Skip to main content
Solved

Correct contact point for reporting unauthorized Google Workspace admin actions by an external party

  • January 19, 2026
  • 2 replies
  • 26 views
Quynah

I’m looking for guidance on the appropriate contact point within Google for reporting and following up on unauthorized administrative actions performed by an external party with (current or former) Google Workspace admin access.

More specifically, I’m trying to understand:

  • Which Google team or function is responsible for handling this type of incident (e.g. Workspace Support, Trust & Safety, Abuse, Partner oversight, etc.)?

  • Through which channel (ticket type, form, or email) such reports should be submitted to ensure proper review and ownership?

  • Whether there is a defined process for incidents involving actions performed through the Google Workspace Admin Console by a third party?

  • What kind of information or audit logs are typically expected to support an investigation?

My goal is to avoid being redirected between multiple teams and to engage the correct channel from the start.

Any guidance or direction would be greatly appreciated. Thank you.

Best answer by matthewnichols

Hi ​@Quynah Thanks for your post and sorry to hear you’re running into this. However, this is the Security Operations forum you’re posting in. We do not manage or support workspace issues. 

 

Here is some information that might be helpful. I suggest you try these avenues to help get answers to your questions. 

 

If you can still log in, your first priority is to revoke access and audit the damage.

  • Identify & Secure Compromised Accounts: This is the "official" checklist for cleaning up after an unauthorized admin. It covers suspending the user, resetting cookies, and checking for "backdoors" (like new filters or apps).

     

  • Admin Audit Log: Use this to see exactly what they did (e.g., changed passwords, deleted users, or changed billing).

  • Remove Third-Party App Access: Often, former admins leave a "bridge" in via an OAuth app. Check here to revoke anything suspicious.

 

If the external party changed your password or recovery info, use these:

  • Google Workspace Admin Recovery Tool: This is the automated path to prove domain ownership via DNS (adding a CNAME or TXT record). It is the fastest way to bypass a rogue admin.

  • Report Abuse/Illegal Activity: If the former admin is actively sabotaging or engaging in illegal behavior using the account, use this specialized reporting tool.

 

If the automated recovery fails, you need to contact support.

  • Contact Google Workspace Support: If you can’t sign in, click "Try another way" on the sign-in page until you reach a contact form.

  • Support PIN Help: If you are talking to support and they ask for a PIN you don't have (because you're locked out), tell them you cannot access the Admin Console; they have a secondary verification process for these cases.

 

    2 replies

    Jyotimoyhaz
    Forum|alt.badge.img
    • JyotimoyhazBronze 1
    • Bronze 1
    • January 19, 2026

    IT cell may might be

    Jyotimoy Hazarika
    matthewnichols
    Community Manager
    Forum|alt.badge.img+17
    • matthewnicholsCommunity Manager
    • Community Manager
    • Answer
    • January 26, 2026

    Hi ​@Quynah Thanks for your post and sorry to hear you’re running into this. However, this is the Security Operations forum you’re posting in. We do not manage or support workspace issues. 

     

    Here is some information that might be helpful. I suggest you try these avenues to help get answers to your questions. 

     

    If you can still log in, your first priority is to revoke access and audit the damage.

    • Identify & Secure Compromised Accounts: This is the "official" checklist for cleaning up after an unauthorized admin. It covers suspending the user, resetting cookies, and checking for "backdoors" (like new filters or apps).

       

    • Admin Audit Log: Use this to see exactly what they did (e.g., changed passwords, deleted users, or changed billing).

    • Remove Third-Party App Access: Often, former admins leave a "bridge" in via an OAuth app. Check here to revoke anything suspicious.

     

    If the external party changed your password or recovery info, use these:

    • Google Workspace Admin Recovery Tool: This is the automated path to prove domain ownership via DNS (adding a CNAME or TXT record). It is the fastest way to bypass a rogue admin.

    • Report Abuse/Illegal Activity: If the former admin is actively sabotaging or engaging in illegal behavior using the account, use this specialized reporting tool.

     

    If the automated recovery fails, you need to contact support.

    • Contact Google Workspace Support: If you can’t sign in, click "Try another way" on the sign-in page until you reach a contact form.

    • Support PIN Help: If you are talking to support and they ask for a PIN you don't have (because you're locked out), tell them you cannot access the Admin Console; they have a secondary verification process for these cases.

     

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.