The Google Workspace integration allows security and compliance teams to automate identity management and personnel syncing between Google Workspace and Drata. Connecting Drata to Google Workspace centralizes user identity data, verifies compliance controls, and supports access monitoring across your organization.
Key Capabilities
Automated Identity Sync: Sync user, group, organizational unit, and domain data from Google Workspace to Drata for continuous identity monitoring and compliance testing.
Flexible Connection Methods: Choose between OAuth-based access (recommended) or Super Admin access using domain-wide delegation, depending on your organization’s admin model.
Compliance Monitoring: Automate identity-related tests, including:
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts
Prerequisites & Data Access
You must have one of the following Drata roles: Admin, Information Security Lead, DevOps Engineer, or Workspace Manager.
You’ll need either:
OAuth-based access: Use assigned Google roles for read-only authorization (recommended).
Super Admin access: Use a Google Workspace Super Admin account with domain-wide delegation.
If your Drata login email domain differs from your Google Workspace domain, contact Drata Support to enable personnel syncing.
Setup Options Overview
Drata supports two ways to connect Google Workspace, depending on how your organization manages admin access.
Review the scenarios below to determine which setup process applies to you.
OAuth-based access: If your organization can assign the following Google roles to user accounts, you can set up the connection using OAuth-based access scoped to those roles:
User Management Administrator
Group Reader
Super Admin access: If your organization relies on a super admin, you can use the traditional service account method, which requires setting up domain-wide delegation.
Note: For either process, if the email domain used to sign in to Drata does not match your Google Workspace domain, contact Drata Support to enable personnel syncing.
Option 1: OAuth-based access
This setup uses OAuth 2.0 and a user’s assigned admin roles to authorize Drata to access read-only directory data (users, groups, org units, and domains). This is the recommended approach for easier setup and least-privilege access.
Prerequisites
You must sign in with a Google Workspace admin account to authorize the connection.
The user authorizing the connection must have the following roles assigned in Google Workspace:
User Management Administrator
Group Reader
Optional: Custom role
Instead of the predefined roles, you may utilize a custom role. It must include the following privileges:
user.read
group.read
organizational.read
domain settings
Step 1: Verify Roles in Google Admin
Sign in to the Google Admin console.
Go to Directory > Users.
Select the user who signs in to Drata and authorizes the connection.
Confirm that the user has the following roles assigned to them. You can verify this within Google's Admin roles and privileges section.
User Management Administrator
Group Reader
If the user has a custom role, ensure it includes the following privileges:
user.read
group.read
organizational.read
domain settings
Step 2: Enable the Google Workspace Connection in Drata
In Drata, go to Connections from the side navigation.
Select the Available connections tab.
Search for Google Workspace, and select it under the Identity category.
Select Connect to open the connection drawer.
Step 3: Permissions Requested During OAuth Connection
When authorizing, Google presents the permissions requested by Drata. All are read-only and used solely for syncing identity and domain data.
Here’s what each permission means and why it’s requested:
Permission | Access Request | Benefit
View delegated admin roles for your domain | Read data from users used in the Identity sync process. | Drata displays and persists the data on the Personnel page.
View domains related to your customers | Enable Drata to read verified domains in your Google Workspace account. | Drata uses this to support domain-based personnel filtering.
View organization units on your domain | Enable Drata to read OrgUnit assignments in your Google Workspace. | Drata uses this to support OrgUnit-based personnel filtering.
View groups on your domain | Enable Drata to read group membership data in your Google Workspace. | Drata uses this to support group-based personnel filtering.
More context: View domains related to your customers
Google’s API uses the term “customers” to describe both internal admins and external organizations. In Drata’s case, this permission only applies to your verified Workspace domains, not external accounts.
Drata uses this permission exclusively to:
Identify and sync domains linked to your Workspace account.
Support accurate user and identity mapping for compliance.
This permission is read-only; Drata does not modify your domain configuration. For more information, view the Google API documentation.
Option 2: Super Admin access
This setup uses a Google Workspace super admin account and domain-wide delegation to grant Drata access via a service account. This is a more traditional setup and provides persistent access across all users.
Prerequisites
Access to a Google Workspace super admin account
Permission to configure domain-wide delegation in the Google Admin console
Step 1: Set Up Domain-Wide Delegation
Sign in to the Google Admin console using a super admin account.
Go to Security > Access and data control > API controls.
Scroll to Domain wide delegation and select Manage Domain Wide Delegation.
Select Add New.
Drata Autopilot client ID: Copy and paste the client ID (118095967747130880411) into the Client ID field in Google. Google uses the client ID to verify that the client is registered within the Google Workspace account.
Google Read Only Scopes: Copy and paste the following scopes into the OAuth Scopes field in Google. These give Drata read-only permission to sync users, the groups that users belong to, and the organization a project belongs to. Learn more about setting scopes through domain-wide delegation at Create access credentials and Control API access with domain-wide delegation.
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
Leave the Overwrite existing client ID box unchecked.
Select Authorize.
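The delegation entry above is what grants the Drata client access to your directory, so it is worth checking that the entry carries exactly the four read-only scopes and nothing broader. The following audit helper is an added example, not Drata's or Google's code; it assumes you paste the contents of the OAuth Scopes field as entered in the Admin console (comma- or whitespace-separated, or run together as the scopes sometimes are when copied from a web page).

```python
"""Audit a Google Workspace domain-wide delegation entry for the Drata client."""
import re

# Client ID and read-only scopes quoted in the domain-wide delegation steps above.
DRATA_CLIENT_ID = "118095967747130880411"
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
})


def parse_scopes(field: str) -> list[str]:
    """Split the OAuth Scopes field into individual scope URLs.

    The console accepts comma- or whitespace-separated values; this also
    recovers scopes that were pasted run together with no separator at all.
    """
    scopes = []
    for token in re.split(r"[,\s]+", field.strip()):
        if not token:
            continue
        # A single token holding several "https://" prefixes was pasted unseparated.
        parts = re.findall(r"https://[^\s,]+?(?=https://|$)", token)
        scopes.extend(parts or [token])
    return scopes


def audit_delegation(client_id: str, scope_field: str) -> dict:
    """Compare one delegation entry against the expected least-privilege grant."""
    granted = set(parse_scopes(scope_field))
    return {
        "client_matches": client_id == DRATA_CLIENT_ID,
        "missing": sorted(EXPECTED_SCOPES - granted),
        # Anything outside the expected set (for example a write scope) exceeds least privilege.
        "excess": sorted(granted - EXPECTED_SCOPES),
        "write_scopes": sorted(s for s in granted if not s.endswith(".readonly")),
        "ok": client_id == DRATA_CLIENT_ID and granted == EXPECTED_SCOPES,
    }
```

A non-empty "excess" or "write_scopes" list means the entry grants more than the sync needs and should be corrected in the Admin console before authorizing.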
Step 2: Connect Google Workspace in Drata
In Drata, go to Connections, then select Google Workspace under the Identity category.
In the connection drawer, enter the email address of the super admin used in the previous step.
Select Save & Test Connection.
If the test is successful, you’ll be redirected to the Details tab in Drata to complete setup.
Select who to sync into Drata
Note: There might be some synchronization time depending on the amount of personnel being synced.
Go to your Connection page and select your Google Workspace connection card.
In the Google Workspace drawer, scroll down to the Results section.
Within the Results section, you have the option to select which domains to sync into Drata.
You can either sync one email domain or all domains.
Sync only email domain: If you select a single email domain, only the individuals in your Google Workspace whose accounts use that email domain are synced.
Sync all domains: If you select all domains, every individual in your Google Workspace is synced into Drata.
In the next steps, you can select specific groups of personnel or all personnel.
Specific group: If the selected group in Google Workspace has nested groups, only the individuals in the top-level group are synced; individuals in the nested groups are not synced.
All personnel: Individuals with the same email domain are synced.
After making all your changes, make sure to select Confirm to save and implement your changes.
Update the personnel you would like to sync
You can update the personnel you would like to sync at any time.
Go to your Connection page and select your Google Workspace connection card.
In the Google Workspace drawer, select the Setup tab and Update connection to update any previous selections.
Troubleshoot
Before troubleshooting, ensure that you have configured and added all of the Google read-only scopes in the OAuth Scopes field in your Google Workspace account.
Resolve domain mismatch
Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve domain mismatch header is displayed, either your setup configuration has errors or the email domain you used to sign in to Drata does not match the email domain of the Google Workspace super admin account.
You can either update the setup configuration or reach out to the technical support team.
Resolve user name mismatch
Go to your Connection page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve user name mismatch header is displayed, one or more admins in Drata could not be matched with individuals from your Google Workspace. This can mean that the listed personnel do not currently have access to Drata.
Select the Resolve button to select the admin’s primary email account. An email notification is sent to that person notifying them that their email was updated. After resolving the admin’s email, select Continue. Any admins that aren’t resolved will lose access to Drata if you continue.
Monitoring tests covered
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts