Skip to main content
Status: Active — fully supported
Auth: OAuth 2.0 (refresh token via admin consent)
Syncs: Users, Groups, MFA status, Admin accounts, 2SV enforcement

What You’ll Need

  • Google Workspace Super Admin account
  • Google Cloud Console access
  • 20 minutes

Step 1 — Create a Google Cloud Project

  1. Go to console.cloud.google.com
  2. Click the project dropdown (top left) → New Project
  3. Name: SecurAtlas Integration
  4. Click Create

Step 2 — Enable Required APIs

  1. In your project → APIs & ServicesLibrary
  2. Search and enable each of these:
    • Admin SDK API
    • Google Workspace Alert Center API
    • Gmail API (for audit logs)
  1. APIs & ServicesOAuth consent screen
  2. User type: Internal (important — restricts to your org only)
  3. App name: SecurAtlas
  4. User support email: your admin email
  5. Developer contact: your admin email
  6. Click Save and Continue through all steps

Step 4 — Create OAuth Credentials

  1. APIs & ServicesCredentialsCreate CredentialsOAuth client ID
  2. Application type: Web application
  3. Name: SecurAtlas
  4. Authorized redirect URIs → Add: 
    https://www.securatlas.com/api/integrations/callback
  5. Click Create
  6. Copy the Client ID and Client Secret

Step 5 — Configure Admin SDK Scopes

  1. Go to admin.google.com
  2. SecurityAccess and data controlAPI controls
  3. Click Manage Domain Wide Delegation
  4. Click Add new and enter:
    • Client ID: (your OAuth Client ID from Step 4)
    • OAuth Scopes (paste all at once, comma-separated):
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts
  1. Click Authorize

Step 6 — Connect in SecurAtlas

  1. Go to your tenant → Integrations tab
  2. Click Connect on Google Workspace
  3. You’ll be redirected to Google’s OAuth consent screen
  4. Sign in with your Super Admin account
  5. Click Allow on the permissions screen
  6. You’re redirected back to SecurAtlas — sync starts immediately
Must connect with a Super Admin account. A regular admin account won’t have access to the Admin SDK Directory API and the sync will fail.

What Gets Synced

EntityData
UsersName, primary email, suspended status, org unit
MFA (2SV)Per-user 2-Step Verification enrollment and enforcement
Admin AccountsWhich users have admin or delegated admin roles
GroupsAll groups and their email addresses

Findings Generated

FindingTrigger
mfa_not_registeredUsers without 2SV enrolled
gws_admin_no_2svAdmin accounts without 2SV
gws_no_2sv_enforcedNo org-wide 2SV enforcement policy

Troubleshooting

Make sure you’re signing in with a Super Admin account, not a regular admin. Only Super Admins have access to the Admin SDK Directory API.
Check that Domain Wide Delegation was configured correctly in Step 5. The Client ID must match exactly and all scopes must be on one line comma-separated with no spaces.
Google Workspace reports 2SV enforcement per user, not per org. SecurAtlas checks if any user has isEnforcedIn2Sv = true. If enforcement is set at the org level but users haven’t been forced yet, it may show as not enforced until the policy propagates.