
Secure Google Workspace with Mondoo

Continuously scan Google Workspace for security misconfigurations using a GCP service account with domain-wide delegation.

Mondoo continuously scans your Google Workspace for misconfigurations and security issues across users, applications, and configuration. Deploy the integration once and assessments stay current as new accounts and resources are added.

Prerequisites

Create a Google Cloud service account

These steps create the service account that Mondoo uses to reach the Admin SDK and related Google APIs. The account is created in Google Cloud even if you don't otherwise use GCP; its access to Workspace data comes from domain-wide delegation (configured below), not from GCP IAM roles.

Step A: Create a Google Cloud project

  1. In Google Cloud, sign in as a super administrator. Accept the terms of service if prompted.

  2. From the menu, select IAM & Admin > Manage Resources.

  3. Select Create Project and name it (for example, Mondoo Security Scan).

  4. Select Create.

Step B: Enable required APIs

  1. From the menu, select APIs & Services > Library.

  2. Enable each of these APIs:

    • Admin SDK
    • Google Calendar API
    • Contacts API
    • Gmail API
    • Groups Migration API
    • Cloud Identity API
    • Google Drive API

Step C: Configure the OAuth consent screen

  1. From the menu, select APIs & Services > OAuth consent screen.

  2. For User Type, select Internal and select Create.

  3. Set App name to Mondoo Security Scanner (or your preference).

  4. Under Authorized Domains, select + ADD DOMAIN and add your Google Workspace domain.

  5. Add a User support email and Developer contact information.

  6. Select Save and Continue > Save > Continue > Back to Dashboard.

Step D: Create the service account

  1. From the menu, select APIs & Services > Credentials.

  2. Select Create Credentials > Service account.

  3. Name the account (for example, mondoo-security-scanner) and select Create, then Continue > Done > Save.

  4. Open the Keys tab, then select Add key > Create new key. Choose JSON and select Create. The JSON key file downloads. Store it somewhere access-controlled: it is a long-lived credential that, once delegation is configured, can act as any user in your Workspace within the granted scopes. You upload it to Mondoo later.

  5. Select Close, then record the OAuth 2 Client ID (a long numeric value, also shown as Unique ID on the service account's details page) from the list of service accounts. You need it for the next section.


Configure domain-wide delegation

In the Google Workspace Admin Console, grant the service account the OAuth scopes it needs.

  1. Log into the Google Workspace Admin Console.

  2. In the left navigation, select Security > Access and data control > API controls.

  3. Select Domain-wide Delegation, then Add new.

  4. For Client ID, enter the Client ID you recorded in Step D.

  5. For OAuth Scopes, paste this comma-delimited list:

    https://www.googleapis.com/auth/admin.chrome.printers.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-identity.groups.readonly,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/calendar.events.readonly,https://www.googleapis.com/auth/calendar.settings.readonly

  6. Select Authorize.

Most of these scopes are read-only. Three are not: calendar, calendar.events, and admin.directory.user.security grant write access, so treat the service account key with the same care as an admin credential and confirm the delegation entry contains exactly this list, no more.

Record a super admin email and your customer ID

With domain-wide delegation, the service account authenticates as a Workspace user it impersonates. Mondoo impersonates a super admin so that it can read directory, report, and settings data across the whole domain. You also need the Workspace customer ID.

  1. In the Admin Console, navigate to Account > Admin Roles > Super Admins and record an email address for one of the super admins. To learn more, see Prebuilt administrator roles in the Google Workspace documentation.

  2. Navigate to Account > Account Settings and record the Customer ID.

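Before uploading the key to Mondoo, it is worth checking the pieces you have collected so far. The following Python script is an added example, not part of Mondoo's own tooling: it validates the downloaded JSON key, returns the client ID that must match the Domain-wide Delegation entry, flags which of the required scopes are not read-only, and (optionally, with the google-auth and google-api-python-client packages installed) impersonates the super admin and makes one Directory API call to confirm delegation works. The sample key embedded in it is constructed, with a placeholder private key; function names such as live_check and diagnose are this example's own, and the error-string mapping in diagnose reflects the token-endpoint responses commonly seen at this step.

```python
"""Pre-flight check for the Google Workspace delegation set up on this page.

Added example (not Mondoo code). The offline checks use only the standard
library; live_check assumes google-auth and google-api-python-client are
installed. Function names are this example's own.
"""
import json

# The scope list from the Domain-wide Delegation step, one scope per entry.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.chrome.printers.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.userschema.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/cloud-identity.groups.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.events",
    "https://www.googleapis.com/auth/calendar.events.readonly",
    "https://www.googleapis.com/auth/calendar.settings.readonly",
]

# Fields a usable service-account key file must carry.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email",
                       "client_id", "token_uri")


def parse_service_account_key(text: str) -> dict:
    """Parse the downloaded JSON key and confirm it is a service-account key."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a service-account key (missing fields: {missing})")
    return key


def delegation_client_id(key: dict) -> str:
    """The numeric client ID that must be registered under Domain-wide Delegation."""
    return key["client_id"]


def non_readonly_scopes(scopes) -> list:
    """Scopes that grant write access; they widen the blast radius if the key leaks."""
    return [s for s in scopes if not s.endswith(".readonly")]


def diagnose(error_text: str) -> str:
    """Map the token-endpoint error strings commonly seen at this step to a likely cause."""
    if "unauthorized_client" in error_text:
        return ("client ID not authorized for these scopes: re-check the "
                "Domain-wide Delegation entry and the scope list")
    if "invalid_grant" in error_text:
        return "impersonated user rejected: confirm the super admin email exists in this Workspace"
    return "unexpected error: " + error_text


def live_check(key: dict, subject: str, customer_id: str) -> dict:
    """Impersonate `subject` and list one user via the Directory API.

    Returns {'ok': True} on success, or {'ok': False, 'cause': ...} when the
    token request is refused (the usual failure when delegation is misconfigured).
    """
    from google.auth.exceptions import RefreshError
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_info(
        key, scopes=REQUIRED_SCOPES, subject=subject)
    try:
        directory = build("admin", "directory_v1", credentials=creds)
        directory.users().list(customer=customer_id, maxResults=1).execute()
    except RefreshError as err:
        return {"ok": False, "cause": diagnose(str(err))}
    return {"ok": True}


# Constructed sample key for the offline checks; the private key is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "mondoo-security-scan",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "mondoo-security-scanner@mondoo-security-scan.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    key = parse_service_account_key(SAMPLE_KEY_JSON)
    print("register this client ID:", delegation_client_id(key))
    print("write scopes in the list:", non_readonly_scopes(REQUIRED_SCOPES))
    # With a real key, super admin email and customer ID, run the live check:
    # print(live_check(key, "admin@example.com", "C01234567"))
```

Run the offline part against your real key file by replacing SAMPLE_KEY_JSON with the file contents; if the printed client ID differs from what you entered under Domain-wide Delegation, the live check will fail with unauthorized_client until the entry is corrected.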

Add a Google Workspace integration

Only team members with Editor or Owner access can perform this task.

In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find the integration you want by browsing or searching by name:

  1. Under SaaS, select Google Workspace.


  2. In Choose an integration name, enter a name that identifies the Workspace account.

  3. In Mandated user's email, enter the super admin email you recorded above.

  4. Under Provide your Google service account config, drag and drop the JSON key file you downloaded earlier, or select the cloud icon to browse for it.


  5. Select START SCANNING.

On the Recommended Policies page, enable the policies you want Mondoo to score this integration against. To learn how policies work, read Manage Policies.
