What’s changing Admins can now label a Google Group as “Locked,” which will heavily restrict changes to group attributes (such as group name & email address) and memberships. This will help admins who sync their groups from an external source and want to prevent getting out of sync, or who want to restrict changes to sensitive groups. This feature will be available in open beta, which means no additional sign-up is required.
The Group Details page in the Admin console shows a “Locked” label on the group, with the message “You can’t update this group - it might be managed by an external identity system.”
Who’s impacted Admins
Why it’s important If you use third-party tools, like Entra ID, to manage group synchronization, you may encounter inconsistencies when modifications are made to these groups, like adding or removing members, for example. To help address this, we’re introducing the option to “lock” a group, which will prevent modifications within Google Workspace and help maintain synchronization with the external source.
When a group is locked, only certain admins* can modify:
The group name, description, email, and alias(es) Group labels Memberships (adding or removing members) and member restrictions Membership roles Delete the group Set up a new membership expiry
When a group is locked, access and content moderation settings are not affected, this includes:
Who can post Who can view members Who can contact members Membership removals due to an existing membership expiry Access or content moderation settings
*Super Admins, Group Admins, and Group Editors with a condition that includes “Locked Groups”
Additional details By default, the changes listed above will be restricted from end users, including group owners and managers of a locked group. If you want to also restrict some admins from making these changes in the Admin Console or APIs, you can assign them the Group Editor role with a condition that excludes locked groups.
The ability to lock or unlock a group using the “Locked” label is available to Super Admins, Group Admins, or a custom role with the “Manage Locked Label” privilege. Lock a group using the “Locked” group label in the Admin Console, or the
Cloud Identity Groups API .
Rollout pace Availability Available for Google Workspace:
Enterprise Standard and PlusEnterprise Essentials PlusEducation Standard and PlusAlso available to Cloud Identity Premium customers Resources
.png)
