Directory Synchronization - Configuring Google Workspace

This article contains information on creating a custom administrator role in Google Workspace for Mimecast integration, including steps to configure roles, enable the Admin SDK, create a service account, authorize client IDs, and set up directory synchronization for secure management.

To configure a directory synchronization integration for Google Workspace, you must perform the following tasks:

• Create the Custom Administrator Role.
• Enable the Admin SDK.
• Create a Service Account.
• Authorize the Service Account's Client ID.

Creating the Custom Administrator Role

To configure the Google Administration Console:

1. Log in to the Google Admin Console.
2. Create a User that will be used for a Mimecast Service Account. See the Adding Users Individually page of the Google Workspace Administrator Help for full details.
3. Make a note of the User's Email Address. This is needed when creating a directory connector in step 5.
4. Create a Custom Administrator Role with "Read" access to the areas listed below. See the Creating Custom Administrator Roles page of the Google Workspace administrator help for full details.

• • • Organization Units
    • Users
    • Groups

5. Add the User created in step 3 to the Role. See the Assigning Administrator Roles to a User page of the Google Workspace administrator help for full details.

Enabling the Admin SDK

To enable the admin SDK from the Google API console:

1. Log in to the Google API Console.
2. Create a Project. See the Creating a Project page in the Google Workspace Activity API technical documentation for further details.
3. On the API tile, click on Go to APIs overview.
4. Click on the Enable APIs and Services button.

5. Select the Admin SDK API  tile.

6. Click the Enable button if it is not enabled.

Creating a Service Account

To create a service account from the Google API console:

1. Log in to the Google API Console.
2. Click on the Credentials menu item.
3. Click on the Create Credentials | Service Account menu item.

4. Complete the New Service Account dialog as follows:

5. Click on the Create and Continue button.
6. Select the Service Accounts | Service Account User role, then click Done.

7. Select the created Service account and click on the Keys button in the Keys section.
8. Click the Add Key button, select Create New Key, and then select the JSON key type.
9. Click on the Create button and save the JSON file in a secure location.
10. From the Credentials menu item, click on Manage service accounts.
11. Navigate to the Service Account you've created.
12. Click on the  icon.
13. Select the Manage Details menu item.

14. Select Show Domain Wide Delegation and select the Enable Google Workspace Domain-Wide Delegation option.
15. Click on Save.
16. Note the Client ID, as this is required in the next step.

Authorizing the Service Account's Client ID

To authorize the service account's client ID:

1. Log in to the Google Admin Console.
2. Click on the Security menu item.
3. Expand Access and data control and click on the API Controls option.
4. Click on the Manage Domain Wide Delegation link.
5. Click on the Add New button.
6. Enter the Client Id from step 14 of the previous section.
7. Specify the following in the OAuth Scopes field in a comma-separated list.

https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly 

8. Click on the Authorize button.

Next Steps

You're ready to create a Directory Integration in Mimecast. See the Administration Console: Configuring Directory Synchronization for Google Workspace page for details.

See Also...

• • • Managing Attributes