I recently had cause to remind myself of Google Workspace administrator account best practices. Briefly:

  1. Set up separate admin accounts, e.g. [email protected] to exist side-by-side with [email protected]. Keep accounts individually identifiable, and ideally ensure there are multiple Super Admins in your organization.[1]

  2. Avoid using [email protected] for day-to-day use.

  3. One of these Super Admin accounts must be set as the primary account contact, but (due to the previous point) you’re unlikely to be checking the emails very often. Set up a “Secondary email” for the organization to receive alerts and updates.

  4. Enrol the admin account in Advanced Protection, which enforces 2SV with two physical security keys. Avoid losing the keys.

Interestingly, the Super Admin will then have a personal email address and a personal phone linked to the account. I guess there’s some risk that those could be used as a vector for taking over the account, but presumably Advanced Protection makes this more challenging.
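As an added example (not from the original post), here is one way to audit an exported user list against the checklist above. Field names follow the Admin SDK Directory API user resource; the `admin-` prefix convention, the sample records and all addresses are assumptions constructed for illustration. It checks 2SV enrolment only, not Advanced Protection status.

```python
# Constructed sample in the shape of Admin SDK Directory API user records
# (isAdmin marks a Super Admin). All addresses are placeholders.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": False, "isEnrolledIn2Sv": True},
    {"primaryEmail": "admin-alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "recoveryEmail": "alice@personal.example", "recoveryPhone": "+15555550100"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": False},
    {"primaryEmail": "admin-it@example.com", "isAdmin": True, "isEnrolledIn2Sv": True},
]


def audit_super_admins(users, admin_prefix="admin-", min_super_admins=2):
    """Return (subject, finding) tuples for Super Admin accounts.

    admin_prefix is an assumed naming convention for dedicated admin accounts.
    """
    findings = []
    emails = {u["primaryEmail"].lower() for u in users}
    supers = [u for u in users if u.get("isAdmin")]
    # Checklist item 1: more than one Super Admin in the organization.
    if len(supers) < min_super_admins:
        findings.append(("org", f"only {len(supers)} Super Admin account(s)"))
    for u in supers:
        email = u["primaryEmail"].lower()
        local, _, domain = email.partition("@")
        # Items 1 and 2: a dedicated admin account paired with a named user.
        if not local.startswith(admin_prefix):
            findings.append((email, "Super Admin role on a day-to-day account"))
        elif f"{local[len(admin_prefix):]}@{domain}" not in emails:
            findings.append((email, "no matching personal account; owner not identifiable"))
        # Item 4 (partial): 2SV enrolment is the only signal checked here.
        if not u.get("isEnrolledIn2Sv"):
            findings.append((email, "not enrolled in 2SV"))
        # Recovery channels are the takeover path raised in the paragraph above.
        if u.get("recoveryEmail") or u.get("recoveryPhone"):
            findings.append((email, "recovery email/phone set; review as a takeover path"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_super_admins(SAMPLE_USERS):
        print(f"{subject}: {finding}")
```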

[1] There is GCP guidance on this topic which contradicts the idea of keeping Super Admin accounts individually identifiable, i.e. “not specific to a particular user”. I suspect it’s outdated and have sent feedback on that page.