/ Gmail > “Allow users to authorize access to Google APIs” > Off for everything except service accounts with documented justification.

The two settings to leave alone: SMS as a second factor (it stays as a fallback for staff without signal coverage) and backup codes (they stay enabled because they are the documented exception path).

For audit purposes, the audit-defensible line in your policy reads: “MFA is enforced for all human user accounts. Service accounts are excluded per the exception register, reviewed quarterly, with each exclusion logged in the security event register.”

Section 2: The 30-Minute Enforcement Cutover

  1. Minutes 0-5 — Disable new opt-outs. Admin Console > Security > 2-Step Verification > Settings > “Let users turn on 2-Step Verification” > Off. This stops new users from skipping MFA on activation.

  2. Minutes 5-10 — Inventory exception cases. Run a directory export: gam print users mfa configured mfaenabled 2stepverificationenrolled > mfa-audit-trail-$(date +%Y%m%d).csv. The output flags the three categories you need to act on: (a) accounts with MFA not configured, (b) service accounts with MFA enabled but not enforced, (c) suspended accounts that should be excluded from the count.

  3. Minutes 10-15 — Force enroll remaining users. Admin Console > Security > 2-Step Verification > “Bulk enroll users” > upload the non-configured list. They get a forced enrollment flow on next login.

  4. Minutes 15-20 — Resolve service-account exceptions. Service accounts cannot complete interactive MFA. The audit-defensible exception path is: (a) assign each service account to a named human owner, (b) restrict OAuth scopes to only what the service needs, (c) require IP allowlisting via Context-Aware Access, (d) log every login to a SIEM with 90-day retention.

  5. Minutes 20-30 — Enable Context-Aware Access. Security > Context-Aware Access > Create assignment > “Block access on unmanaged devices” for users handling financial or HR data. This is the second leg of the stool: even with MFA, an unmanaged device on a hotel WiFi network cannot reach Gmail.

Archive the CSV output to your governance folder. That single file — dated, signed, and reviewable — is the audit artefact a BaFin assessor will ask for in the first hour of any interview.

Section 3: The Exception Register That Survives an Audit

“Enforced” is a binary concept in policy and a graded concept in practice. Auditors accept the graded version if you can defend each exception in writing. The exception register lives outside Google Workspace — typically in the same governance folder as the CSRF and audit logs — and contains, for every excluded account:

  • Account email and type (service account, break-glass admin, vendor integration)
  • Business justification in one sentence
  • Compensating controls (IP allowlisting, scope restriction, monitoring)
  • Owner (named human with the budget authority to retire the exception)
  • Review date (quarterly, with a yes/no outcome)
  • Sign-off (managing director or CISO level, not just IT)

A 35-person Mittelstand firm will run two to four permanent exceptions (break-glass admin, M365 sync service account, payroll integration, archive auditor). Larger firms run more. The register is the answer when an assessor asks “show me every MFA exception and tell me why it exists.”

Section 4: Quarterly Attestation in Three Questions

Once per quarter, run the same three questions. If you can answer “yes” to each with a date and a file location, you pass.

  1. Is MFA enforced for 100% of human accounts? Pull the gam report. Compare to the directory. Document the gap, if any.
  2. Is every exception in the register still justified? Walk each row. Remove the ones that no longer apply. Update compensating controls on the ones that remain.
  3. Is the audit trail archived for the quarter? Save the gam CSV output to the governance folder with a date filename. Add it to the audit log index.

Total time per quarter: 45 minutes. Most of that is waiting for the report to export. For a 200-person organization, plan two hours the first time, 45 minutes per subsequent quarter.

The Takeaway

MFA enforcement for Google Workspace in a DACH SME is not a months-long security programme. It is a 30-minute cutover, a six-row exception register, and a 45-minute quarterly review. The tools are already in your Admin Console. The audit-defensible version is “enforced, with exceptions documented and reviewed quarterly.” If your tenant is on MFA opt-in right now — or if you don’t have documentary proof that exceptions exist for a reason — start the cutover this week. Managed Google Workspace handles the full rollout as part of the Standard tier; the audit-grade version adds the exception register and quarterly attestation to the Plus tier.

© 2026 dbrd. All rights reserved.