Deploying the Google Workspace (G Suite) Adapter

1. Go to the Google Cloud Console.

2. Select an existing project or create a new one.

3. Navigate to IAM & Admin → Service Accounts.

4. Click Create service account.

   

5. Enter a name (for example, Axonius Google Workspace Adapter).

6. Click Create and continue.

7. Skip granting roles (roles are not required for domain-wide delegation).

8. Click Done.

1. Click the newly created service account.

2. Open the Keys tab.

3. Click Add Key → Create new key.

4. Select JSON as the key type.

5. Click Create.

   

6. Save the downloaded JSON file securely.

1. In the service account details page, click the Details tab.

2. Click Advanced settings to expand the section.

   

3. Copy the Client ID displayed.

4. Keep this ID ready for the next step in the Google Workspace Admin console.

1. Go to the Google Workspace Admin Console.

2. Navigate to Security → Access and data control → API controls.

   

3. Scroll down to the Domain-wide delegation pane.

4. Click MANAGE DOMAIN WIDE DELEGATION.

   

5. Click Add new.

   

6. In the Client ID field, paste the unique Client ID you copied before.

7. In the OAuth scopes field, enter the comma-separated list of scopes. See Required Permissions.

8. Click AUTHORIZE.

   

1. Go to Google Cloud Console → APIs & Services → Library.

   

2. Select the same project where the service account was created.

3. Search for the Admin SDK API in the Library.

   

4. Click Admin SDK API from the search results.

5. Click Enable.

   

6. Repeat as needed for other APIs.

For additional APIs required for features like Cloud Identity devices, Groups, Calendars, and Chrome Management, refer to Advanced Permissions.

1. Go to Google Workspace Admin Console → Directory → Users.

2. Click ADD NEW USER and enter the user details (for example, [email protected]).

   

3. Open the newly created user account and navigate to the Security tab.

4. Important: Disable 2-step verification for this account:

   • Set 2-step verification to OFF.

     

5. Save the changes.

Option A: Use a Pre-built Role (Quick)

1. Navigate to Account → Admin roles.
2. Assign the user to a pre-built role (for example, User Management Admin) with read-only access.

Option B: Create a Custom Role (Recommended)

1. Navigate to Account → Admin roles → Create new role.
2. Enter a role name (for example, Axonius Read-Only).
3. Under Privileges, select the specific read-only permissions listed in the Required Permissions.
4. Click Continue and then Create Role.
5. Click Assign users and select the user you created.

1. In the Google Workspace Admin Console, from the navigation menu, navigate to Directory> Organizational Unit.

2. Click Create new organizational unit.
   

3. Enter a Name for the Organizational Unit (for example, Axonius SaaS Applications).

4. Click Create.
   

5. From the left navigation menu, navigate to Security> Authentication > SSO with third party IdP.

6. In the Manage SSO profile assignments section, click Get Started or Manage.
   

7. In the Manage SSO profile assignments page, on the left pane, expand the Organizational units section and select the organizational unit you just created.
   

8. Under SSO profile assignment, select None.

9. Click Save.

   

1. Use the user you created before.
2. Licenses: Ensure the Enterprise License Manager API is enabled and the scope https://www.googleapis.com/auth/apps.licensing is authorized.
3. Application Settings: Ensure the Group Settings API is enabled and the scope https://www.googleapis.com/auth/apps.groups.settings is authorized.
4. Record the Username and Password for later use.

1. Log into Google Cloud Console as an administrator.

2. Navigate to IAM & Admin → Roles.

3. Click Create role.

   

4. Enter a Title (for example, srv-axonius-sm-role).

5. Click Add permissions.

6. Search for required permissions (for example, resourcemanager.projects.get).

   

7. Select the permission and click Add.

   

8. Click Create.

1. Navigate to IAM & Admin → IAM.
2. Locate the principal associated with the account.
3. Click the Edit icon next to the principal.
4. Click Add Another Role.
5. Locate and select the custom role you created.
6. Click Save.
7. If prompted, click Continue.

1. Open the following URL, replacing <project_id> with your project ID from the JSON key file:
   https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=<project_id>
2. Click Enable to activate the Admin SDK API.

Prerequisite: These steps must be performed by a Super Admin.

1. Sign in to the Google Workspace Admin Console.

2. Navigate to Menu → Security → Authentication → 2-Step Verification.

3. Select the Organizational Unit (OU) or Group where the user resides.

4. Enable Allow users to turn on 2-Step Verification.

5. Under Enforcement, select Off (allows manual enrollment).

6. Click Save.

1. Sign in to Google My Account.
2. Navigate to Security & sign-in.
3. Under How you sign in to Google, click 2-Step Verification.

4. Complete the initial setup (for example, phone number, SMS, or Google prompt).

5. Enter the code you received from Google and click Next.

6. Click Turn on to enable 2-Step Verification.

7. In the 2-Step Verification page, scroll to the Add more second steps to verify it’s you section.

8. Click Authenticator app.

9. Use the Axonius Built-In Multi-Factor Authenticator, install Google Authenticator on your phone, or add a Chrome extension.

10. Scroll to Authenticator app and click Set up authenticator.

11. Click Can’t scan it? to reveal the Secret Key.

12. Copy the Secret Key.

1. On the adapter Add Connection screen in Axonius, click the Generate Secret Key icon.
2. The Set 2FA Secret Key screen opens.
3. Paste the Secret Key copied from Google into the 2FA Secret Key field and click Next.

4. Axonius generates a 6-digit verification code.
5. Copy the 6-digit code.

6. Return to the Google Set up authenticator screen, click Next, and paste the code to complete verification.
7. Click Verify.
8. Back in Axonius click Complete on the Set 2FA Secret Field dialog.
9. Click Save.

If your organization enforces 2-Step Verification globally, follow the steps below to exclude the service user.

Exclude the user using an Organizational Unit (OU)

1. In the Admin Console, navigate to Directory → Users.
2. Select the user and move them to an OU where 2-Step Verification enforcement is set to Off.

Exclude the user using Group or OU enforcement settings

1. Navigate to Security → Authentication → 2-Step Verification.
2. Select the OU or Group containing the user.
3. Set Enforcement to Off and click Save.

• Account Profile Name - Google user name This field is used to link assets to the profile, such as linking the Applications and App Settings to the Account asset.

• Get OAuth Apps - Select to fetch the OAuth applications used by each user. Note This data requires an additional scope to your Google Workspace (G Suite) admin account. For more information, see Advanced Permissions.

• Fetch Cloud Identity Devices - Select whether to fetch Cloud Identity devices. Note Fetching Cloud Identity devices requires: Adding the following scope to your Google Workspace (G Suite) admin account. It also requires enabling the Cloud Identity API. For more information, see Advanced Permissions.

• Fetch Chrome Browsers – Select this option to fetch Chrome browsers information. Note Fetching Chrome browsers information requires an additional privilege to your Google Workspace (G Suite) admin account. For more information, see Advanced Permissions.

• Fetch Calendars – Select this option to fetch users' calendars. Note Fetching calendar information requires an additional privilege to your Google Workspace (G Suite) admin account. It also requires enabling the Cloud Identity API. For more information, see Advanced Permissions.

• SSO Provider - If your organization uses Google for SSO, you can set this select this check box (selected by default). For more information, see Connecting your SSO Solution Provider Adapter.

• Proxy address - Connect the adapter to a proxy instead of directly connecting it to the domain.

• Proxy port - The port for the proxy server.

• Proxy username - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in Proxy address.

• Proxy password - The password to use when connecting to the server using the Proxy.

• Notes – Add a note of up to 250 characters for this adapter connection.

• Select Gateway – Select the Axonius Gateway to use when connecting adapters whose sources are only accessible by an internal network. To use this option, you need to set up an Axonius Gateway.