Google Workspace (G Suite)

Overview

The Google Workspace (formerly G Suite) Adapter integrates Axonius with Google Workspace to collect visibility for users, devices, applications, configurations, and activities across the organization. By leveraging Google Workspace APIs and delegated administrative access, Axonius can inventory identity and SaaS assets, enrich security context, and support enforcement actions—while adhering to least-privilege access principles where applicable.

Use Cases the Adapter Solves

The Google Workspace adapter helps organizations:

  • Gain full visibility into users, devices, applications, and licenses in Google Workspace
  • Track user access, roles, permissions, and group memberships
  • Monitor OAuth applications, browser extensions, and SaaS integrations
  • Audit security-relevant activities using Google Workspace audit logs
  • Identify misconfigurations, over-privileged users, and unused licenses
  • Enrich identity and SaaS posture data for risk analysis and compliance
  • Enable enforcement actions such as suspending users, changing OUs, managing roles, or removing extensions

Asset Types Fetched

Devices | Users | Groups | Roles | Accounts & Tenants | Permissions | Rules | Software | SaaS Applications | Application Settings | Licenses | Application Extensions | Admin Managed Extensions | User Initiated Extensions | Application Keys | Activities | Application Resources | Application Settings |

Before You Begin

Authentication Methods

The Google Workspace (G Suite) adapter supports the following authentication method:

  • Service Account and Enable Domain-Wide Delegation

Required Permissions

These read privileges and scopes are required to fetch Cyber Assets into Axonius.

Required Privileges

  • Users
  • Organizational Units
  • Devices

Required Scopes

  • admin.directory.user.readonly
  • admin.directory.orgunit.readonly
  • admin.directory.device.mobile.readonly
  • admin.directory.device.chromeos.readonly

Optional Privileges

  • Chrome Management
  • Groups
  • Reports

Optional Scopes

  • admin.directory.device.chromebrowsers.readonly
  • admin.directory.group.readonly
  • cloud-identity.devices.readonly
  • admin.reports.usage.readonly
  • apps.groups.settings

To add the scope required for fetching Application Settings:

  1. Login to https://admin.google.com/.
  2. Navigate to SecurityAccess and data controlAPI ControlsDomain wide delegation.
  3. Find your Client ID and click Edit.
  4. Add the scope: https://apps-apis.google.com/a/feeds/domain/
  5. Click Authorize.
⚙️Application Settings fetched by the Adapter

After fetch, the following fields appear automatically in SaaS query results under the Application Settings entity type. Ensure the Fetch Settings (Policies) advanced setting is enabled for the fetch to work.

SSO General Settings

  • Fetched from API endpoint https://apps-apis.google.com/a/feeds/domain/2.0/%7BdomainName%7D/sso/general
Field NameDescription
samlSignonUriThe identity provider URL where Google sends the SAML authentication request
samlLogoutUriThe URL users are sent to when logging out
changePasswordUriThe URL users are sent to when changing their SSO password
enableSSOWhether SAML-based Single Sign-On (SSO) is enabled for the domain
ssoWhitelistNetwork mask IP in CIDR format — determines which users sign in via SSO vs. Google auth
useDomainSpecificIssuerWhether a domain-specific issuer is used in the SAML request to the identity provider

Email Gateway Settings

  • Fetched from API endpoint https://apps-apis.google.com/a/feeds/domain/2.0/%7BdomainName%7D/email/gateway)
Field NameDescription
smartHostThe IP address or hostname of the SMTP server that Google routes outbound mail to
smtpModePossible values: SMTP (default) or SMTP_TLS (TLS-secured delivery)

More Information About This Adapter

Deploying the Google Workspace (G Suite) Adapter

Google Workspace Advanced Permissions

Google Workspace Advanced Settings

Google Workspace Related Enforcement Actions