>
    Strata Copilot
    Onboard a Google Workspace App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Google Workspace App to SSPM
    Download PDF
    SaaS Security

    Onboard a Google Workspace App to SSPM

    Table of Contents

    Onboard a Google Workspace App to SSPM

    Connect a Google Workspace instance to SSPM to detect posture risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    Palo Alto Networks use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. For more information on how information may be captured, processed, and stored by and within the service, refer to the SaaS Security Privacy document. SSPM does not share your data with third-party tools, such as AI applications.
    For SSPM to detect posture risks in a Google Workspace organizational unit, you must onboard your Google Workspace instance to SSPM. SSPM gets access to your Google Workspace instance through OAuth 2.0 authorization. During the onboarding process, you're prompted to log in to Google Workspace and to grant SSPM the access it requires. After connecting to the Google Workspace API, SSPM scans your Google Workspace organizational unit for misconfigured settings and account risks. If users have extended Google Workspace by installing third-party apps, SSPM can also detect the third-party apps and the scopes that they can access. This information helps you determine the risks posed by third-party apps so you can take action as needed.
    To onboard your Google Workspace instance, you complete the following actions:
    1. Identify the account that SSPM will use to access your Google Workspace instance.
      When you're onboarding Google Workspace, SSPM gives you an option to connect with read-only permissions or with read and write permissions. The onboarding screen lists the API scopes that SSPM requires for each type of scan that it can run. The onboarding screen also lists the API scopes that SSPM requires to perform certain actions on your behalf. After establishing a connection, SSPM will notify you if it's unable to run certain scans, or complete certain actions, because the account did not have the permissions to grant access to certain scopes.
      Onboarding Google Workspace with read-only permissions will enable SSPM to perform configuration and identity scans. Connecting with read and write permissions enables additional SSPM features, including third-part application scans and the ability to revoke a user's access to a third-party plugin.
      Permissions for Read Access: To grant SSPM reduced permissions to perform scans only, the account must be assigned to an admin role that has certain privileges to the Admin console. To log in with a user account that has only the minimum privileges required, create a custom role that has access to only the required privileges, and assign that custom role to the user account.
      After you have assigned the custom role to the user account in the Google Workspace Admin Console, you must also assign identity and access management (IAM) roles to the user account in the Google Cloud Console.
      1. Use the Google Workspace Admin Console to create the custom role.
        1. From the Google Workspace Admin Console menu, select AccountAdmin roles.
        2. Create new role.
        3. Enter a name for the role and CONTINUE.
        4. Under the list of Admin Console Privileges, select the following privileges and CONTINUE.
          • Users: Read
          • Organization Units: Read
          • Reports
        5. Create Role.
      2. Use the Google Workspace Admin Console to assign the custom role to the user account.
        1. From the Admin roles page (AccountAdmin roles), open the custom role.
        2. Click Assign users.
        3. Use the search field to find and select the user account.
        4. Click Assign Role.
      3. Use the Google Cloud Console to assign the following predefined IAM roles to the user account.
        These IAM roles will give the user account read-only access to your organization's cloud assets and log files. You can add these IAM roles at the organization level, or limit the account's access to individual folders or projects.
        • Cloud Asset Viewer
        • Logs Viewer
      Permissions for Read and Write Access: To grant SSPM full read and write access to perform all of its scans and actions, the account must be assigned to the Super Admin role.
    2. Identify the Google Workspace organizational unit to scan.
      An organizational unit is a grouping of users with common settings. During onboarding, you're prompted for the name of the organizational unit for SSPM to scan. If you want to scan multiple organizational units, you can onboard each one separately. To view the organizational units in your Google Workspace instance, from the Google Admin console, select DirectoryOrganizational Units.
    3. Sign out of all Google Workspace accounts.
      Signing out of all Google Workspace accounts helps ensure that you sign in under the correct account during the onboarding process. Some browsers can automatically sign you in by using saved credentials. To ensure that the browser does not automatically sign you in to the wrong account, you can turn off any automatic sign-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
    4. Connect SSPM to your Google Workspace instance.
      In SSPM, complete the following steps to enable SSPM to connect to your Google Workspace instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Google Workspace tile.
      3. On the Posture Security tab, Add New instance.
      4. OAuth 2.0.
      5. Specify your Organization Unit Name in the field provided.
      6. Specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions.
        The onboarding page lists the API scopes that SSPM will access to complete its various scans and to perform remediation.
      7. Connect with Google Workspace.
        SSPM redirects you to the Google Workspace login page.
      8. Log in to the Google Workspace account.
        Google Workspace displays a consent form that details the access permissions that SSPM requires.
      9. Review the consent form and allow the requested permissions.
        SSPM connects to your Google Workspace instance, and displays whether it was able to access the API scopes that it requires for its scans. If SSPM is unable to access the necessary scopes, it indicates which scan types or actions it will not be able to perform.

    © 2026 Palo Alto Networks, Inc. All rights reserved.