# 22 Native multi-party approval

> v0.1.3 · role: Prevent · edition: Ent Std+ / Edu Std+ / Ent Ess Plus · [policy: #32 · #4](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Multi-party approval puts a second admin between a sensitive setting and its change: the edit lands in a request queue and does nothing until a second authorized admin approves it. You choose which settings are protected via per-setting checkboxes, covering what an attacker with a stolen super-admin session reaches for first — 2-Step Verification, account recovery, Advanced Protection, Google session control, login challenges and passwordless — plus domain-wide delegation, SSO with third-party IdP, Context-Aware Access, domain settings, Calendar, Groups sharing and Vault export creation. It is the tenant's structural answer to a single compromised super admin.

Documentation: [Multi-party approval for sensitive actions](https://knowledge.workspace.google.com/admin/security/multi-party-approval-for-sensitive-actions)

## Caveats

- Only the settings you tick are protected — the default set is narrow, and an unticked sensitive setting is silently unprotected.
- MPA needs at least two super admins and deliberately makes one insufficient — which is exactly why break-glass (№20) and split custody (№36) must be designed before you turn it on.
- Approval requests expire — a change nobody approves quietly never happens, which looks like a console bug to the admin who requested it.
- Enterprise Standard/Plus, Education Standard/Plus and Enterprise Essentials Plus only — on Business tiers this screen does not exist.

## Setup steps

1. Turn multi-party approval on for the tenant. — `Security › Authentication › Multi-party approval settings`

   - **Require multi-party approval for sensitive actions** = checked, then Save

2. Tick the settings to protect — checkboxes cover 2-Step Verification, account recovery, Advanced Protection, Google session control, login challenges and passwordless, plus domain-wide delegation, SSO with third-party IdP, Context-Aware Access, domain settings, Calendar, Groups sharing and Vault export creation. An unticked setting stays unprotected. — `Security › Authentication › Multi-party approval settings`

   Protected settings (per-setting checkboxes): 2SV, account recovery, Advanced Protection, Google session control, login challenges, passwordless, domain-wide delegation, third-party IdP SSO, Context-Aware Access, domain settings, Calendar, Groups sharing, Vault exports

3. Make a benign change from a second admin account and confirm it lands in the requests queue rather than taking effect — this is the only proof the control is live. — `Security › Authentication › Multi-party approval requests`

   Pending request visible; approve/reject from a different admin with the relevant privilege or the MPA review privilege (2SV, account recovery, domain-wide delegation and third-party IdP SSO changes require a super admin)

## How to verify

1. With one super admin, attempt a protected action (e.g. change a 2SV setting) — the console must park it pending a second admin’s approval rather than applying it.

## Settings screens

- Security > Authentication > Multi-party approval settings
  - console: https://admin.google.com/ac/managedsettings/352555445522/multipartyapprovalsettings
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/352555445522/multipartyapprovalsettings.png
- Security > Authentication > Multi-party approval requests
  - console: https://admin.google.com/ac/list/security/mpa
  - screenshot: ../screenshots/admin.google.com/ac/list/security/mpa.png
