Skip to content

Setting Up Identity-Only Google Accounts with Email Forwarding

Many organizations need Google accounts for authentication only - for SSO, admin access, or identity management - without giving the user a full Google Workspace license. This guide walks through setting up identity-only accounts using Cloud Identity Free and forwarding any emails sent to these accounts to an admin or a desired email address.

1. Enable Cloud Identity Free

  1. Go to the Google Admin Console → Billing → Buy or Upgrade, find Cloud Identity Free under Google Cloud Management section.
  2. Click on Explore for Cloud Identity Free and add it to your organization.

This allows creation of users without consuming paid Google Workspace licenses.

2. Disable Automatic Workspace License Assignment

  1. Navigate to Billing → Subscriptions → Google Workspace. The name of the subscription may vary based on your Google Workspace plan.
  2. Under License settings section, click Manage licensing settings.
  3. Turn off Automatic licensing.
  4. Optionally you can turn off automatic licensing only for the organization unit in which you intend to create the new identity-only users.

This ensures new users only get access to Cloud Identity without a Google Workspace license (no Gmail, Drive, or Docs).

3. Create Identity-Only Users

  1. In Admin Console → Directory → Users → Add new user.
  2. Enter the user’s name and primary email (e.g., [email protected]).
  3. Save the user.
  4. Confirm in Licenses that only Cloud Identity Free is assigned.
  5. Optionally, assign admin roles without a paid Workspace license.

4. Catch Email Sent to Identity-Only Users

Because Cloud Identity Free users do not have Gmail, emails sent to their addresses will normally bounce. You can catch them by creating a Gmail default routing rule:

  1. Admin Console → Apps → Google Workspace → Gmail → Default routing.
  2. Add a Change envelope recipient that forwards emails sent to non-existent addresses to a different email account. You can choose to replace the recipient (with a completely different email address), or just the username, or just the domain.
  3. Save the rule.
  4. Emails to the identity-only-user address will arrive in the specified mailbox.

Recommended if you have multiple identity-only users and want fine-grained control.

5. Testing

  1. Send an email to one of the identity-only addresses.
  2. Verify it is received in the desired mailbox.
  3. Log in as the identity-only user via SSO.
    • Ensure authentication works.
    • Confirm no Gmail, Drive, or Docs access.

✅ Benefits

  • Zero-cost identity accounts for authentication only.
  • Centralized email handling for identity-only users.
  • Supports SSO and admin access without paying for a Workspace license.
  • Scalable for contractors, test accounts, or temporary employees.