To connect a Google Workspace Gmail mailbox over IMAP with a migration tool, an older mail client, or software that does not handle Google authentication properly, you often need an app password. This password is only available if 2-Step Verification is enabled on the account.
Key point
A Google Workspace administrator cannot generate an app password on behalf of a user. The admin can manage security policies, check the 2-Step Verification status, allow or block IMAP, and revoke existing app passwords, but the code must be created from the user account itself.
What is a Google app password?
An app password is a code generated by Google to allow a specific application to access the account. It replaces the usual account password in software that only asks for a username and password, for example over IMAP or SMTP.
This is not the preferred method for modern applications: whenever possible, use Google sign-in with OAuth. App passwords remain useful for some migration tools, IMAP scripts, scanners, multifunction printers, and older mail clients.
Prerequisites before you start
- 2-Step Verification must be enabled on the Google Workspace account.
- IMAP access must be allowed by the Google Workspace administrator and enabled in Gmail if required.
- The account must not be under Advanced Protection or restricted to 2-Step Verification using only security keys.
If the "App passwords" menu does not appear
The most common causes are: 2-Step Verification is not enabled yet, the organization blocks this option, the account uses Advanced Protection, or the allowed 2FA method is too restrictive.
Step 1: enable 2-Step Verification
From the relevant user account:
- Open myaccount.google.com/security
- Sign in with the relevant Google Workspace address
- In the How you sign in to Google section, click 2-Step Verification
- Follow the wizard to configure a verification method: Google Authenticator, Google prompt, SMS, or another method allowed by the organization
- Finish the setup and check that 2-Step Verification is shown as active
If the organization already enforces 2-Step Verification, this step may already be done. In that case, go directly to app password generation.
Step 2: generate the app password
Open app passwords directly
Open myaccount.google.com/apppasswords with the relevant Google Workspace account.
Use the manual path if needed
If the direct link does not work, open myaccount.google.com/security, then in How you sign in to Google, click App passwords. Google may ask for the account password again.
Name the access
Use a clear name, for example IMAP migration, Thunderbird, Outlook, or Imapsync.
Generate and copy the code
Click Create or Generate, then copy the password displayed by Google. It is usually a 16-character code.
Tip
Copy the password immediately into your tool or password manager. Google will not display it again. If you lose it, revoke the old access and generate a new one.
Gmail IMAP and SMTP settings
In your mail client or migration tool, use the full email address as the username and the app password as the password.
| Setting | Value |
|---|---|
| IMAP server | imap.gmail.com |
| IMAP port | 993 |
| IMAP security | SSL/TLS |
| SMTP server | smtp.gmail.com |
| SMTP port | 465 with SSL/TLS or 587 with STARTTLS |
| Username | Full email address |
| Password | App password generated by Google |
Enable IMAP in Gmail
Depending on the domain configuration, the user may also need to enable IMAP in Gmail:
- Open Gmail with the relevant account
- Click the Settings icon, then See all settings
- Go to the Forwarding and POP/IMAP tab
- In the IMAP access section, select Enable IMAP
- Click Save changes
If the option is disabled or missing, IMAP access is probably blocked by an administrator rule.
What the Google Workspace administrator can do
Allow or block IMAP access
In the Google Admin console, the administrator can manage POP/IMAP access for the organization or for specific organizational units. The path can change, but it is usually under:
Google Admin console → Apps → Google Workspace → Gmail → End User Access → POP and IMAP access
Manage 2-Step Verification
The administrator can enforce 2-Step Verification, define which methods are allowed, and check whether a user has enabled it. However, the final activation is still tied to the user account because it requires a personal second-factor method.
View and revoke app passwords
For security reasons, the administrator can view the app passwords created on an account and revoke them if a device is lost, a migration is complete, or an access looks suspicious. The admin cannot retrieve the password in plain text or create a usable one on behalf of the user.
| Action | User | Administrator |
|---|---|---|
| Enable their own 2-Step Verification | Yes | Can enforce it or check the status |
| Create an app password | Yes | No, not on behalf of the user |
| Allow or block IMAP for the organization | No | Yes |
| Revoke an app password | Yes, for their own account | Yes, from the user's security settings |
Security best practices
- Create one password per use case - One for the migration, one for Thunderbird, one for a specific device.
- Name each access clearly - This makes audits and revocation easier.
- Revoke after use - Delete the app password as soon as an IMAP migration is complete.
- Never share the code by email - Use a password manager or a secure channel.
- Watch Google security alerts - An unusual IMAP connection can trigger security notifications.
Quick troubleshooting
The password is rejected
The software shows "incorrect password" or refuses the IMAP connection.
Solution
Check that you are using the app password, without added spaces, and that the username is the full email address.
The menu does not exist
You do not see "App passwords" in the Google account.
Solution
Enable 2-Step Verification first. If it is already active, ask the administrator to check the domain security rules and IMAP access.
Conclusion
To access a Google Workspace Gmail mailbox over IMAP with a traditional password flow, the sequence is: enable 2-Step Verification, then generate an app password from the user account. The administrator can prepare the environment and revoke access, but cannot create these passwords in bulk for all accounts.
In an email migration context, plan this step ahead with each relevant user. It prevents last-minute blockers when connecting the IMAP tool.
Ready to migrate to Infomaniak?
Contact us for a free 15-minute audit. We will analyze your situation and provide you with a personalized quote.
Request a free audit