Configure Google Workspace for SaaS Security Posture Management

To configure Google Workspace for SaaS Security Posture Management, follow the instructions below.

Prerequisite

Before configuring Google Workspace for SaaS Security Posture Management, review the prerequisites:

  • A Google Workspace with any Business edition license.
  • A Google super admin account for Netskope integration.

Netskope requires the super admin role to fetch the token resources that support OAuth 2.0 token-based use cases, such as rules related to OAuth tokens.

Grant Scopes to the Netskope Service Account

This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Workspace.

  1. Log in to admin.google.com as a super admin. 

  2. Navigate to Security > Access and data control > API controls.

  3. On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.

  4. Click Add new to create a new API Client. A new pop-up window opens.

  5. For Client ID, enter 115103394993879524295.

  6. For OAuth scopes, enter the following scopes:

    | OAuth Scope | Needed for... |
    |---|---|
    | https://www.googleapis.com/auth/admin.directory.user.readonly | List all users in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | List all privileges, role and role assignments. |
    | https://www.googleapis.com/auth/admin.directory.orgunit.readonly | List of all organizational units in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.customer.readonly | Get the customer details in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.user.security | List a set of token metadata issued by the user to 3rd party applications. |
    | https://www.googleapis.com/auth/admin.directory.group.readonly | List all groups in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve changes to various resources in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.device.mobile.readonly | List of all user-owned mobile devices in the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.domain.readonly | Lists domains of the customer. |
    | https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly | List of Chrome OS devices within the Google Workspace account. |
    | https://www.googleapis.com/auth/admin.directory.userschema.readonly | List all schemas for a customer. |
    | https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly | List all calendar resources. |
    | https://www.googleapis.com/auth/apps.groups.settings | List the settings and permissions of all the groups. |

    Copy the following OAuth scope text and paste it directly into the UI:

    https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/apps.groups.settings
  7. Click Authorize.

  8. Verify the steps above by checking if the Netskope for Google app appears in the API clients list.
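A stricter check than step 8, as an added example that is not part of the Netskope documentation: it compares the scope string shown for the delegation entry with the 13 scopes in the table above and reports missing, unexpected, malformed, and not read-only entries. It assumes you copy the scope text from the Admin console by hand; the function names and the sample input are constructed for illustration.

```python
"""Audit a domain-wide delegation entry against the scopes this page lists (added example)."""

PREFIX = "https://www.googleapis.com/auth/"

# Scope suffixes copied from the table on this page.
EXPECTED = {PREFIX + s for s in (
    "admin.directory.user.readonly",
    "admin.directory.rolemanagement.readonly",
    "admin.directory.orgunit.readonly",
    "admin.directory.customer.readonly",
    "admin.directory.user.security",
    "admin.directory.group.readonly",
    "admin.reports.audit.readonly",
    "admin.directory.device.mobile.readonly",
    "admin.directory.domain.readonly",
    "admin.directory.device.chromeos.readonly",
    "admin.directory.userschema.readonly",
    "admin.directory.resource.calendar.readonly",
    "apps.groups.settings",
)}


def parse_scopes(text):
    """Split a pasted scope string on commas/whitespace; return (scopes, malformed)."""
    tokens = [t.strip() for t in text.replace(",", " ").split()]
    scopes = {t for t in tokens if t.startswith(PREFIX) and len(t) > len(PREFIX)}
    malformed = sorted(set(tokens) - scopes)
    return scopes, malformed


def audit_delegation(granted_text):
    """Compare granted scopes with the documented set and report any drift."""
    granted, malformed = parse_scopes(granted_text)
    return {
        "missing": sorted(EXPECTED - granted),      # integration will lack data
        "unexpected": sorted(granted - EXPECTED),   # broader than documented
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
        "malformed": malformed,                     # truncated or mistyped entries
    }


if __name__ == "__main__":
    # Constructed sample: a short grant with one extra scope and one truncated entry.
    sample = (PREFIX + "admin.directory.user.readonly, "
              + PREFIX + "admin.directory.group, "
              + "https://www.googleapis.com/auth")
    for key, values in audit_delegation(sample).items():
        print(key, values)
```

On a correct grant, `not_readonly` still lists the two documented scopes whose names do not end in `.readonly` (`admin.directory.user.security` and `apps.groups.settings`); any other entry there, or anything under `unexpected`, is worth reviewing.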

Configure Google Workspace Instance in Netskope UI 

To authorize Netskope to access your Google Workspace instance, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > Security Posture.
  2. Under Apps, select Google Workspace and click Setup Security Posture Instance. The Setup Instance window opens. 
  3. Under API Admin Email, enter the Google account email of the super admin. 
  4. Under Google Workspace administrator email, enter the email address of the user who will receive the findings related to security posture. This can be added when creating security posture policies. 
  5. From the Security Scan Interval drop-down list, select the required scan interval. This is the interval at which Netskope runs the policy periodically.
  6. Click Grant Access. When prompted, log in as a super admin or as any user belonging to the same Google Workspace domain, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.
