General Setup

You will need to provide the following to Moveworks.

• A Service Account JSON file associated with a Google Cloud Platform Project that has been assigned the group admin role and has access to your tenant
• Customer ID from your Google Admin Console

Please provide the Service Account JSON file to your Moveworks Customer Success team via encrypted email.

Create GCP Project & Assign APIs

Before you begin the configuration, please ensure you have the administrative privileges for the Google Cloud Platform in your organization.

1. Create a GCP Project
   1. Start by navigating to https://console.developers.google.com/apis/dashboard in your browser.
      
      
   2. Under your organization space, create a new project and name it “Moveworks”.
      
2. Identify the APIs you need to enable
   • Admin SDK API
   • Groups Settings API
   • Admin SDK Reports API
3. Enable APIS for your GCP Project
   1. Navigate to the API Library & Enter the name of the APIs you want to activate
      
   2. Click Enable
      
4. Create a Service Account
   1. Navigate to APIs & Services > Credentials
      
   2. Select Create Credentials > Service Account
      
   3. Create the Service account by adding the name, ID and description and select Create and Continue - Note: Granting access to a project or Granting users access to this service account is optional
      
   4. Click on Actions > Manage keys
      
   5. Select Add Key > Create new key
      
   6. Select JSON as the Key type and click Create. You should see a notification that the service account JSON file has been downloaded and saved to your computer.
      
      
   7. Share this JSON file via secure encrypted email with your Customer Success Team

Fetching Customer ID:

1. Sign into your Google Admin console
2. In your admin console, go to Menu > Account > Account Settings > Profile
3. Share the Customer ID with your Customer Success Team

Grant OAuth Scopes

This step grants the Service Account explicit permission (OAuth Scopes) to access and manage data across your domain using the enabled APIs.

Get Client ID:

1. Navigate back to the Service Account details in the GCP Console (APIs & Services > Credentials).
2. Find and copy the Unique ID of the Service Account (often labeled as "Client ID" in DWD steps).
3. Navigate to DWD Settings:
4. Sign into your Google Admin console using a Super Admin account.
5. Go to Menu > Security > Access and data control > API controls.
6. Under the Domain-wide Delegation pane, click Manage Domain Wide Delegation.
7. Add/Edit Client Access:
8. Click Add new.
9. In the Client ID field, paste the Unique ID you copied from the Service Account.
10. In the OAuth scopes (comma-delimited) field, enter the full, comma-separated list of required scopes enumerated in detail below.

Required Google Workspace API Scopes for Group and User Management

The following OAuth 2.0 scopes must be authorized via Domain-Wide Delegation (DWD) to ensure your Service Account can perform group creation, modification, membership changes, and read necessary directory and audit data. These scopes are mandatory for administrative actions.

(https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.reports.audit.readonly)

Scope List Summary (Reference)

11. Click Authorize.

Assigning Google Admin role to the service account:

1. Sign into your Google Admin console
2. In your admin console, go to Menu > Account > Admin roles
3. Find the Group Admin role, select the role and click Assign admin
4. Select Assign service accounts
5. Enter the email address of the service account
6. Click Add > Assign role
7. Once complete, app should be visible in app list

   📘

   You will see the Group admin role applied to the service account in your Admin audit log. Additionally, all actions taken by the Service Account will be shown in your Admin audit log.