Google Workspace Updates: Protect sensitive Google Vault actions with multi-party approvals (original) (raw)

December 10, 2025

• Google Vault
• Rapid Release
• Scheduled Release

What’s changing

We are extending multi-party approvals (MPA) to Google Vault. Last year, we launched MPA to protect customers from malicious actors taking sensitive admin actions by requiring that one admin must approve certain actions initiated by another.

Going forward, admins can configure multi-party approvals for the following sensitive Google Vault actions:

• Google Vault: create export: Requiring approval before a search query can be exported.

When enabled, if an admin attempts to perform these actions in the Vault interface, they will see a "Multi-party approval required" prompt. The action will not be executed until a separate, authorized administrator reviews and approves the request within the Admin console.

Vault admins have access to highly sensitive actions, including the ability to search and export specific sensitive user data or large amounts of data across an entire domain.

Multi-party approval adds an extra layer of security for these sensitive actions by ensuring no sensitive action happens in a silo and, most importantly, helps prevent unauthorized or accidental changes from being made. This dual-authorization mechanism significantly reduces the risk of unauthorized or malicious actions, such as a bad actor attempting to exfiltrate confidential information or perform unapproved data deletions.

Additional details

• Request workflow: Once a request is submitted, approvers (super admins or delegated admins with the multi-party approval role) receive an email notification.
• Expiration: Requests expire after three days if not approved.
• Granular control: Admins can choose to enable MPA specifically for Vault actions without enforcing it on other settings, or vice versa, via the Multi-party approval settings page.
• Delegation: Super admins can delegate the responsibility of approving these requests to other leaders using the "Multi-party approval" system role.
• API: Multi-party approval will not be required for exports triggered via the API and should not impact downstream automation via the API.

Getting started

• Admins: This feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approval for Vault exports is OFF by default and can be turned on in the Admin console. Visit the Help Center to learn more.

Rollout pace

• Rapid and Scheduled Release domains: Available now

Availability

Available to Google Workspace

• Enterprise Standard and Plus
• Enterprise Essentials Plus
• Education Standard and Plus

Resources

• Google Vault Help: Getting Started with Vault Search and Export