Your organization has implemented Single Sign-On (SSO) for the multiple cloud-based services it utilizes. During authentication, one service indicates that access to the SSO provider cannot be accessed due to invalid information.
What should you do?
https://support.google.com/a/answer/2463723?hl=en
Several customers have reported receiving fake collection notices from your company. The emails were received from accounts.receivable@yourcompany.com, which is the valid address used by your accounting department for such matters, but the email audit log does not show the emails in question. You need to stop these emails from being sent.
What two actions should you take? (Choose two.)
Change the password for the suspected compromised account:
Sign in to the Google Admin console.
From the Admin console Home page, go to 'Users.'
Find and select the account 'accounts.receivable@yourcompany.com.'
Click on 'Security' and then 'Password.'
Follow the instructions to change the password.
Configure a Sender Policy Framework (SPF) record for your domain:
Log in to your domain host (e.g., GoDaddy, Bluehost).
Locate the page for updating your domain's DNS records.
Add a new TXT record for your domain with the SPF rule, typically something like:
v=spf1 include:_spf.google.com ~all
Save the changes to update the DNS records.
Changing the password helps secure the compromised account, while configuring SPF helps prevent email spoofing, ensuring that fake emails are less likely to be delivered as though they come from your legitimate email address.
Google Workspace Admin Help - Change or reset a user's password
Google Workspace Admin Help - Set up SPF records
Your organization has a data loss prevention (DLP) rule to detect and warn users about external sharing of sensitive files in Google Drive You also want to prevent external users from downloading files with viewer permissions to their local machines What should you do?
Access Admin Console: Log in to the Google Admin console using your administrator account.
Navigate to DLP Rules: Go to Apps > Google Workspace > Drive and Docs > Data loss prevention.
Create a New Rule: Click on Create a rule and choose to start with a template or create a custom rule.
Set Content Detector Conditions: Use the existing content detector conditions that identify sensitive files.
Configure Actions: Set the action to Disable download, print, and copy for commenters and viewers. This ensures that external users with viewer permissions cannot download the files.
Apply Rule to Relevant OUs/Groups: Set the scope of the rule to the specific organizational units or groups where you want this restriction to apply.
Save and Implement: Save the rule and ensure it is activated. This will enforce the new restrictions for sensitive files shared externally.
Google Workspace Admin Help: Data loss prevention for Drive
Google Workspace DLP Best Practices
Your organization recently implemented context-aware access policies for Google Drive to allow users to access Drive only from corporate managed desktops. Unfortunately, some users can still access Drive from non-corporate managed machines. What preliminary checks should you perform to find out why the Context-Aware Access policy is not working as intended? (Choose two.)
To ensure that the Context-Aware Access policy is working correctly, perform the following checks:
Confirm Google Workspace License:
Verify that the user has a Google Workspace Enterprise Plus license. Context-Aware Access is a feature available only to Enterprise Plus customers.
In the Admin console, navigate to Billing > Subscriptions and confirm the license type assigned to the user.
Check Endpoint Verification:
Ensure that Endpoint Verification is installed and active on users' desktops.
Go to the Admin console, navigate to Devices > Endpoint Verification.
Check the list of devices to confirm that Endpoint Verification is installed and reporting the status of users' devices.
Additional Steps:
Ensure that policies are correctly configured and applied to the relevant Organizational Units (OUs).
Verify that the Context-Aware Access policies are correctly set up in Security > Context-Aware Access.
By confirming the correct license and ensuring Endpoint Verification is installed, you can troubleshoot and resolve issues related to Context-Aware Access policy enforcement.
Set up Context-Aware Access
Endpoint Verification overview
Your client is a multinational company with a single email domain. The client has compliance requirements and policies that vary by country. You need to configure the environment so that each country has their own administrator and no administrator can manage another country.
What should you do?
Create Organizational Units (OUs):
In the Google Workspace Admin console, go to 'Directory' > 'Organizational units'.
Create separate OUs for each country.
Assign Admin Roles:
Go to 'Admin roles' in the Admin console.
Create custom admin roles with permissions restricted to managing users, groups, and settings within their specific OU.
Ensure that the role does not grant permissions to manage other OUs.
Assign Country-Specific Admins:
Assign the newly created admin roles to the appropriate administrators, ensuring they have control only over their respective country's OU.
Google Workspace Admin Help: Create and manage organizational units
Google Workspace Admin Help: Admin roles
