Google Workspace
Connect Google Workspace to sync your organization's directory into ConcertoGRC. The integration uses domain-wide delegation to read users and groups, detect MFA status, and generate compliance evidence reports.
What You Get
Personnel Directory
- User sync -- All Google Workspace users synced to AccessPersonnel with name, email, department, title, and org unit
- Group sync -- Google Groups imported into AccessGroup with membership
- MFA detection -- Per-user MFA enrollment status (enrolled vs. not enrolled)
- Admin user identification -- Users with super admin or delegated admin roles are flagged
- Auto-escalation -- Suspended users are automatically escalated to TERMINATED after a configurable number of days
Evidence Reports (Auto-Generated)
The same five compliance reports generated by the Microsoft 365 integration:
| Report | Description |
|---|---|
| User Roster | Complete directory listing with org unit, title, and status |
| MFA Status | Per-user 2-Step Verification enrollment |
| Admin Users | Users with admin role assignments |
| Group Membership | Group roster with member counts |
| Inactive Users | Users with no recent login activity |
Setup
Domain-Wide Delegation
Google Workspace integration uses a service account with domain-wide delegation. This requires Super Admin access to your Google Workspace admin console.
- Navigate to Integrations in ConcertoGRC
- Find the Google Workspace card and click Connect
- ConcertoGRC provides a Service Account Email and OAuth Scopes to authorize
- In your Google Admin Console:
  - Go to Security → API Controls → Domain-wide Delegation
  - Click Add new and enter the provided Service Account Client ID
  - Paste the required OAuth scopes
  - Click Authorize
- Back in ConcertoGRC, enter your Google Workspace domain (e.g., yourcompany.com)
- Click Test Connection to verify delegation is working
Required Scopes
| Scope | Purpose |
|---|---|
| admin.directory.user.readonly | Read user profiles, status, org unit |
| admin.directory.group.readonly | Read groups and membership |
| admin.directory.rolemanagement.readonly | Read admin role assignments |
All scopes are read-only. ConcertoGRC does not modify your Google Workspace directory.
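A check an administrator can run on the scopes field of the delegation entry before clicking Authorize, or during a later access review. This is an added example, not ConcertoGRC code: it compares the pasted scopes against the three in the table above and flags anything missing, extra, or not read-only. The function names and the sample entry are assumptions of this example; scopes are accepted either as the short names shown in the table or in Google's full `https://www.googleapis.com/auth/...` form.

```python
"""Audit a domain-wide delegation entry against the three documented scopes."""

SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Short names taken from the Required Scopes table on this page.
REQUIRED = {
    "admin.directory.user.readonly",
    "admin.directory.group.readonly",
    "admin.directory.rolemanagement.readonly",
}


def normalize(scope: str) -> str:
    """Reduce a scope to its short name; accepts full-URL or short form."""
    s = scope.strip().rstrip("/")
    if s.lower().startswith(SCOPE_PREFIX):
        s = s[len(SCOPE_PREFIX):]
    return s.lower()


def audit_delegation(scopes_field: str) -> dict:
    """Compare a comma- or newline-separated scopes field with the documented set."""
    parts = scopes_field.replace("\n", ",").split(",")
    granted = {normalize(p) for p in parts if p.strip()}
    extra = granted - REQUIRED
    return {
        "missing": sorted(REQUIRED - granted),  # documented scope not granted
        "extra": sorted(extra),                 # granted beyond the documented set
        "writable": sorted(s for s in extra if not s.endswith(".readonly")),
        "ok": granted == REQUIRED,
    }


# Constructed sample: the write-capable user scope pasted instead of the
# read-only one. Not taken from any real tenant.
SAMPLE = (
    "https://www.googleapis.com/auth/admin.directory.user,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly"
)

if __name__ == "__main__":
    for key, value in audit_delegation(SAMPLE).items():
        print(f"{key}: {value}")
```

Any entry in `writable` means the delegation grants more than the read-only access this page describes and should be corrected in the Admin Console.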
Sync Behavior
- Frequency: Every 24 hours
- User matching: On initial sync, existing AccessPersonnel records are matched by email address
- Field sync policy: Configurable per field -- IdP-managed fields are overwritten on sync, local fields are preserved
- Status mapping: Google account status maps to platform status (Active → ACTIVE, Suspended → SUSPENDED, Archived → TERMINATED)
- Pagination: Large directories are fetched in pages; sync completes even for directories with thousands of users
Disconnecting
Removing the integration from ConcertoGRC deletes the stored connection credentials. To fully revoke access, also remove the domain-wide delegation entry from your Google Admin Console (Security → API Controls → Domain-wide Delegation).
Previously synced personnel records remain in ConcertoGRC but are no longer updated.