Google Workspace (G Suite)
Overview
The Google Workspace (formerly G Suite) Adapter integrates Axonius with Google Workspace to collect visibility for users, devices, applications, configurations, and activities across the organization. By leveraging Google Workspace APIs and delegated administrative access, Axonius can inventory identity and SaaS assets, enrich security context, and support enforcement actions—while adhering to least-privilege access principles where applicable.
Use Cases the Adapter Solves
The Google Workspace adapter helps organizations:
- Gain full visibility into users, devices, applications, and licenses in Google Workspace
- Track user access, roles, permissions, and group memberships
- Monitor OAuth applications, browser extensions, and SaaS integrations
- Audit security-relevant activities using Google Workspace audit logs
- Identify misconfigurations, over-privileged users, and unused licenses
- Enrich identity and SaaS posture data for risk analysis and compliance
- Enable enforcement actions such as suspending users, changing OUs, managing roles, or removing extensions
Asset Types Fetched
Devices |
Users |
Groups |
Roles |
Accounts & Tenants |
Permissions |
Rules |
Software |
SaaS Applications |
Application Settings |
Licenses |
Application Extensions |
Admin Managed Extensions |
User Initiated Extensions |
Application Keys |
Activities |
Application Resources |
Application Settings |
Before You Begin
Authentication Methods
The Google Workspace (G Suite) adapter supports the following authentication method:
- Service Account and Enable Domain-Wide Delegation
Required Permissions
These read privileges and scopes are required to fetch Cyber Assets into Axonius.
Required Privileges
- Users
- Organizational Units
- Devices
Required Scopes
admin.directory.user.readonlyadmin.directory.orgunit.readonlyadmin.directory.device.mobile.readonlyadmin.directory.device.chromeos.readonly
Optional Privileges
- Chrome Management
- Groups
- Reports
Optional Scopes
admin.directory.device.chromebrowsers.readonlyadmin.directory.group.readonlycloud-identity.devices.readonlyadmin.reports.usage.readonlyapps.groups.settings
To add the scope required for fetching Application Settings:
- Login to
https://admin.google.com/. - Navigate to Security → Access and data control → API Controls → Domain wide delegation.
- Find your Client ID and click Edit.
- Add the scope:
https://apps-apis.google.com/a/feeds/domain/ - Click Authorize.
Application Settings fetched by the Adapter
After fetch, the following fields appear automatically in SaaS query results under the Application Settings entity type. Ensure the Fetch Settings (Policies) advanced setting is enabled for the fetch to work.
SSO General Settings
- Fetched from API endpoint
https://apps-apis.google.com/a/feeds/domain/2.0/%7BdomainName%7D/sso/general
| Field Name | Description |
|---|---|
| samlSignonUri | The identity provider URL where Google sends the SAML authentication request |
| samlLogoutUri | The URL users are sent to when logging out |
| changePasswordUri | The URL users are sent to when changing their SSO password |
| enableSSO | Whether SAML-based Single Sign-On (SSO) is enabled for the domain |
| ssoWhitelist | Network mask IP in CIDR format — determines which users sign in via SSO vs. Google auth |
| useDomainSpecificIssuer | Whether a domain-specific issuer is used in the SAML request to the identity provider |
Email Gateway Settings
- Fetched from API endpoint
https://apps-apis.google.com/a/feeds/domain/2.0/%7BdomainName%7D/email/gateway)
| Field Name | Description |
|---|---|
| smartHost | The IP address or hostname of the SMTP server that Google routes outbound mail to |
| smtpMode | Possible values: SMTP (default) or SMTP_TLS (TLS-secured delivery) |
More Information About This Adapter
Deploying the Google Workspace (G Suite) Adapter
Google Workspace Advanced Permissions
