← All controls

63 Travel-mode accounts

For a border crossing or a trip into a hostile jurisdiction, the traveller carries a sanitised identity: a travel account or travel OU with no admin roles, no Vault, no sensitive shared drives, a geo-restricted access policy and a short session. Access is granted by group, so moving the person between groups is the whole switch. The primary identity is suspended for the duration where the trip allows it, and its sessions and tokens are revoked on return before membership is restored.

Caveats

Setup steps

  1. Travel OU: Context-Aware Access geo policy (Enterprise Standard+, Education Standard+, Frontline Standard+, Enterprise Essentials Plus and Cloud Identity Premium; silently ignored on other editions) + short session length + no admin roles

    Protect your business with Context-Aware Access ↗ Set session length for Google services ↗

  2. open ↗
    Admin console screen — Directory > Groups (swap the travel identity's group membership)

    https://admin.google.com/ac/groups · captured 2026-07-15

    Directory › Groups
    gam update group sensitive-team remove member user@…
    gam update group travel add member user@…

    Add or invite users to a group ↗ Remove or ban users from a group ↗

  3. open ↗
    Admin console screen — Directory > Users (suspend / restore the travelling identity)

    https://admin.google.com/ac/users · captured 2026-07-15

    Directory › Users
    gam update user user@… suspended on|off

    Suspend a user temporarily ↗ Restore a suspended user ↗

  4. gam user user@… signout
    gam user user@… deprovision   # revokes tokens, app passwords and backup codes

    Sign a user out of a managed Google Account ↗

Ongoing maintenance

How to verify

  1. Before a trip: confirm the travel account holds only the trip’s data, sits in the travel OU with its tighter CAA level, and the traveller’s primary account is suspended or locked for the duration.

v0.1.3Prevent policy #25 · #14, #30 ↗