This article contains information on configuring Google Workspace for directory synchronization with Mimecast, detailing prerequisites, integration creation, testing, and synchronization checks for users and groups.
Prior to performing the steps below, the Google Admin needs to do the following:
- Configure the Google Administration Console. You'll need a Super Administrator login.
- Enable the Admin SDK. You'll need access to the API Console.
- Create a Service Account.
- Authorize the Service Account's Client ID.
See the Configuring Google Workspace for Directory Synchronization page for full details.
When the above tasks are completed, the following tasks must be performed in the Mimecast Administration Console:
- Create a Directory Integration.
- Test the directory synchronization.
- Check that users and groups are synchronizing.
Once the service is activated, Mimecast and Google will synchronize automatically at 8 a.m., 1 p.m., and 11 p.m. daily (based on the timezone your Mimecast account is hosted in). This removes the administrative overhead of performing these tasks manually.
Only the "Email Address" and "Full Name" attributes are synchronized by default. Other attributes must first be configured in Google Workspace and the Mimecast Administration Console. Once directory synchronization completes successfully, these attributes are displayed in Mimecast. The only attributes we can't support are multi-valued attributes. See the article Configuring Google Workspace for Directory Synchronization for full details.
We recommend configuring an SSO authentication method for your Google Workspace applications. See Google's KB article on how to do this.
Creating a Directory Integration
To create a directory integration, you must have the following pieces of information at hand:
- The email address of the user in the custom admin role. See the "Google Administration Console Configuration" section of the Configuring Google Workspace for Directory Synchronization page for details.
- The service account's private key JSON file. See the "Creating a Service Account" section of the Configuring Google Workspace for Directory Synchronization page for details.
To create a directory integration:
- Log on to the Mimecast Administration Console.
- Navigate to Services | Directory Synchronization.
- Click on the Create New Integration button.
- Complete the Integration Details dialog as follows:
Details
| Field / Option | Description |
|---|---|
| Name | Provide a name to help identify the directory integration. |
| Description | Enter a value to describe this integration (e.g., Google Workspace Directory Synchronization). |
| Type | Select the "Google Directory" value from the drop-down list. |
- Click Next.
Settings
| Field / Option | Description |
|---|---|
| Email Address | Enter the email address of the user created and added to the custom admin role. See the "Google Administration Console Configuration" section above. |
| Service Account JSON File | Enter the content of the service account's private key. See the "Creating a Service Account" section above. |
- Click Next.
Options
| Field / Option | Description |
|---|---|
| Acknowledge Disabled Accounts | If selected, users are disabled in Mimecast if they have a "Suspended" status in Google Workspace. |
| Filter Email Domains | Optionally list the domains the Directory Integration will synchronize with. For example, these can be specified where: Entries must be comma separated. No spaces should be used. |
| Maximum Sync Deletions | The maximum number of accounts that will be updated to "created in transit" when they are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information. |
| Deleted Users | This allows the deletion of accounts that are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information. |
- Click Next.
Summary
| Field / Option | Description |
|---|---|
| Status | Set the status of the Directory Sync integration upon creation. The toggle switch can be left as Enabled, so the integration begins to function immediately, or set to Disabled and left for future activation. (Default Setting: Enabled) |
- Clicking Next will automatically perform a Test on the integration using the details entered. If satisfied with the test results, click Create Integration to complete the process.
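The Service Account JSON File and Filter Email Domains fields above are free text, so a truncated paste or a stray space only surfaces when the console test runs. The following pre-flight check is an added example, not Mimecast or Google code; the function names and the sample key are constructed for illustration, and the required field names are those of a standard Google service account JSON key.

```python
import json
import re

# Fields found in a Google service account JSON key file.
REQUIRED = ("type", "private_key_id", "private_key", "client_email", "client_id")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample: placeholder values only, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "dirsync@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})


def check_service_account_json(text):
    """Return problems found in the content pasted into 'Service Account JSON File'."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "", "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = str(key.get("private_key") or "").strip()
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block (truncated paste?)")
    return problems


def check_domain_filter(value):
    """Validate 'Filter Email Domains': comma separated, no spaces; empty is allowed."""
    if value == "":
        return []
    problems = ["contains whitespace"] if re.search(r"\s", value) else []
    for entry in value.split(","):
        domain = entry.strip()
        if not domain:
            problems.append("empty entry (stray comma)")
        elif not DOMAIN_RE.match(domain):
            problems.append(f"not a domain name: {domain!r}")
    return problems
```

The key file content is a credential: run the check on the workstation that already holds the file rather than pasting the content into a shared tool.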
Testing Your Configuration
To test your settings:
1. Log in to the Mimecast Administration Console.
2. Navigate to Users & Groups | Directory Synchronization.
4. Select the Directory Connection entry you wish to test.
5. On the slide-out panel, select the Test Connection tab. This starts a series of tests, which include:
- Hostname/IP address checks
- Connectivity tests
- Certificate tests
- Authentication tests
- Sample address tests
A tooltip will display additional information, including possible solutions if a test fails.
The test option can be used before your settings have been saved.
After you have saved your changes by clicking Save and Exit, you can click on the Sync All button to start synchronizing.
Checking Users / Groups Synchronization
You can check which users and groups have been synchronized by:
- Downloading the full results file.
- Using the Administration Console.
To check which users have been synchronized via the Administration Console:
- Log on to the Mimecast Administration Console.
- Navigate to Users & Groups | Internal Directories.
- Click on the required Domain.
- Check that all the users are listed.
To check which groups have been synchronized via the Administration Console:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Directory Groups.
- Expand the required node in the navigator.
- Check that all the groups are listed.