
Google Workspace Connection for Identity management

Connect to Google Workspace as an Identity type connection.

Updated over a week ago

Google Workspace can be one of the first connections you make in Drata. Connecting Google Workspace to Drata simplifies your compliance monitoring process: after the connection is made, personnel can log into Drata to complete tasks, and Drata enables monitoring tests that automate keeping track of certain processes.

Choose the correct setup process

Drata supports two ways to connect Google Workspace, depending on how your organization manages admin access. Review the scenarios below to determine which setup process applies to you.

  1. OAuth-based access: If your organization can assign the following Google roles to user accounts, you can set up the connection using OAuth-based access scoped to those roles:

    • User Management Administrator

    • Group Reader

  2. Super Admin access: If your organization relies on a super admin, you can use the traditional service account method, which requires setting up domain-wide delegation.

Note: For either process, if the email domain used to sign in to Drata does not match your Google Workspace domain, contact Drata Support to enable personnel syncing.

Option 1: OAuth-based access

This setup uses OAuth 2.0 and a user’s assigned admin roles to authorize Drata to access read-only directory data (users, groups, org units, and domains). This approach is recommended for easier setup and least-privilege access.

Prerequisites

  • You must sign in with a Google Workspace admin account to authorize the connection.

  • The user authorizing the connection must have the following roles assigned in Google Workspace:

    • User Management Administrator

    • Group Reader

Optional: Custom role

Instead of the predefined roles, you may use a custom role. It must include the following privileges:

  • user.read

  • group.read

  • organizational.read

  • domain settings

Step 1: Verify Roles in Google Admin

  1. Sign in to the Google Admin console.

  2. Go to Directory > Users.

  3. Select the user who signs into and connects Drata.

  4. Confirm that the user has the following roles assigned to them. You can verify this within Google's Admin roles and privileges section.

    • User Management Administrator

    • Group Reader

  5. If the user has a custom role, ensure it includes the following privileges:

    • user.read

    • group.read

    • organizational.read

    • domain settings

Step 2: Enable the Google Workspace Connection in Drata

  1. In Drata, go to Connections from the side navigation.

  2. Select the Available connections tab.

  3. Search for Google Workspace, and select it under the Identity category.

  4. Select Connect to open the connection drawer.


Option 2: Super Admin access

This setup uses a Google Workspace super admin account and domain-wide delegation to grant Drata access via a service account. This is a more traditional setup and provides persistent access across all users.

Prerequisites

  • Access to a Google Workspace super admin account

  • Permission to configure domain-wide delegation in the Google Admin console

Step 1: Set Up Domain-Wide Delegation

  1. Sign in to the Google Admin console using a super admin account.

  2. Go to Security > Access and data control > API controls.

  3. Scroll to Domain wide delegation and select Manage Domain Wide Delegation.

  4. Select Add New.

  5. Drata Autopilot client ID: Copy and paste the client ID (118095967747130880411) into the Client ID field in Google. Google uses the client ID to verify that the client is registered within the Google Workspace account.

  6. Leave the Overwrite existing client ID checkbox un-checked.

  7. Google Read Only Scopes: Copy and paste the following scopes into the OAuth Scopes field in Google. These give permission for Drata to sync users, groups that the users belong to, and the organization a project belongs to. Learn more about setting scopes through domain-wide delegation at Create access credentials and Control API access with domain-wide delegation.

    • https://www.googleapis.com/auth/admin.directory.user.readonly

    • https://www.googleapis.com/auth/admin.directory.group.readonly

    • https://www.googleapis.com/auth/admin.directory.orgunit.readonly

    • https://www.googleapis.com/auth/admin.directory.domain.readonly

  8. Leave the Overwrite existing client ID box unchecked.

  9. Select Authorize.
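The four scopes above are all read-only, and the domain-wide delegation entry should contain exactly those and nothing broader. The following Python script is an added example (not Drata's or Google's code) that checks a pasted OAuth Scopes field against that list: it reports scopes that are missing (the sync will fail, which is also the first thing the Troubleshoot section below asks you to confirm), scopes that are extra, and extra scopes that are not read-only, which are the ones to remove first. The sample scope string is constructed for the example.

```python
"""Least-privilege check for the domain-wide delegation entry used by Drata.

Added example, not Drata's or Google's code. It assumes you have copied the
contents of the OAuth Scopes field for the Drata client ID from the Google
Admin console (Security > Access and data control > API controls > Manage
Domain Wide Delegation) and want to confirm that exactly the four read-only
scopes from the setup steps are granted.
"""
from __future__ import annotations

import re

# The four read-only scopes the setup steps tell you to grant.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
})

# Constructed sample of a misconfigured field: the user scope was pasted
# without its .readonly suffix (a read/write scope) and the separators are
# a mix of commas, spaces and a newline, as happens with copy/paste.
SAMPLE_SCOPE_FIELD = (
    "https://www.googleapis.com/auth/admin.directory.user,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly, "
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly\n"
    "https://www.googleapis.com/auth/admin.directory.domain.readonly"
)


def parse_scope_field(raw: str) -> set[str]:
    """Split a pasted OAuth Scopes field into a set of scope URLs.

    The Admin console takes comma-separated scopes, but people also paste
    them one per line, so split on commas and any whitespace, drop empties.
    """
    return {s.strip() for s in re.split(r"[,\s]+", raw) if s.strip()}


def audit_delegation_scopes(raw: str) -> dict[str, list[str]]:
    """Compare the granted scopes against EXPECTED_SCOPES.

    missing:       expected scopes that are absent (the sync will not work)
    extra:         granted scopes Drata does not need
    write_capable: extra scopes without the .readonly suffix, i.e. the ones
                   that widen the blast radius if the client is ever misused
    """
    granted = parse_scope_field(raw)
    missing = sorted(EXPECTED_SCOPES - granted)
    extra = sorted(granted - EXPECTED_SCOPES)
    write_capable = [s for s in extra if not s.endswith(".readonly")]
    return {"missing": missing, "extra": extra, "write_capable": write_capable}


def is_least_privilege(raw: str) -> bool:
    """True only when the field holds exactly the four expected scopes."""
    result = audit_delegation_scopes(raw)
    return not result["missing"] and not result["extra"]


if __name__ == "__main__":
    report = audit_delegation_scopes(SAMPLE_SCOPE_FIELD)
    for key, scopes in report.items():
        print(f"{key}:")
        for scope in scopes:
            print(f"  {scope}")
    print("least privilege:", is_least_privilege(SAMPLE_SCOPE_FIELD))
```

Run it after pasting the real field contents into SAMPLE_SCOPE_FIELD (or reading them from a file); an empty missing and extra list means the entry matches the article exactly.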

Step 2: Connect Google Workspace in Drata

  1. In Drata, go to Connections, then select Google Workspace under the Identity category.

  2. In the connection drawer, enter the email address of the super admin used in the previous step.

  3. Select Save & Test Connection.

If the test is successful, you’ll be redirected to the Details tab in Drata to complete setup.


Select who to sync into Drata

Note: There might be some synchronization time depending on the amount of personnel being synced.

  1. Go to your Connection page and select your Google Workspace connection card.

  2. In the Google Workspace drawer, scroll down to the Results section.

  3. Within the Results section, you have the option to select which domains to sync into Drata.

You can either sync one email domain or all domains.

  • Sync only email domain: If you select only one email domain to sync, only the individuals in your Google Workspace whose email address uses that domain are synced.

  • Sync all domains: If you select all domains, all individuals in your Google Workspace are synced into Drata.

In the next steps, you can select specific groups of personnel or all personnel.

  • Specific group: Within the Google Workspace, if the specific group has nested groups, the individuals of the top level group are synced. The individuals from the nested groups are not synced.

  • All personnel: Individuals with the same email domain are synced.

After making all your changes, make sure to select Confirm to save and implement your changes.
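Because a Specific group selection syncs only the direct members of that group, anyone who belongs to it only through a nested group will not appear in Drata. The following Python script is an added example (not Drata's code) that takes a constructed group-membership map and reports which people would be synced and which would be missed, so you can check a group before selecting it; it also tolerates nested groups that loop back on each other.

```python
"""Who a "Specific group" selection would sync, and who it would miss.

Added example, not Drata's code. The article states that only direct members
of the selected top-level group are synced and members of nested groups are
not. Given a group map (constructed here; in practice you would build it from
your own directory export), this separates the two sets.
"""
from __future__ import annotations

# Constructed sample directory. Keys are group addresses; values list members,
# which are either user addresses or other group addresses (nested groups).
SAMPLE_GROUPS: dict[str, list[str]] = {
    "all-staff@example.com": [
        "alice@example.com",
        "engineering@example.com",  # nested group
        "bob@example.com",
    ],
    "engineering@example.com": ["carol@example.com", "platform@example.com"],
    # platform nests engineering back, a cycle that must not loop forever
    "platform@example.com": ["dave@example.com", "engineering@example.com"],
}


def direct_members(groups: dict[str, list[str]], group: str) -> list[str]:
    """Users listed directly in the group; this is what the sync picks up."""
    return sorted(m for m in groups.get(group, []) if m not in groups)


def transitive_members(groups: dict[str, list[str]], group: str) -> list[str]:
    """Every user reachable through any depth of nested groups."""
    seen_groups: set[str] = set()
    users: set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen_groups:  # cycle or diamond: already expanded
            continue
        seen_groups.add(current)
        for member in groups.get(current, []):
            if member in groups:
                stack.append(member)
            else:
                users.add(member)
    return sorted(users)


def sync_gap(groups: dict[str, list[str]], group: str) -> dict[str, list[str]]:
    """Split a group's full membership into synced and not-synced users."""
    synced = set(direct_members(groups, group))
    everyone = set(transitive_members(groups, group))
    return {"synced": sorted(synced), "not_synced": sorted(everyone - synced)}


if __name__ == "__main__":
    gap = sync_gap(SAMPLE_GROUPS, "all-staff@example.com")
    print("synced:    ", ", ".join(gap["synced"]))
    print("not synced:", ", ".join(gap["not_synced"]))
```

If the not-synced list is not empty, either select a flatter group or select all personnel for that domain instead.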

Update the personnel you would like to sync

You can always go and update the personnel you would like to sync.

  1. Go to your Connection page and select your Google Workspace connection card.

  2. In the Google Workspace drawer, select the Setup tab and Update connection to update any previous selections.

Troubleshoot

Before troubleshooting, ensure that you have configured and added all of the Google read-only scopes in the OAuth Scopes field of your Google Workspace account.

Resolve domain mismatch

Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve domain mismatch header is displayed, that could mean either your setup configuration has errors or that the email domain you signed into Drata does not match the email domain of the Google Workspace super admin account.

You can either update the setup configuration or reach out to the technical support team.

Resolve user name mismatch

Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve user name mismatch header is displayed, that could mean we found one or more admins within Drata that could not be matched with the individuals from your Google Workspace. This could mean that the listed personnel do not have access to Drata at the moment.

Select the Resolve button to select the admin’s primary email account. An email notification is sent to that personnel notifying that their email was updated. After resolving the admin’s email, select Continue. Any admins that aren’t resolved will lose access to Drata if you continue.

Monitoring tests covered

  • Test 86: MFA on Identity Provider

  • Test 96: Employees have Unique Email Accounts
