Summary and recommendation
Google Gemini user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Google Gemini is no longer a standalone product for Workspace admins - as of March 17, 2025, it is bundled into every Google Workspace plan with no opt-out. Unlike apps that carry their own license toggle, Gemini access is determined entirely by which Workspace plan tier is assigned to a user's Organizational Unit (OU).
There is no separate Gemini license to assign or revoke.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Admin console > Directory > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Workspace (Gemini included) |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Super Admin | Full control over all Google Workspace and Gemini settings, including enabling/disabling Gemini features per OU, managing all users, billing, and security policies | Cannot be restricted by other admins; only another Super Admin can modify Super Admin accounts | Any Google Workspace plan | Counts as a licensed Workspace seat | Super Admin accounts should use 2-step verification; compromised Super Admin access affects all Gemini and Workspace data |
| Delegated Admin (pre-built roles, e.g. User Management Admin, Groups Admin) | Scoped admin privileges such as creating/deleting users, managing groups, or resetting passwords; cannot change Gemini feature toggles unless assigned a role with Services privileges | Cannot manage billing, cannot enable/disable Gemini at the OU level unless explicitly granted Services Admin or a custom role with that privilege | Any Google Workspace plan | Counts as a licensed Workspace seat | Pre-built delegated admin roles do not include Gemini/AI feature management by default; a custom role or Super Admin action is required to grant that access |
| Custom Admin Role | Admin-defined privilege set; can include user management, group management, service settings (including Gemini toggles), reporting, and more | Cannot exceed Super Admin privileges; cannot grant privileges the assigning admin does not themselves hold | Any Google Workspace plan (custom roles are available across all tiers) | Counts as a licensed Workspace seat | Custom roles must explicitly include 'Services > Gemini' or equivalent service privileges to allow Gemini feature management |
| End User (standard licensed seat) | Access to Gemini features as enabled by admin for their Organizational Unit (OU); can use Gemini in Gmail, Docs, Sheets, Meet, etc. per plan tier | Cannot change Gemini availability for themselves or others; cannot access Admin console | Business Starter ($7/user/mo, limited Gemini - 5 prompts/day); Business Standard ($14/user/mo, full Gemini side panels); Enterprise ($25+/user/mo, full Gemini) | Included in Workspace seat price as of March 17, 2025 | Gemini feature availability varies by plan tier even within the same domain; Business Starter users get significantly fewer Gemini capabilities than Standard or Enterprise users |
Permission model
- Model type: hybrid
- Description: Google Workspace uses a combination of pre-built admin roles (Super Admin, User Management Admin, Groups Admin, Help Desk Admin, Services Admin, etc.) and fully custom admin roles. Gemini feature access for end users is controlled at the Organizational Unit (OU) or Group level by admins via the Admin console Services settings. End users have no permission configuration options.
- Custom roles: Yes
- Custom roles plan: Available on all Google Workspace plans
- Granularity: Admin privileges are granular at the service and OU level. Gemini can be enabled or disabled per OU or security group. Individual Gemini features (e.g., Gemini in Gmail vs. Gemini in Meet) can be toggled independently in some configurations.
How to add users
- Sign in to admin.google.com with a Super Admin or User Management Admin account
- Navigate to Directory > Users
- Click 'Add new user'
- Enter the user's first name, last name, and primary email address (username@yourdomain.com)
- Optionally set organizational unit, secondary email, phone, and other profile fields
- Choose whether to auto-generate a password or set one manually
- Click 'Add new user' to confirm
- The new user receives a welcome email with sign-in instructions
- Gemini features are automatically available to the new user based on the OU's Gemini settings and the account's Workspace plan tier
Required fields: First name, Last name, Primary email address (username portion; domain is fixed to verified domain)
Watch out for:
- New users are placed in the top-level OU by default unless manually assigned; Gemini feature availability depends on the OU's service settings
- Licenses are consumed immediately upon user creation and billing adjusts at the next billing cycle
- Business Starter users will have Gemini limited to 5 prompts/day; changing the OU assignment does not lift this limit without a plan-level change
- Email address must use a verified domain already associated with the Workspace account; external domains cannot be used
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin console > Directory > Users > 'Bulk update users' (download CSV template, populate, upload) |
| Domain whitelisting | No | Automatic domain-based user add is not available |
| IdP provisioning | Yes | Available on all Workspace plans; SCIM provisioning is supported via Google Workspace's own SCIM endpoint (used by third-party IdPs connecting to Workspace as the identity provider) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Google Workspace supports both suspending (deactivating) a user and permanently deleting a user. Suspension immediately blocks sign-in and access to Gemini and all Workspace services while preserving the account, data, and license consumption. Permanent deletion removes the account and, after a recovery window of approximately 20 days, data becomes unrecoverable. Admins should transfer data before deletion.
- Sign in to admin.google.com
- Navigate to Directory > Users
- Locate the user by name or email
- Click the user's name to open their profile
- Click the three-dot menu (More options) and select 'Suspend user'
- Confirm the suspension
- The user is immediately blocked from signing in; their Gemini and Workspace access is revoked
- The suspended user's license seat continues to be billed until the account is deleted or the license is reassigned
| Data impact | Behavior |
|---|---|
| Owned records | Files owned by the user in Google Drive remain accessible to the admin and can be transferred to another user before or after deletion. After permanent deletion, data is recoverable for approximately 20 days via Admin console restore, then permanently lost. |
| Shared content | Shared files and documents remain accessible to collaborators after suspension. After permanent deletion, files owned solely by the deleted user are removed from shared views unless transferred beforehand. |
| Integrations | Third-party apps authorized by the user via OAuth lose access upon suspension or deletion. Gemini conversation history and generated content associated with the user account are not transferable. |
| License freed | Suspending a user does NOT free the license seat for billing purposes. Permanently deleting the user frees the seat, and billing adjusts at the next billing cycle. |
Watch out for:
- Suspended users still consume a paid license seat; deletion is required to stop billing for that seat
- Gemini conversation history and AI-generated outputs are tied to the individual user account and cannot be transferred to another user
- Admins have approximately 20 days after deletion to restore a user account and their data via Admin console; after that window, recovery is not possible
- Data transfer (Drive files, Calendar events) must be initiated before or during the deletion flow; it is not automatic
- If the user is the sole owner of shared Drive files, those files become inaccessible to collaborators after deletion unless ownership is transferred first
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Google Workspace Business Starter | Core Workspace apps + limited Gemini (approximately 5 AI prompts/day in select apps) | $7/user/month (as of March 17, 2025) |
| Google Workspace Business Standard | Core Workspace apps + full Gemini side panels in Gmail, Docs, Sheets, Slides, Meet; Gemini in Drive; higher usage limits | $14/user/month (as of March 17, 2025) |
| Google Workspace Business Plus | Core Workspace apps + full Gemini features + enhanced security and compliance tools | $22/user/month (as of March 17, 2025) |
| Google Workspace Enterprise (Starter, Standard, Plus) | Full Gemini features including Gemini Advanced capabilities, NotebookLM Plus, enhanced data protection, and enterprise security controls | $25+/user/month (custom pricing; contact Google Sales) |
- Where to check usage: Admin console > Reporting > Reports > Accounts (for user activity) or Admin console > Billing > Subscriptions (for seat counts and costs)
- How to identify unused seats: Admin console > Reporting > Reports > Apps usage activity report can show last login dates and Workspace app activity per user. Users with no recent activity can be identified for potential suspension or deletion. There is no native 'Gemini usage per user' report exposed in the standard Admin console as of early 2025; overall Gemini usage may appear in the Apps activity reports.
- Billing notes: As of March 17, 2025, Gemini is bundled into all Workspace plans with no opt-out option. Admins cannot purchase Workspace without Gemini or remove the Gemini component to reduce cost. Previously, Gemini was a $20–$30/user/month add-on. Suspended users continue to consume and be billed for their seat until the account is permanently deleted. Seat count changes (additions/deletions) are reflected in the next billing cycle.
The cost of manual management
Suspended users continue to consume a paid seat until the account is permanently deleted - suspension alone does not stop billing. Admins must also manually initiate data transfers before deletion, since Gemini conversation history cannot be transferred the way Drive files can. Without a consistent offboarding process, seat counts drift and audit exposure grows.
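The checks this guide calls out (suspended accounts that still hold a paid seat, Super Admins without 2-step verification, users left in the top-level OU) can be run over a user export. The following is an added example, not code from this guide or from Google: the records are constructed samples that use field names from the Admin SDK Directory API users resource, and the 90-day inactivity threshold and the $14 Business Standard seat price are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records; field names follow the Admin SDK Directory API
# users resource. All addresses and timestamps are invented for illustration.
USERS = [
    {"primaryEmail": "root@example.com", "suspended": False, "isAdmin": True,
     "isEnrolledIn2Sv": False, "orgUnitPath": "/IT",
     "lastLoginTime": "2025-05-30T08:00:00.000Z"},
    {"primaryEmail": "left@example.com", "suspended": True, "isAdmin": False,
     "isEnrolledIn2Sv": True, "orgUnitPath": "/Sales",
     "lastLoginTime": "2025-01-10T09:30:00.000Z"},
    {"primaryEmail": "new@example.com", "suspended": False, "isAdmin": False,
     "isEnrolledIn2Sv": True, "orgUnitPath": "/",
     "lastLoginTime": "2025-05-29T12:00:00.000Z"},
    # Epoch timestamp: treated here as an account that has never signed in.
    {"primaryEmail": "idle@example.com", "suspended": False, "isAdmin": False,
     "isEnrolledIn2Sv": True, "orgUnitPath": "/Sales",
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2025-05-30T08:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit(users, now, stale_days=90, seat_price=14.0):
    """Group accounts by finding and price the seats held by suspended users."""
    findings = {"suspended_billed": [], "admin_no_2sv": [], "root_ou": [], "inactive": []}
    for u in users:
        email = u["primaryEmail"]
        if u["suspended"]:
            # Suspension blocks sign-in but the seat is billed until deletion.
            findings["suspended_billed"].append(email)
            continue  # remaining checks only matter for accounts that can sign in
        if u["isAdmin"] and not u["isEnrolledIn2Sv"]:
            findings["admin_no_2sv"].append(email)  # isAdmin marks a Super Admin
        if u["orgUnitPath"] == "/":
            findings["root_ou"].append(email)  # default placement, never moved
        if (now - parse_ts(u["lastLoginTime"])).days > stale_days:
            findings["inactive"].append(email)
    findings["suspended_monthly_cost"] = seat_price * len(findings["suspended_billed"])
    return findings

if __name__ == "__main__":
    report = audit(USERS, now=datetime(2025, 6, 1, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Accounts listed under suspended_billed are the ones to review for data transfer and deletion; root_ou entries inherit whatever Gemini setting the top-level OU carries.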
What IT admins are saying
The most consistent friction reported by Workspace admins centers on three areas. First, the forced Gemini bundling effective March 2025 introduced a roughly 17% price increase across all plans, with no mechanism to opt out for organizations that do not use AI features.
Second, per-user Gemini usage is not surfaced in the standard Admin console reporting, making it difficult to identify underutilized seats or justify plan tier decisions.
Third, the gap in Gemini capabilities between Business Starter (5 prompts/day) and Business Standard (full side panels) creates inconsistent user experiences across the same domain, which generates support noise.
Common complaints:
- Admins cannot opt out of the Gemini price increase bundled into Workspace plans effective March 2025; organizations that do not want or need Gemini AI features must still pay the increased price
- Gemini conversation history and AI-generated content cannot be transferred when offboarding a user, unlike Drive files
- No granular per-user Gemini usage reporting in the standard Admin console, making it difficult to identify underutilized Gemini seats
- Suspending a user does not free the license seat for billing; admins must permanently delete the account to stop being charged, which creates risk if offboarding is not carefully managed
- Gemini feature availability differs significantly between Business Starter (5 prompts/day) and Business Standard (full access), causing confusion when users on the same domain have different Gemini experiences
- Tied to Google Workspace ecosystem - Gemini cannot be managed or provisioned independently of Workspace
- No standalone SCIM for Gemini - provisioning must go through Google Workspace's own directory and SCIM endpoint
The decision
Every app in a mature SaaS stack eventually requires a decision about who controls access and at what granularity - for Gemini, that decision is made entirely at the OU level, not per user.
Admins who need to grant or restrict Gemini capabilities do so by moving users between OUs, not by toggling a per-user setting. Custom admin roles must explicitly include Services privileges to manage Gemini feature toggles at the OU level; pre-built delegated admin roles do not include this by default.
For organizations managing access at scale, the absence of native per-user Gemini reporting and the inability to decouple Gemini from Workspace billing are the two constraints most likely to affect operational decisions.
Bottom line
Google Gemini access is fully governed by Google Workspace plan tier and OU assignment - there is no independent Gemini provisioning layer.
Every user lifecycle action (add, move, suspend, delete) has a direct effect on Gemini access and billing, and the lack of per-user Gemini usage reporting means admins are largely operating without visibility into actual AI feature consumption.
Organizations that want granular control over Gemini access need to invest in OU structure design upfront, since that is the only native lever available.