Google Workspace (G Suite) Integration

Noga Tubi

Set up Google Workspace integration and get all the insights in Torii's dashboard

Overview

Torii integrates with Google Workspace (G Suite) and syncs:

  • User list
  • Licenses
  • 3rd party application list
  • 3rd party permissions
  • Usage data

Connecting the integration consists of the following.

Prerequisites

Connect Google Workspace integration.

  1. From the Torii Integrations page, click on the Google Workspace tile
  2. Click Connect
  3. Your Google Workspace account can be integrated as:

      • "Read-Only" to see your Google Workspace data within Torii
      • "Read/Take Action" to create workflows and take action directly through Torii.
  4. Step 4, which includes the "Service Account Email Address" and "Service Account Private Key" fields, is optional, but you will have to populate them if you want to use the actions below.
    Click here to see the "how-to instructions".

    • Set Vacation Responder
    • Enable Auto Forwarding
    • Update Gmail Signature
    • Company-owned devices actions
        • Block company-owned mobile devices
        • Wipe Google account from company-owned mobile devices
        • Delete company-owned mobile devices from Google workspace
  5. Click Connect
  6. Once the integration is connected and synced, a green checkbox is displayed.

Google settings required for actions:

To enable the Google Integration for Advanced Actions such as Google Signature, you will need to enable API Access from Google into Torii.

  1. Go to your Google Cloud Console: https://console.cloud.google.com/apis/api/gmail.googleapis.com/overview
  2. If you don’t have a project, click “Select a project” >> NEW PROJECT.
  3. Enter a Project Name, e.g. “Torii Project”
  4. Select your Organization and click CREATE
  5. Click on “ENABLE APIS AND SERVICES”
  6. Search for “gmail” and select "Gmail API."
  7. Click on ENABLE
  8. You should now see the status as Enabled. https://console.cloud.google.com/apis/api/gmail.googleapis.com/overview
  9. Click on Credentials
  10. Go to + CREATE CREDENTIALS and select Service account. 
  11. Provide the Service Account details and click Done.
  12. After editing the Service Account details, click the “Keys” tab
  13. Click Add Key >> Create New Key >> Create
  14. In the "Create private key" window, leave the default JSON and click CREATE
  15. The JSON will be downloaded automatically to your computer:
  16. In the Google Admin Console, go to Security >> Access and Data Control >> API Controls >> Manage Domain Wide Delegation (scroll down)
  17. Click Add New
  18. Add your Client ID (from your JSON), add the required scopes, and click Authorize.
  19. Enter the Service Account Email Address
  20. Add the Service Account Private Key; make sure to copy the entire key.
  21. Enter the Service Account Email Address and Service Account Private Key in the "Connect Google Workspace" window, and click Connect.
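
The checks below are an added example, not part of Torii's documentation or code: they read a downloaded service account JSON key, pull out the values steps 18 to 21 ask for, and flag a private key that was copied incompletely. The function names and the sample key (dummy bytes in PEM framing, a made-up client ID and email) are constructed for illustration.

```python
import base64
import json
import re

PEM_RE = re.compile(r"\A-----BEGIN PRIVATE KEY-----\n(?P<body>[A-Za-z0-9+/=\n]+)"
                    r"-----END PRIVATE KEY-----\n\Z")

def check_private_key(pem):
    """Return problems found in a pasted key; an empty list means it looks complete."""
    problems = []
    if "\\n" in pem:  # two characters, backslash + n: copied from the raw JSON text
        problems.append("literal \\n escapes: paste the decoded key, not the raw JSON string")
        pem = pem.replace("\\n", "\n")
    match = PEM_RE.match(pem.strip() + "\n")
    if not match:
        return problems + ["BEGIN/END PRIVATE KEY marker missing: key is truncated"]
    try:
        base64.b64decode(match.group("body").replace("\n", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64: characters were lost in copying")
    return problems

def connection_fields(key_json):
    """Extract the values steps 18-21 ask for from the downloaded JSON key."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in ("client_id", "client_email", "private_key") if not key.get(f)]
    problems = missing or check_private_key(key["private_key"])
    if problems:
        raise ValueError("unusable key file: " + "; ".join(problems))
    return {"client_id": key["client_id"],                      # step 18
            "service_account_email": key["client_email"],       # steps 19 and 21
            "service_account_private_key": key["private_key"]}  # steps 20 and 21

def constructed_pem():
    """Constructed placeholder: PEM framing around dummy bytes, not a real key."""
    body = base64.encodebytes(bytes(range(96))).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + body + "-----END PRIVATE KEY-----\n"

def constructed_key_json():
    """Constructed sample in the layout of a downloaded service account JSON key."""
    return json.dumps({"type": "service_account",
                       "client_id": "100000000000000000000",
                       "client_email": "torii-sync@example-project.iam.gserviceaccount.com",
                       "private_key": constructed_pem()})

if __name__ == "__main__":
    fields = connection_fields(constructed_key_json())
    print(fields["client_id"], fields["service_account_email"])
    print(check_private_key(constructed_pem()[:100]))  # cut-off paste
```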

Mobile device actions

Company-owned devices actions

These actions require special permissions, as mentioned above; they are executed on all the company-owned devices assigned to the selected user.

  • Block company-owned mobile devices - Blocks access to the organization’s Google account from the devices.
  • Wipe Google account from company-owned mobile devices - Deletes all of your organization’s data from the devices.
  • Delete company-owned mobile devices from Google workspace - Removes the devices from the Google Workspace list.

User-owned devices actions:

These actions do not require any special permissions (except for "Read and take action"). The actions are executed on all the user-owned devices assigned to the selected user.

  • Block user-owned mobile devices - Blocks access to the organization’s Google account from the devices.
  • Wipe Google account from user-owned mobile devices - Deletes all of your organization’s data from the devices.
  • Delete user-owned mobile devices from Google workspace - Removes the devices from the Google Workspace list.

Read-only

In case you choose to connect to Google Workspace for "Read-only", Torii will require the following permissions:

NOTE: Google documents that a Google Super Administrator user is required to read licenses data in Google's access control policy:
"License Management — This privilege works only in the Admin console and authorizes only super admins to use the License Manager API."

However, we found that a dedicated admin role that is not a Super Administrator can also read license management data.
If you have created a dedicated Super Admin user for the integration, make sure you log in with that user and accept any Google Terms of Service.
Without accepting the Terms of Service, Torii's access will be limited.

Read and take action

In case you choose to connect Google Workspace for Read and take actions, you will grant Torii the following permissions:

Integration Capabilities and Actions 

You can stay updated about application information and actions from our Integrations Page >> Integration Capabilities button (1) >> Integration Capabilities table.

Usage

Torii pulls 2 types of usage events and calculates Google Workspace usage based on them:

  • SAML Audit activity events - Usage for apps connected to G-Suite SSO

  • Login Audit Activity Events - General usage for Google Workspace, for example, 2-step verification enrollment change, Account password change, etc.

On the first usage sync, Torii will pull activity events from the last 30 days.

Troubleshooting

Authorization Error

You might encounter the following Authorization Error

Resolution

  1. From the Google Admin page, go to Security
  2. API controls
  3. MANAGE THIRD-PARTY APP ACCESS
  4. Click on Add app
  5. Select the OAuth App Name OR Client ID option
  6. Search for Torii
  7. Click Select
  8. Check all Client ID boxes
  9. Select the Trusted option
  10. Click Configure
