Google Workspace can be one of the first connections you make at Drata. Connecting it simplifies your compliance monitoring process. After the connection is made, personnel can log in to Drata to complete tasks, and Drata enables monitoring tests that automatically keep track of certain processes.
Choose the correct setup process
Drata supports two ways to connect Google Workspace, depending on how your organization manages admin access. Review the scenarios below to determine which setup process applies to you.
OAuth-based access: If your organization can assign the following Google roles to user accounts, you can set up the connection using OAuth-based access scoped to those roles:
User Management Administrator
Group Reader
Super Admin access: If your organization relies on a super admin, you can use the traditional service account method, which requires setting up domain-wide delegation.
Note: For either process, if the email domain used to sign in to Drata does not match your Google Workspace domain, contact Drata Support to enable personnel syncing.
Option 1: OAuth-based access
This setup uses OAuth 2.0 and a user’s assigned admin roles to authorize Drata to access read-only directory data (users, groups, org units, and domains). This approach is recommended for easier setup and least-privilege access.
Prerequisites
You must sign in with a Google Workspace admin account to authorize the connection.
The user authorizing the connection must have the following roles assigned in Google Workspace:
User Management Administrator
Group Reader
Optional: Custom role
Instead of the predefined roles, you can use a custom role. It must include the following privileges:
user.read
group.read
organizational.read
domain settings
Step 1: Verify Roles in Google Admin
Sign in to the Google Admin console.
Go to Directory > Users.
Select the user who signs into and connects Drata.
Confirm that the user has the following roles assigned to them. You can verify this within Google's Admin roles and privileges section.
User Management Administrator
Group Reader
If the user has a custom role, ensure it includes the following privileges:
user.read
group.read
organizational.read
domain settings
Step 2: Enable the Google Workspace Connection in Drata
In Drata, go to Connections from the side navigation.
Select the Available connections tab.
Search for Google Workspace, and select it under the Identity category.
Select Connect to open the connection drawer.
Option 2: Super Admin access
This setup uses a Google Workspace super admin account and domain-wide delegation to grant Drata access via a service account. This is a more traditional setup and provides persistent access across all users.
Prerequisites
Access to a Google Workspace super admin account
Permission to configure domain-wide delegation in the Google Admin console
Step 1: Set Up Domain-Wide Delegation
Sign in to the Google Admin console using a super admin account.
Go to Security > Access and data control > API controls.
Scroll to Domain wide delegation and select Manage Domain Wide Delegation.
Select Add New.
Drata Autopilot client ID: Copy and paste the client ID (118095967747130880411) into the Client ID field in Google. Google uses the client ID to verify that the client is registered with the Google Workspace account.
Google read-only scopes: Copy and paste the following scopes into the OAuth Scopes field in Google. These give Drata permission to sync users, the groups those users belong to, and the organization a project belongs to. Learn more about setting scopes through domain-wide delegation in Google's Create access credentials and Control API access with domain-wide delegation articles.
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
Leave the Overwrite existing client ID box unchecked.
Select Authorize.
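The following is an added example (not Drata's or Google's code) that audits the two grants this article describes before you run the connection test: the privileges on an Option 1 custom role and the scopes on an Option 2 domain-wide delegation entry. It reports both what is missing (the connection will fail) and what is extra (the grant is broader than the read-only access Drata needs). The comma-delimited format of the OAuth Scopes field, the write scope used in the sample, and the sample grants are assumptions or constructed data; the client ID and the required scope and privilege names come from the article.

```python
"""Least-privilege audit for the Drata <-> Google Workspace grants described above.

Added example, not Drata's code. Models the Option 1 custom-role privileges and
the Option 2 domain-wide-delegation scopes; the sample grants are constructed.
"""
from dataclasses import dataclass, field

# Privileges the article requires on a custom role (Option 1).
REQUIRED_ROLE_PRIVILEGES = frozenset({
    "user.read", "group.read", "organizational.read", "domain settings",
})

# Read-only Directory API scopes the article lists for domain-wide delegation (Option 2).
REQUIRED_DWD_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
})

# Client ID from the article; Google matches the delegation entry on this value.
DRATA_AUTOPILOT_CLIENT_ID = "118095967747130880411"


@dataclass
class GrantAudit:
    missing: set = field(default_factory=set)  # required but not granted: connection fails
    extra: set = field(default_factory=set)    # granted but not required: over-privileged

    @property
    def ok(self) -> bool:
        return not self.missing and not self.extra


def audit_grant(granted, required) -> GrantAudit:
    """Compare what was granted with what is required, in both directions."""
    granted = set(granted)
    required = set(required)
    return GrantAudit(missing=required - granted, extra=granted - required)


def parse_scopes_field(text: str) -> list:
    """Split the OAuth Scopes field as pasted into the Admin console.

    Assumption: the field is comma-delimited; stray whitespace and newlines are
    tolerated so a multi-line paste still parses.
    """
    return [s.strip() for s in text.replace("\n", ",").split(",") if s.strip()]


def audit_delegation_entry(client_id: str, scopes_text: str) -> GrantAudit:
    """Audit a domain-wide delegation entry; a wrong client ID fails outright."""
    if client_id.strip() != DRATA_AUTOPILOT_CLIENT_ID:
        raise ValueError("client ID does not match the Drata Autopilot client ID")
    return audit_grant(parse_scopes_field(scopes_text), REQUIRED_DWD_SCOPES)


if __name__ == "__main__":
    # Constructed sample: three read-only scopes pasted plus a write scope.
    pasted = """https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://www.googleapis.com/auth/admin.directory.user"""
    result = audit_delegation_entry(DRATA_AUTOPILOT_CLIENT_ID, pasted)
    print("missing:", sorted(result.missing))
    print("extra (over-privileged):", sorted(result.extra))

    # Constructed sample: a custom role missing the domain privilege.
    role = audit_grant({"user.read", "group.read", "organizational.read"},
                       REQUIRED_ROLE_PRIVILEGES)
    print("custom role missing:", sorted(role.missing))
```

Run it against the scopes you actually pasted before selecting Authorize; an entry that is missing a scope shows up later as a failed connection test, while an extra write scope grants Drata more than the read-only access this setup is meant to provide.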
Step 2: Connect Google Workspace in Drata
In Drata, go to Connections, then select Google Workspace under the Identity category.
In the connection drawer, enter the email address of the super admin used in the previous step.
Select Save & Test Connection.
If the test is successful, you’ll be redirected to the Details tab in Drata to complete setup.
Select who to sync into Drata
Note: Synchronization may take some time depending on the number of personnel being synced.
Go to your Connection page and select your Google Workspace connection card.
In the Google Workspace drawer, scroll down to the Results section.
Within the Results section, you have the option to select which domains to sync into Drata.
You can either sync one email domain or all domains.
Sync only email domain: If you select only one email domain to sync, only the individuals in your Google Workspace with that email domain are synced.
Sync all domains: If you select all domains, all individuals in your Google Workspace are synced into Drata.
In the next steps, you can select specific groups of personnel or all personnel.
Specific group: If the selected Google Workspace group has nested groups, only the direct members of the top-level group are synced; individuals from the nested groups are not synced.
All personnel: Individuals with the same email domain are synced.
After making all your changes, make sure to select Confirm to save and implement your changes.
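The selection rules above, in particular the nested-group behaviour, are easy to get wrong when checking who will end up in Drata. The following is an added example (not Drata's code) that models those rules over a constructed directory: the domain filter (one domain or all) and the group filter (a specific group contributes only its direct user members, nested groups are not expanded; all personnel means everyone in the chosen domains). The member records mimic the email/type shape of Directory API group members, and treating sub-domains as distinct from the parent domain is an assumption.

```python
"""Model of who gets synced into Drata under the domain and group selections.

Added example, not Drata's code. The directory below is constructed; member
records use the email/type shape of Directory API group members.
"""

# Constructed directory: users, and groups with their direct members.
USERS = {
    "ana@example.com", "bo@example.com", "cy@corp.example.com", "di@example.com",
}
GROUPS = {
    "engineering@example.com": [
        {"email": "ana@example.com", "type": "USER"},
        {"email": "cy@corp.example.com", "type": "USER"},
        {"email": "platform@example.com", "type": "GROUP"},  # nested group
    ],
    "platform@example.com": [
        {"email": "bo@example.com", "type": "USER"},
    ],
}


def email_domain(email: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return email.rsplit("@", 1)[1].lower()


def select_personnel(domains, group=None, users=USERS, groups=GROUPS) -> set:
    """Return the set of individuals that would be synced.

    domains: "all", or a single email domain string. Assumption: sub-domains are
             distinct, so corp.example.com does not match example.com.
    group:   None for "All personnel", or a group address for "Specific group".
    """
    if group is None:
        candidates = set(users)
    else:
        if group not in groups:
            raise KeyError(f"unknown group: {group}")
        # Only direct USER members count. GROUP members are nested groups and are
        # not expanded, so their individuals are not synced.
        candidates = {m["email"] for m in groups[group] if m["type"] == "USER"}
    if domains == "all":
        return candidates
    return {u for u in candidates if email_domain(u) == domains.lower()}


if __name__ == "__main__":
    # bo@example.com is only reachable through the nested group, so it is left out.
    print(sorted(select_personnel("all", "engineering@example.com")))
    # Narrowing to one domain also drops the corp.example.com member.
    print(sorted(select_personnel("example.com", "engineering@example.com")))
    print(sorted(select_personnel("example.com")))
```

If people are missing from Drata after a sync, checking whether they are reached only through a nested group is the first thing this model points at; the fix is to select the group they belong to directly, or to choose All personnel.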
Update the personnel you would like to sync
You can always go and update the personnel you would like to sync.
Go to your Connection page and select your Google Workspace connection card.
In the Google Workspace drawer, select the Setup tab and Update connection to update any previous selections.
Troubleshoot
Before troubleshooting, ensure that you have configured and added all of the Google read-only scopes to the OAuth Scopes field in your Google Workspace account.
Resolve domain mismatch
Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve domain mismatch header is displayed, either your setup configuration has errors or the email domain you used to sign in to Drata does not match the email domain of the Google Workspace super admin account.
You can either update the setup configuration or reach out to the technical support team.
Resolve user name mismatch
Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve user name mismatch header is displayed, Drata found one or more admins that could not be matched with individuals from your Google Workspace. This could mean that the listed personnel do not have access to Drata at the moment.
Select the Resolve button to select the admin's primary email account. An email notification is sent to that person notifying them that their email was updated. After resolving the admin's email, select Continue. Any admins that aren't resolved will lose access to Drata if you continue.
Monitoring tests covered
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts