Experience Center
Integrating with Google Workspace
You can connect your Google Workspace organization to Zscaler 3rd-Party App Governance to gain continuous visibility and governance for third-party apps installed in the Google Workspace environment, including automation of your vetting and governance processes.
Prerequisite
A user with Google Admin privileges is required to connect 3rd-Party App Governance to Google Workspace.
Some organizations prefer to use a dedicated service account for new service integrations. We recommend following your standard practice when connecting new services to your business applications.
Connecting Google Workspace to 3rd-Party App Governance
To connect Google Workspace to 3rd-Party App Governance:
- Click the Connect icon in the left-side navigation.
The Integrations window appears.
- In the Integrations window, click Add next to Google Workspace. You are prompted to sign in if you haven't already done so.
A consent window appears (all privileges are read-only), and you can see a detailed list of permissions and data here.
This consent step only allows reading of the apps in your workspace. Additional consent steps are required for the revocation and banning of apps. By default, 3rd-Party App Governance users who are not explicitly granted revocation rights are unable to perform revoke operations.
After connection is achieved, it might take a while to pull and ingest all relevant application data depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. After integration is completed, a success message appears, and the number of domains is updated. You then receive an email from Zscaler when the domain is ready for further review. To learn more about the integration statuses of a domain, see Status.
Viewing and Managing Google Workspace Integration
You can click Google Workspace in the Integrations window to expand and view the list of added domains along with information such as First connected, Last Synced, and Status.
- Domain: The name of the domain integrated with 3rd-Party App Governance.
- First connected: The date and time the domain was added, and the person who added the domain.
- Last Synced: The date and time the domain was last synced. If the domain has yet to sync, N/A is displayed. If the duration of the sync is excessive, the last sync time is highlighted in red.
When there are multiple domains, 3rd-Party App Governance displays the last sync with the most excessive time duration to indicate an issue so you can expand, view the domain, and take the relevant actions.
- Status: The integration status of the domain. One of the following statuses is displayed:
- Error: Failure to achieve a connection. The error message displays the reason for the failure. Contact Zscaler Support if you require further assistance.
- In progress: Connection is achieved and 3rd-Party App Governance is ingesting the relevant data. It might take a while to pull and ingest all relevant application data depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. You then receive an email from Zscaler when the domain is ready for further review.
- Success: The integration is completed successfully and the last sync time is updated.
Reconnecting Google Workspace to 3rd-Party App Governance
You might need to reconnect Google Workspace to 3rd-Party App Governance if an error is displayed (e.g., Grant Expired). To reconnect Google Workspace to 3rd-Party App Governance:
- Click Google Workspace in the Integrations window to expand and view the list of added domains.
- Click the Reconnect icon next to the relevant domain.
A confirmation window appears.
- Click Confirm to continue.
A consent window appears. After consent is granted, the connection is updated.
Deleting a Google Workspace Connection
You can delete a Google Workspace connection to 3rd-Party App Governance. To delete a Google Workspace connection:
- Click Google Workspace in the Integrations window to expand and view the list of added domains.
- Click the Delete icon next to the relevant domain.
A confirmation window appears.
- Click Confirm to continue.
The connection is successfully deleted.
Permissions and Data Collected
The following table lists the permissions and data collected after integration.
Which permissions do we use? | What data do we get? |
View audit reports for your G Suite domain
| Admin, Token, and Login activity audit reports |
View usage reports for your G Suite domain
| Login activity reports |
View groups in your domain
| A list of groups in your Google domain |
See info about users in your domain
| A list of users in your Google domain |
View data access permissions for users in your domain
| OAuth grants your users issued to 3rd-party applications |
Troubleshooting
The error message This app is blocked appears when connecting 3rd-Party App Governance to your Google Workspace.
- In the Google Admin Console, go to Security > API Controls.
Google Administrative privileges are required for accessing the Google Admin Console.
- Under App Access Control, select Manage Third-Party App Access.
- Click Configure a new app.
- Enter the following client ID:
1017448667100-p63ee1484o66sdnfreusoafl8hp9oci5.apps.googleusercontent.com - Make sure Trusted: can access all Google services is selected, and then click Configure.
- Go back to the 3rd-Party App Governance Connect page and connect to Google Workspace again.