Onboarding new users should be simple, yet the default settings for 2-step verification (2FA) within a Google Workspace can be problematic. When you enable 2FA for an organizational unit, new users encounter an error when they first log into Google Workspace by default:
Your organization’s policy requires you to enroll in 2-step verification. Please contact your administrator for more information.
Technically the truth, yet not a great user experience. Brand new users should still have the chance to set up 2FA during their initial login to Google Workspace.
There are some less than ideal workarounds available, such as disabling 2FA for the entire organizational unit. This is far from perfect and can, even briefly, compromise the security of your Google Workspace. Slightly more secure of an option would be to create an additional organization unit or subunit that has 2FA disabled. Upon proper 2FA setup, you could then move the new user to the main organization unit.
Fortunately, Google has introduced some additional 2-factor verification settings to Google Workspace to help ease the new user onboarding process,
Within your Google Workspace Admin, navigate to Security then Authentication then 2-step verification. From there, you should see the settings for 2FA. Within that, a setting to allow you to set the New user enrollment period for new users.
You can set the enrollment grace period to whatever you’d like. I personally would opt for a shorter amount of time. For security’s sake, setting up 2FA/MFA should be the first thing that any new user does. Even if the platform makes it difficult, or you get in your own way.