Google Workspace Integration
The Google Workspace connector uses a service account with domain-wide delegation to call the Admin SDK Directory and Reports APIs. It collects MFA enrolment rates, super admin account listings, and failed login counts. No user email content or documents are accessed.
- Authentication method: Service account
- API scopes used: Read-only
- Example ISO 27001 control mappings: A.5.17, A.5.15
Prerequisites
Set up a service account with domain-wide delegation
Google Workspace requires a GCP service account with domain-wide delegation to call Admin SDK APIs on behalf of an admin user. This is a one-time setup that takes about 10 minutes.
1. Create a GCP project and service account
In Google Cloud Console (console.cloud.google.com):
- Create or select a GCP project (e.g. aisec-integrations)
- Enable the Admin SDK API: APIs & Services → Enable APIs → search "Admin SDK API"
- Go to IAM & Admin → Service Accounts → Create Service Account
- Name: aisec-evidence-collector; no GCP IAM roles needed
- Under Actions → Manage Keys → Add Key → JSON; save the downloaded JSON file. This key is a long-lived credential that can act as your Workspace admin once delegation is authorised: keep it only where you need it (AISEC), and delete the local copy after pasting it.
2. Enable domain-wide delegation
In the service account details page:
- Click "Edit" → tick "Enable Google Workspace Domain-wide Delegation"
- Click Save; note the Client ID (numeric, e.g. 123456789012345678901). The same value appears as the client_id field of the JSON key you downloaded, which is a quick way to confirm you are authorising the right service account.
3. Authorise the scopes in Workspace Admin Console
In Google Workspace Admin Console (admin.google.com):
- Go to Security → Access and data control → API controls → Manage Domain Wide Delegation
- Click "Add new" and enter the service account Client ID
- Add these scopes exactly (comma-separated):
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- Click Authorise
4. Identify a delegated admin email
The service account will impersonate this admin user when making API calls, so the calls run with that user's admin privileges. Use a dedicated admin account, not a personal one.
- The account must have the Super Admin role, or both the Reports Admin role (for audit log access) and the User Management Admin role (for directory reads); Reports Admin alone cannot list users
- Note the email address — you will enter it as "Admin Email" in AISEC
Configuration
Connect Google Workspace in AISEC
Paste the service account JSON and enter the admin email and domain in Settings → Integrations → Google Workspace → Configure.
Step-by-step
- Admin Email: the email of the admin user the service account will impersonate (e.g. admin@yourcompany.com)
- Primary Domain: your Google Workspace primary domain (e.g. yourcompany.com)
- Service Account JSON: open the JSON key file you downloaded, select all content, and paste it into the textarea
- Sync frequency: daily is appropriate for identity evidence
- Click Connect, then Sync now
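The following is an added example, not AISEC's own code, showing what the Connect step has to verify before any API call is made: that the pasted text is a service-account key, that its client_id is the one authorised under Manage Domain Wide Delegation, and that credentials are built with the admin email as the delegated subject. The key-check uses only the standard library and runs offline; the live smoke test assumes the google-auth and google-api-python-client packages and is only called by you. The sample key at the bottom is constructed and its private key is a placeholder.

```python
# Added example (not AISEC's own code): pre-flight check of the pasted
# service-account key, then delegated credentials for one Directory call.
import json
import re

# The scopes authorised in Admin Console; the request must use exactly these strings.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
]

# Fields every Google service-account JSON key carries.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email",
                   "client_id", "token_uri")


def check_key_json(raw: str, authorised_client_id: str) -> list[str]:
    """Return the problems found in a pasted key; an empty list means usable.

    authorised_client_id is the numeric Client ID entered under
    Manage Domain Wide Delegation; it must equal the key's client_id.
    """
    problems = []
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON, paste the whole file: {exc.msg}"]
    if not isinstance(info, dict):
        return ["JSON top level must be an object"]
    missing = [f for f in REQUIRED_FIELDS if f not in info]
    if missing:
        return [f"missing fields: {', '.join(missing)}"]
    if info["type"] != "service_account":
        problems.append("type is not service_account (wrong kind of credential)")
    if not info["client_email"].endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not re.fullmatch(r"\d+", str(info["client_id"])):
        problems.append("client_id is not the numeric OAuth client ID")
    elif str(info["client_id"]) != authorised_client_id:
        problems.append("client_id differs from the ID authorised in Admin Console")
    if not info["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def delegated_credentials(info: dict, admin_email: str):
    """Credentials that act as admin_email via domain-wide delegation.

    subject= is what makes the credential delegated: without it the token is
    issued to the service account itself, which has no Workspace identity,
    and every Admin SDK call is rejected.
    """
    from google.oauth2 import service_account  # needs google-auth and cryptography
    return service_account.Credentials.from_service_account_info(
        info, scopes=SCOPES, subject=admin_email)


def smoke_test(raw: str, admin_email: str, domain: str) -> dict:
    """One Directory call that proves the whole delegation chain (live, not run here)."""
    from googleapiclient.discovery import build
    directory = build("admin", "directory_v1",
                      credentials=delegated_credentials(json.loads(raw), admin_email))
    return directory.users().list(domain=domain, maxResults=1).execute()


# Constructed sample key for the offline check; the private key is a
# placeholder, not real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "aisec-integrations",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "aisec-evidence-collector@aisec-integrations.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_key_json(SAMPLE_KEY, "123456789012345678901"))  # []
    print(check_key_json(SAMPLE_KEY, "999"))  # client_id mismatch
```

The client_id comparison is the check worth keeping: a key from the wrong service account parses fine, signs a valid JWT, and only fails later at the token exchange with an error that looks like a scope problem.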
Evidence collected
What appears in your evidence register
Three evidence items per sync.
MFA Enrolment
Percentage and count of users with 2-Step Verification enrolled across the domain.
- Maps to ISO 27001: A.5.17, A.8.5
- Maps to SOC 2: CC6.1
Super Admin Review
Count and email list of all super administrator accounts in the workspace.
- Maps to ISO 27001: A.5.15, A.5.18
- Maps to SOC 2: CC6.3
Login Audit
Count of failed login attempts in the last 7 days across the domain.
- Maps to ISO 27001: A.8.15, A.8.16
- Maps to SOC 2: CC7.2
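As an added example (not AISEC's own connector code), this is how the three evidence items above are derived from the Admin SDK payloads: 2-Step Verification state comes from the Directory API's isEnrolledIn2Sv flag, super admins from isAdmin (delegated admins carry isDelegatedAdmin instead and are not counted), and failed logins from Reports API login-application events named login_failure. The fetch helpers assume a google-api-python-client service built with delegated credentials and are not run here; the compute functions take the JSON those APIs return and run offline on the constructed samples at the bottom, which are shaped like the real responses but invented.

```python
# Added example (not AISEC's own code): the three evidence items computed
# from Directory and Reports API responses, with paginated fetch helpers.
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Control mappings as listed on this page.
MAPPINGS = {
    "MFA Enrolment":      {"ISO 27001": ["A.5.17", "A.8.5"],  "SOC 2": ["CC6.1"]},
    "Super Admin Review": {"ISO 27001": ["A.5.15", "A.5.18"], "SOC 2": ["CC6.3"]},
    "Login Audit":        {"ISO 27001": ["A.8.15", "A.8.16"], "SOC 2": ["CC7.2"]},
}


def list_all_users(directory, domain: str) -> list[dict]:
    """Every user in the domain; follows nextPageToken (500 is the page maximum)."""
    users, token = [], None
    while True:
        page = directory.users().list(domain=domain, maxResults=500,
                                      pageToken=token).execute()
        users.extend(page.get("users", []))
        token = page.get("nextPageToken")
        if not token:
            return users


def list_login_failures(reports, days: int = 7) -> list[dict]:
    """login_failure events from the login application in the last `days` days."""
    start = (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    items, token = [], None
    while True:
        page = reports.activities().list(userKey="all", applicationName="login",
                                         eventName="login_failure", startTime=start,
                                         maxResults=1000, pageToken=token).execute()
        items.extend(page.get("items", []))
        token = page.get("nextPageToken")
        if not token:
            return items


def mfa_enrolment(users: list[dict]) -> dict:
    # Suspended accounts stay in the denominator so the figure is conservative;
    # excluding them is a design choice, not something the API decides.
    enrolled = sum(1 for u in users if u.get("isEnrolledIn2Sv"))
    total = len(users)
    return {
        "name": "MFA Enrolment",
        "total_users": total,
        "enrolled": enrolled,
        "percent": round(100 * enrolled / total, 1) if total else 0.0,
        "not_enrolled": sorted(u["primaryEmail"] for u in users if not u.get("isEnrolledIn2Sv")),
        "mappings": MAPPINGS["MFA Enrolment"],
    }


def super_admin_review(users: list[dict]) -> dict:
    # isAdmin marks super admins; isDelegatedAdmin marks role-scoped admins.
    admins = sorted(u["primaryEmail"] for u in users if u.get("isAdmin"))
    return {"name": "Super Admin Review", "count": len(admins),
            "super_admins": admins, "mappings": MAPPINGS["Super Admin Review"]}


def login_audit(activities: list[dict], days: int = 7) -> dict:
    # Count only events actually named login_failure, so the result stays
    # right even if the fetch was done without the eventName filter.
    by_actor = Counter()
    for item in activities:
        failures = sum(1 for e in item.get("events", []) if e.get("name") == "login_failure")
        if failures:
            by_actor[item.get("actor", {}).get("email", "<unknown>")] += failures
    return {"name": "Login Audit", "window_days": days,
            "failed_logins": sum(by_actor.values()), "by_actor": dict(by_actor),
            "mappings": MAPPINGS["Login Audit"]}


def collect_evidence(users: list[dict], activities: list[dict]) -> list[dict]:
    """The three items one sync writes to the evidence register."""
    return [mfa_enrolment(users), super_admin_review(users), login_audit(activities)]


# Constructed sample responses, shaped like the real Directory and Reports payloads.
SAMPLE_USERS = [
    {"primaryEmail": "alice@yourcompany.com", "isAdmin": True, "isEnrolledIn2Sv": True},
    {"primaryEmail": "bob@yourcompany.com", "isAdmin": False, "isEnrolledIn2Sv": True},
    {"primaryEmail": "carol@yourcompany.com", "isAdmin": False, "isEnrolledIn2Sv": False},
    {"primaryEmail": "dave@yourcompany.com", "isDelegatedAdmin": True, "suspended": True,
     "isEnrolledIn2Sv": False},
]
SAMPLE_ACTIVITIES = [
    {"actor": {"email": "carol@yourcompany.com"}, "events": [{"name": "login_failure"}]},
    {"actor": {"email": "carol@yourcompany.com"}, "events": [{"name": "login_failure"}]},
    {"actor": {"email": "bob@yourcompany.com"}, "events": [{"name": "login_success"}]},
    {"actor": {"email": "bob@yourcompany.com"}, "events": [{"name": "login_failure"}]},
]

if __name__ == "__main__":
    print(json.dumps(collect_evidence(SAMPLE_USERS, SAMPLE_ACTIVITIES), indent=2))
```

The per-actor breakdown is not one of the three register items, but it is what turns a bare failure count into something an incident responder can act on when the number jumps between syncs.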
Troubleshooting
Common issues
- 401 Unauthorized: the service account client ID is not listed under Domain-wide Delegation in the Workspace Admin Console. Re-check the authorisation step, and confirm that the ID you entered matches the client_id field of the JSON key you pasted (a key for a different service account produces the same symptom).
- 403 with "Not Authorized to access this resource/api": the required OAuth scopes were not added correctly in Admin Console. The three scope strings must match exactly, character for character, including the .readonly suffix.
- cryptography package not installed: the connector signs the service account's JWT assertion with its private key, which requires the Python cryptography library; install it in the evidence-collector container (pip install cryptography).
- Admin email not a super admin: if the impersonated account is not a Super Admin, it needs both the Reports Admin role (audit log access) and the User Management Admin role (directory calls); with only one of the two, one of the evidence items will fail.
Ready to connect?
Create a GCP service account, enable domain-wide delegation, authorise the scopes in Workspace Admin Console, then paste the JSON key into AISEC.