Google Workspace can be one of the first connections you make at Drata. By connecting Google Workspace to Drata, you simplify your compliance monitoring process. After the connection is made, personnel can log into Drata to complete tasks, and Drata enables monitoring tests that automatically keep track of certain processes.
Prerequisites
Ensure you have Super Admin access to your company's Google Workspace account.
If you do not have Super Admin access, you can invite an individual who does. Go to our Connections page and select Identity under Types. Expand the notification message Setting up your identity provider connection and select the link invite another admin. In the next steps, enter the required fields, and an email invitation is sent to them.
If the email domain you used to sign into Drata does not match your Google Workspace email domain, you will need to reach out to the technical support team in order to sync personnel.
Enable Google Workspace
Select Connections on the side navigation menu.
Select the Available connections tab, search for Google Workspace, and select Connect.
Ensure you selected the Google Workspace connection under the Identity type.
Follow the instructions in the connection drawer. Use the copy button in the drawer to copy each value.
Drata Autopilot client ID: Copy and paste the client ID (118095967747130880411) into the Client ID field in Google. Google uses the client ID to verify that the client is registered within the Google Workspace account.
Google Read Only Scopes: Copy and paste the following scopes into the OAuth Scopes field in Google. These give Drata permission to sync users, the groups that the users belong to, and the organization a project belongs to. Learn more about setting scopes through domain-wide delegation at Create access credentials and Control API access with domain-wide delegation.
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
Super-Admin Email: Enter the company's Google Workspace email address that has the Super Admin permission.
Select Save & Test Connection. If a successful test connection is made, you are redirected to the Details tab within the Google Workspace drawer. Scroll down to the Results section to complete any additional steps.
Select who to sync into Drata
Note: There might be some synchronization time depending on the number of personnel being synced.
Go to your Connections page and select your Google Workspace connection card.
In the Google Workspace drawer, scroll down to the Results section.
Within the Results section, you have the option to select which domains to sync into Drata.
You can either sync one email domain or all domains.
Sync only email domain: If you select only one email domain to be synced, only the individuals within your Google Workspace that have the same email domain are synced.
Sync all domains: If you select all domains, all individuals within your Google Workspace are synced into Drata.
In the next steps, you can select specific groups of personnel or all personnel.
Specific group: If the specific group in Google Workspace has nested groups, only the individuals of the top-level group are synced. The individuals from the nested groups are not synced.
All personnel: Individuals with the same email domain are synced.
After making all your changes, make sure to select Confirm to save and implement your changes.
Update the personnel you would like to sync
You can update the personnel you would like to sync at any time.
Go to your Connections page and select your Google Workspace connection card.
In the Google Workspace drawer, select the Setup tab and Update connection to update any previous selections.
Troubleshoot
Before troubleshooting, ensure that you have configured and added all of the Google read-only scopes in the OAuth Scopes field in your Google Workspace account.
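One way to run that check before opening a support ticket, as an added example that is not Drata's or Google's code: it compares the value pasted from the OAuth Scopes field with the client ID and four read-only scopes listed on this page, and reports missing scopes and any grant beyond the read-only set. The function names and the sample value are assumptions constructed for illustration.

```python
"""Audit a domain-wide delegation entry against the scopes this page lists."""

# Client ID and scopes exactly as given on this page.
DRATA_CLIENT_ID = "118095967747130880411"
_BASE = "https://www.googleapis.com/auth/admin.directory."
EXPECTED_SCOPES = frozenset(
    _BASE + name + ".readonly" for name in ("user", "group", "orgunit", "domain")
)

# Constructed sample: one scope lost its ".readonly" suffix and one is absent.
SAMPLE_PASTED = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group,\n"
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly"
)


def parse_scopes(raw):
    """Split a pasted OAuth Scopes value on commas and whitespace."""
    return {token for token in raw.replace(",", " ").split() if token}


def audit_delegation(client_id, raw_scopes):
    """Return findings for one delegation entry (hypothetical helper)."""
    granted = parse_scopes(raw_scopes)
    missing = sorted(EXPECTED_SCOPES - granted)
    extra = sorted(granted - EXPECTED_SCOPES)
    # Extra scopes whose name does not end in ".readonly" exceed the
    # read-only access this page asks for and deserve review first.
    not_read_only = [s for s in extra if not s.endswith(".readonly")]
    client_ok = client_id.strip() == DRATA_CLIENT_ID
    return {
        "client_id_matches": client_ok,
        "missing": missing,
        "extra": extra,
        "not_read_only": not_read_only,
        "ok": client_ok and not missing and not extra,
    }


if __name__ == "__main__":
    for key, value in audit_delegation(DRATA_CLIENT_ID, SAMPLE_PASTED).items():
        print(f"{key}: {value}")
```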
Resolve domain mismatch
Go to your Connections page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve domain mismatch header is displayed, that could mean either your setup configuration has errors or that the email domain you used to sign into Drata does not match the email domain of the Google Workspace super admin account.
You can either update the setup configuration or reach out to the technical support team.
Resolve user name mismatch
Go to your Connections page and select your Google Workspace connection card. In the Google Workspace drawer, view the Results section. Within the Results section, if a Resolve user name mismatch header is displayed, that could mean we found one or more admins within Drata that could not be matched with the individuals from your Google Workspace. This could mean that the listed personnel do not have access to Drata at the moment.
Select the Resolve button to select the admin’s primary email account. An email notification is sent to that person notifying them that their email was updated. After resolving the admin’s email, select Continue. Any admins that aren’t resolved will lose access to Drata if you continue.
Monitoring tests covered
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts