Cloud Identity: Bridge Between Admin and Cloud Console
Understand how Google Cloud Identity connects the Admin Console and Cloud Console. Free vs Premium tiers, SSO, device management, and setup for Australian SMBs.
Every Google Workspace admin eventually hits the same wall. You have forty users managed neatly in the Admin Console at admin.google.com. Your development team then spins up a project in the Cloud Console at console.cloud.google.com. Suddenly there are two separate systems that both need to know who your people are, what they can access, and whether their devices are trustworthy. You start creating accounts in one console, granting permissions in another, and wondering why there is no single place that ties everything together.
There is. It is called Cloud Identity, and it is the layer most Australian SMB admins have been using without realising it. Cloud Identity is the identity and access management service that underpins both Google Workspace and Google Cloud Platform. It is the reason a user you create in the Admin Console can immediately sign into a GCP project, and the reason a security policy you enforce in one place can follow that user across Google's entire ecosystem.
If you have ever asked why identity management seems scattered across two consoles, Cloud Identity is the answer -- and understanding it properly will change how you think about your organisation's security posture.
What this post covers:
- What Cloud Identity is and why it matters for your business
- The difference between Free and Premium tiers
- How Cloud Identity connects Workspace and GCP under a single identity layer
- Step-by-step guidance for setting up Cloud Identity
- Device management and single sign-on (SSO) capabilities
- Practical recommendations for Australian SMBs
What Cloud Identity Actually Is
Cloud Identity is Google's standalone Identity as a Service (IDaaS) product. It provides user and group management, device management, security policies, and single sign-on -- all without requiring a Google Workspace subscription. If you already have Google Workspace, Cloud Identity is baked into your licence. Every Workspace user is, under the hood, a Cloud Identity user.
The simplest way to understand it: Cloud Identity is the directory. Google Workspace is the productivity suite. Google Cloud Platform is the infrastructure suite. Cloud Identity sits beneath both of them, providing the shared foundation of "who is this person, and what are they allowed to do?"
This matters for three practical reasons:
- Unified user directory. When you add a user in the Admin Console, that user exists in Cloud Identity. They can immediately authenticate to GCP, third-party SaaS apps via SAML SSO, and any service that supports Google as an identity provider. You are not maintaining separate user databases.
- Consistent security policies. Password requirements, 2-Step Verification enforcement, and session management policies set in Cloud Identity apply everywhere that identity is used -- Workspace apps, Cloud Console, and federated applications.
- Centralised device management. Endpoint verification and mobile device policies configured through Cloud Identity apply regardless of which Google service the device is accessing. A compromised phone is a compromised phone whether the user is opening Gmail or accessing a Cloud Storage bucket.
For Australian businesses operating under the Privacy Act 1988 and following the Australian Cyber Security Centre's Essential Eight, Cloud Identity is the mechanism that lets you implement "restrict administrative privileges" and "multi-factor authentication" across your entire Google footprint from a single point of control.
Cloud Identity Free vs Premium: What You Actually Get
Google offers Cloud Identity in two tiers. The naming is straightforward, but the capabilities differ meaningfully.
Cloud Identity Free
Cloud Identity Free is designed for organisations that need identity management without Google Workspace's productivity apps. It is commonly used for:
- GCP-only users. Developers or contractors who need to access Google Cloud resources but do not need Gmail, Drive, or other Workspace apps. Instead of paying for a full Workspace licence, you assign them a Cloud Identity Free licence.
- Non-employee accounts. Vendors, partners, or external collaborators who need a managed Google identity within your organisation's domain but do not require Workspace tools.
- Extending your directory. Organisations already using Workspace that have users who only need authentication -- no email, no Drive, no Calendar.
Cloud Identity Free includes:
- User and group management
- Basic device management (endpoint verification)
- 2-Step Verification enforcement
- SAML-based SSO for third-party apps
- Basic security and audit reporting
- Up to 50 Cloud Identity Free users per organisation (though this can be increased by contacting Google)
Cloud Identity Premium
Cloud Identity Premium adds enterprise-grade security and management features. It costs approximately AUD $10.80 per user per month (pricing varies; check current rates). The premium tier includes everything in Free plus:
- Advanced mobile device management. Full MDM capabilities including remote wipe, device approval, app management, and granular policy controls for Android and iOS devices.
- Context-aware access. Policies that evaluate device posture, IP address, geographic location, and other signals before granting access. This is the same capability available in Google Workspace Enterprise editions.
- Security posture management. Automated assessment and recommendations for your organisation's security configuration.
- App management. Control which apps users can install on managed devices, push apps to devices remotely, and manage app configurations.
- BeyondCorp Enterprise integration. Zero-trust access controls for applications and resources based on user identity and device state, without requiring a VPN.
- Enterprise audit logging. Detailed logs of admin actions, user sign-ins, device events, and security alerts with extended retention.
Which Tier Do You Need?
For a typical 30-person Australian SMB already using Google Workspace, the Workspace licence includes Cloud Identity features appropriate for most use cases. You would use Cloud Identity Free for additional users who do not need Workspace apps -- contractors accessing GCP, for instance.
Cloud Identity Premium becomes relevant when you need advanced device management for a mobile workforce, context-aware access controls beyond what your Workspace plan provides, or when you are managing a large number of non-Workspace users who still require enterprise-level security controls.
| Feature | Cloud Identity Free | Cloud Identity Premium |
|---|---|---|
| User and group management | Yes | Yes |
| 2-Step Verification | Yes | Yes |
| SAML SSO | Yes | Yes |
| Basic endpoint verification | Yes | Yes |
| Advanced MDM | No | Yes |
| Context-aware access | No | Yes |
| App management on devices | No | Yes |
| BeyondCorp Enterprise | No | Yes |
| Enterprise audit logging | Limited | Full |
| Approximate cost per user/month (AUD) | Free | ~$10.80 |
How Cloud Identity Connects Workspace and GCP
This is the part that resolves the confusion most admins experience. When you set up Google Workspace, Google automatically creates an organisation resource (sometimes called the organisation node) tied to your verified domain. This organisation resource exists in Google Cloud's Resource Manager and serves as the root of your resource hierarchy.
Here is how the pieces fit together:
The Identity Layer
Every user in your Admin Console exists in Cloud Identity. This identity follows them into the Cloud Console. When your developer signs into console.cloud.google.com, Google does not ask them to create a separate account. They use the same credentials managed through your Admin Console, subject to the same password policy and 2-Step Verification requirement.
This is not a sync or a replication. It is the same identity. The Admin Console is simply a management interface for the Cloud Identity directory. When you look at it this way, the Admin Console is not "the Workspace management tool" -- it is "the Cloud Identity management tool that also configures Workspace apps."
The Organisation Resource
Your organisation resource is the container that links your Cloud Identity directory to your GCP resource hierarchy. It provides:
- Organisation-level IAM policies. Permissions granted at the organisation level cascade down to all projects and resources within it.
- Organisation policies. Constraints like "restrict which regions VMs can be deployed to" or "require all Cloud Storage buckets to have uniform access" apply across every GCP project in your organisation.
- Centralised visibility. Security Command Center, Asset Inventory, and billing reports can aggregate data across all projects under the organisation resource.
Without Cloud Identity, a GCP project is an orphan -- it belongs to an individual Google account with no organisational governance. With Cloud Identity, every project exists within a structure you control.
Practical Example
Consider an Australian accounting firm with 25 staff:
- Workspace users (25). Managed in the Admin Console. They use Gmail, Drive, Calendar, and Meet daily. Each has a Cloud Identity behind their Workspace licence.
- GCP project for a client portal (3 developers). The three developers are among the 25 Workspace users. You grant them IAM roles (like Editor or Viewer) on the GCP project through the Cloud Console. They sign in with the same identity.
- External contractor (1). A freelance developer needs GCP access but not Workspace apps. You create a Cloud Identity Free account for them in the Admin Console. They can sign into the Cloud Console with your organisation's domain credentials, subject to your security policies, without consuming a Workspace licence.
- Security policies. You enforce 2-Step Verification in the Admin Console. It applies to all 26 users -- the 25 Workspace users and the contractor -- across Gmail, Drive, the Cloud Console, and any SAML-configured third-party apps.
This is the bridge. One directory, one set of security policies, one audit trail, applied consistently across two management consoles and every service connected to them.
Setting Up Cloud Identity
If you already have Google Workspace, Cloud Identity is active. Your users are Cloud Identity users. Your organisation resource exists. There is no separate setup required.
If you need to add Cloud Identity Free users alongside your Workspace users, here is the process:
Step 1: Verify Cloud Identity Licence Availability
- Sign into the Admin Console at admin.google.com.
- Navigate to Billing > Subscriptions.
- Check whether Cloud Identity Free appears as an available subscription. If it does not, you can add it by clicking Get more services or visiting the Google Cloud Identity sign-up page.
Step 2: Create a Cloud Identity Free User
- In the Admin Console, go to Directory > Users.
- Click Add new user.
- Fill in the user's name and email address on your domain.
- Under licence assignment, select Cloud Identity Free instead of your Workspace plan.
- The user will receive their credentials and can sign in to services like the Cloud Console, but will not have access to Gmail, Drive, or other Workspace productivity apps.
Step 3: Apply Security Policies
Cloud Identity users are subject to the same security settings as Workspace users. Verify that your policies are appropriate:
- 2-Step Verification. Go to Security > Authentication > 2-Step Verification. Ensure it is enforced for the organisational unit or group containing your Cloud Identity users.
- Password requirements. Go to Security > Authentication > Password management. Set minimum length and complexity requirements.
- Session management. Go to Security > Google session control. Configure session duration and re-authentication intervals.
Step 4: Grant GCP Access
- Open the Cloud Console at console.cloud.google.com.
- Navigate to IAM & Admin > IAM within the relevant project.
- Click Grant Access.
- Enter the Cloud Identity user's email address.
- Assign the appropriate IAM role (Viewer, Editor, or a custom role following the principle of least privilege).
The user can now sign into the Cloud Console with their organisation credentials, governed by your security policies, and access the GCP resources you have authorised.
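A check that ties Steps 3 and 4 together, as an added example that is not part of the original post: it cross-references a project's IAM policy against a directory export and flags user bindings that sit outside the policies described above. The sample policy, the sample users, the example.com domain, the function name and the issue labels are all constructed for illustration.

```python
import json

# Basic roles that grant write access across every service in a project.
BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["user:dev1@example.com", "user:contractor@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["user:dev2@example.com", "user:freelancer@gmail.com"]},
  {"role": "roles/run.developer",
   "members": ["user:former@example.com",
               "serviceAccount:portal@demo-project.iam.gserviceaccount.com"]}
]}
""")

# Constructed sample using field names from the Admin SDK Directory API users resource.
SAMPLE_USERS = [
    {"primaryEmail": "dev1@example.com", "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "dev2@example.com", "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "contractor@example.com", "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "former@example.com", "isEnforcedIn2Sv": True, "suspended": True},
]


def audit_project_access(policy, users, domain):
    """Return sorted (email, role, issue) findings for user members of an IAM policy."""
    directory = {u["primaryEmail"].lower(): u for u in users}
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind != "user":
                continue  # groups and service accounts need a separate review
            email = email.lower()
            if role in BROAD_BASIC_ROLES:
                findings.add((email, role, "BROAD_BASIC_ROLE"))
            if not email.endswith("@" + domain):
                # An identity you do not manage is not covered by your 2SV or session policy.
                findings.add((email, role, "EXTERNAL_IDENTITY"))
                continue
            record = directory.get(email)
            if record is None:
                findings.add((email, role, "NOT_IN_DIRECTORY"))
            elif record.get("suspended"):
                # The binding stays in the policy after suspension; remove it.
                findings.add((email, role, "SUSPENDED_WITH_BINDING"))
            elif not record.get("isEnforcedIn2Sv"):
                findings.add((email, role, "2SV_NOT_ENFORCED"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_project_access(SAMPLE_POLICY, SAMPLE_USERS, "example.com"):
        print(*finding, sep="\t")
```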
Device Management and SSO
Two of Cloud Identity's most valuable capabilities for Australian SMBs are device management and single sign-on. Both reduce the administrative burden of managing a distributed workforce while strengthening your security posture.
Device Management
Cloud Identity provides device management that spans the full range of endpoints your staff use:
Basic endpoint verification (Free tier):
- Verifies that a device accessing your organisation's data has a screen lock enabled
- Reports the operating system, device type, and last sync time
- Allows you to sign a user out of a device remotely
- Provides a device inventory visible in the Admin Console under Devices > Mobile and endpoints
Advanced MDM (Premium tier):
- Enforces device encryption
- Requires minimum operating system versions
- Blocks jailbroken or rooted devices
- Remotely wipes corporate data (or the entire device) if it is lost or stolen
- Controls app installation on managed devices
- Pushes Wi-Fi and VPN configurations to devices
For an Australian SMB with staff working from home, from client sites, or while travelling, device management through Cloud Identity means you do not need a separate MDM product. The same Admin Console where you manage users and security policies also manages the devices those users carry.
Under the Australian Privacy Act 1988, organisations that experience a data breach through a lost or stolen device must notify affected individuals and the Office of the Australian Information Commissioner if the breach is likely to result in serious harm. Remote wipe capability through Cloud Identity Premium is a direct mitigation for this risk.
Single Sign-On (SSO)
Cloud Identity supports SAML 2.0-based single sign-on, which means your users can authenticate to third-party applications using their Google identity. Instead of maintaining separate usernames and passwords for Slack, Atlassian, Salesforce, or Xero, your staff sign in once with their Google credentials and access everything.
Setting up SSO for a third-party app:
- In the Admin Console, go to Apps > Web and mobile apps.
- Click Add app > Search for apps or Add custom SAML app.
- For pre-integrated apps (Google maintains a catalogue of hundreds), select the app and follow the guided setup.
- For custom SAML apps, you will need the app's ACS URL, Entity ID, and attribute mappings. Enter these in the configuration wizard.
- Assign the app to the appropriate organisational units or groups.
- Users in those OUs or groups will see the app in their Google Apps launcher and can sign in without separate credentials.
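For the custom SAML app step above, the ACS URL and Entity ID usually come from the service provider's SAML metadata file. The following added example (not from the original post) extracts both from SP metadata and rejects an ACS URL that is not an absolute https:// URL. The metadata document, the app.example.com host and the function name are constructed, and choosing the HTTP-POST endpoint is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed service-provider metadata for a hypothetical app.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="https://app.example.com/saml/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Location="https://app.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_settings(metadata_xml):
    """Extract the values the SAML app wizard asks for from SP metadata."""
    # Only parse metadata obtained from the vendor over a trusted channel.
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    endpoints = [e for e in sp.findall(MD + "AssertionConsumerService")
                 if e.get("Binding") == HTTP_POST]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    endpoints.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    acs = endpoints[0].get("Location", "")
    parts = urlsplit(acs)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("ACS URL must be an absolute https:// URL: %r" % acs)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs,
        "name_id_format": sp.findtext(MD + "NameIDFormat", default="").strip(),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in sp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```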
Why SSO matters for Australian SMBs:
- Reduced password fatigue. Fewer passwords means fewer weak passwords, fewer password reuse incidents, and fewer support tickets for "I forgot my login."
- Centralised offboarding. When an employee leaves, suspending their Cloud Identity account immediately revokes access to every SSO-connected application. No need to remember to deactivate accounts in five different SaaS tools.
- Audit trail. All SSO authentication events are logged in the Admin Console, providing a single view of who accessed which applications and when.
- Compliance alignment. The Essential Eight's "restrict administrative privileges" principle is easier to implement when access to all applications flows through a single identity provider you control.
Affiliate & Partner Programs
If you are evaluating Google services for your organisation or advising clients on identity management and cloud strategy, the following programs are worth exploring:
- Google Workspace Referral Program: If you are recommending Google Workspace to other businesses -- and you should be, given how tightly it integrates with Cloud Identity and GCP -- the referral program rewards you for every successful sign-up. This is particularly relevant for IT consultants and managed service providers advising Australian SMBs. Generate your referral link at https://referworkspace.app.goo.gl/
- Google Cloud Partner Program: For IT firms looking to build a practice around Google Cloud, the Partner Program provides access to technical training, certification support, go-to-market resources, and co-selling opportunities. If your clients are starting to use GCP alongside Workspace, becoming a Google Cloud Partner positions you as a trusted advisor who understands both sides of the bridge. Learn more at https://cloud.google.com/partners
- Cloud Identity Free Tier: If you have contractors or external collaborators who need managed access to GCP resources without a Workspace licence, Cloud Identity Free is the cost-effective solution. You get identity management, 2-Step Verification, and basic device management at no charge. It is the practical first step for extending your security perimeter beyond your core team.
Bringing It All Together
Cloud Identity is not a separate product you need to go out and buy. If you are running Google Workspace, you are already running it. The Admin Console at admin.google.com is your interface for managing Cloud Identity users, security policies, and device controls. The Cloud Console at console.cloud.google.com consumes those identities when granting access to GCP resources. Cloud Identity is the thread that connects the two.
For Australian SMBs, the practical takeaways are straightforward:
- You already have a unified identity layer. Every Workspace user is a Cloud Identity user. You do not need to create separate accounts for GCP access.
- Use Cloud Identity Free for non-Workspace users. Contractors, developers, and partners who need GCP access but not productivity apps should get a Cloud Identity Free licence instead of a full Workspace seat.
- Your security policies apply everywhere. 2-Step Verification, password requirements, and session controls set in the Admin Console follow users into the Cloud Console and SSO-connected apps.
- Device management is built in. You do not need a separate MDM tool for basic endpoint verification. If you need advanced controls, Cloud Identity Premium provides them at a fraction of the cost of standalone MDM solutions.
- SSO simplifies your security posture. Fewer passwords, centralised offboarding, and a unified audit trail make compliance with the Privacy Act and Essential Eight measurably easier.
The next time you find yourself switching between the Admin Console and the Cloud Console, wondering how they relate, remember: Cloud Identity is the bridge. It is the shared foundation that makes one Google identity work across every Google service -- and beyond. Understanding that bridge is the first step toward managing your organisation's cloud footprint as a single, coherent system rather than a collection of disconnected tools.