The Google for Education Community Platform

1.1) I would agree about the delegated access would most likely be the best route (assuming they don't also need the accounts Google Drive data, ie. something like marketing@domain.tld may have marketing materials, which should be in a Shared Drive rather, but that's unfortunately not the world/company we live in...sadly the previous Google Admins (some here, some gone) blame Google for not having all the functionality they have nowadays back in '09...)

1.2) if we were to go the route of delegated Gmail, we'd still want to enable/force MFA for these accounts, but what would that look like? Yubikey's that sit in a drawer and are labeled? MFA on an IT person's mobile phone?

2.1) Devils advocate and rhetorical: the Admin Google account that was created to set up the Workspace account originally, how many people have access to log into that account? More than one I bet in case the one person got hit by a bus or became rouge...so by design all organizations (I would imagine) are breaking the AUP...

2.2) "Luckily" we're in the USA and the users accessing these service type accounts are the intended people/recipient so the privacy law wouldn't apply. The people accessing the "admissions" account for example, are the people who have the legal authority/obligations to view this type of data. It's not some random employee who shouldn't be privy to the data.

1.1 Yes, common content should be in a Shared Drive anyway.

1.2 Random password that nobody knows will keep users out.

gam update user username password random 

That will set a crazy long password.

You could also add a Yubikey, or create backup codes and put in a safe.

2.1 Same with this account. It should be for emergency only, with credentials and 2FA safely tucked away.

2.2 Well, I have heard that many are forced to adhere to strict security rules to qualify for cyber insurance, so I wouldn't bet my house on that assumption.

Can you have multiple yubikeys associated with a single account?

Can you purchase licenses with the Access Control for a subset of users (say at most 300 accounts)? That would at least narrow down the login ability to our IP ranges which we own.

The Cyber insurance coverage is a good thought in practice, but when they say "you need data at rest encryption" and don't specify if "SED's" are good enough, I'm not sure they'd get as granular as what you're thinking. Insurance loves to be vague so they can reject claims.

Lets just say they didn't mention anything about revoking Local Administrator access to our users...and here we are...covered by insurance with everyone and their mothers having Local Administrator group membership ha..ha..ha... 😑😭

Multiple Yubikeys

Oh, yes, definitely! I usually have three connected to each account, as I have two I use for different devices, and one backup which I rarely connect.

Context Aware Access

No, this is part of Standard/Plus licencing, which is now based on active students, and not staff.

Local Admin

Yup, it's a delicate balance, but I've read so many articles on why local admin isn't the boogey man it's been painted as, since even as non-admin you can do serious damage to both local and remote files, if hit by ransomware. you just can't mess up the system OS files, but many ransomware processes don't even have that as a goal.

The multiple yubikeys may be the route for us for these type of accounts then, with a few spares. Is there a limit? I know when setting up Passkeys there was like a list of 5 items. So I wasn't sure if there is a limit of 5 per account, or as you get closer to 5 it expands further.

That is a fair point about ransomware not really targeting OS level stuff and going more so for files and folders the user has access to. But alas, that's also a wild west haha... People love asking us to add users to file share resources, but never to remove them...

One should always have more than one MFA method, but as nobody should need to log into the accounts you mentioned, all MFA methods should be archived. Orrrrr, well, you don't need to use special Yubikeys as your superadmins could just add their keys to the accounts.

Again, since nobody is supposed to ever log in, it doesn't really matter whose Yubikeys are added.

Would that be the account under "Account->Account Settings->Primary Admin"?

Exactly, yes, the primary admin.

It will be using MFA now that I realized it was not already set up as such...