Begin Scanning Third-Party Apps on the G Suite Marketplace

Enable Prisma SaaS to discover third-party apps that your users attempt to install from G Suite Marketplace.
Prisma SaaS can discover third-party apps that your users attempt to install from G Suite Marketplace. To protect your application ecosystem from unsanctioned third-party apps, enable Prisma SaaS to scan for them by adding the G Suite Marketplace app. Afterward, you can remediate the risks.
To connect the G Suite Marketplace app to Prisma SaaS and begin scanning assets, you need to:
  • Create a service account from Google Cloud Console.
  • Enable Administrator and client API access from Google Admin Console.
For information on automated remediation capabilities with G Suite Marketplace, refer to Remediate Third-Party Apps.

Add G Suite Marketplace App

As you prepare the G Suite account, take note of the following values, as they are required to complete the setup of the G Suite Marketplace app on Prisma SaaS:
  • New Private Key: A P12 format private key certificate issued from your Google service account. This required certificate is uploaded to Prisma SaaS when you add the G Suite Marketplace app.
  • Private Key Password: The default password issued with the new private key.
  • Client ID: The client ID of the service account client. It is entered when enabling G Suite domain-wide delegation, and on Prisma SaaS when adding the G Suite Marketplace app.
  • Google Administrator account: The email entered to create a service account in G Suite Marketplace, and on Prisma SaaS when adding the G Suite Marketplace app. This administrator account must have Super Admin role permissions.
  1. Create a service account from GCP.
    1. Log in to Google Cloud Console as a G Suite administrator with Super Admin role permissions.
      If you have not used the Google Cloud Console before, Agree to the Google Cloud Platform Terms of Service.
    2. Create a new project from GCP.
      1. At the top of the screen, open your project list, then Select a project > NEW PROJECT.
      2. Name your project (for example, Prisma SaaS G Suite), select your organization (domain), then Create the project.
    3. Authorize OAuth Consent for the new project.
      1. Select APIs & Services > OAuth consent screen.
      2. Specify Internal as the user type/application type.
      3. Specify an Application name (for example, Prisma SaaS) and Support email.
        This is the name that displays on the Third-Party Apps page in Prisma SaaS.
      4. Specify Authorized domain, then Save to authorize.
    4. Create the Service Account Key for the new project.
      1. Select APIs & Services > Credentials > Service Account Key > Create credentials.
      2. Specify a Service account name (for example, Prisma SaaS).
      3. Select P12 as the Key Type, then Create > Create Without Role.
        After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
      4. Store the default password and key in a secure location, as the key cannot be recovered if lost.
      Prisma SaaS requires this key when you add the G Suite Marketplace app in Step 4.
    5. Enable Domain-wide Delegation for the new service account.
      GCP creates a service account client when domain-wide delegation is enabled on a service account.
      1. Select APIs & Services > Credentials > Manage service accounts.
      2. Locate the service account, then Actions > Edit.
      3. Select Enable G Suite Domain-wide Delegation, then Save your changes.
    6. Retrieve and save the Client ID for the new service account client.
      1. Select APIs & Services > Credentials > Manage service accounts.
      2. In OAuth 2.0 client IDs, copy and save the Client ID.
  2. Enable API Access in G Suite Marketplace from the new service account.
    1. Select APIs & Services > Dashboard > ENABLE APIS AND SERVICES.
    2. Search for and Enable three APIs:
      • Google Drive API
      • Admin SDK
      • Audit API
  3. Enable API Client access to G Suite Marketplace.
    1. Log in to the Google Admin Console as the G Suite administrator with Super Admin role permissions.
    2. Select Security > Advanced settings > Manage API client access.
    3. Specify the Client ID and required scopes.
      • In Client Name, enter the Client ID that you saved in Step 1.f.
      • In One or More API Scopes, copy and paste the following scopes exactly as written (comma-separated), then Authorize access to data in Google services.
        https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/drive.apps.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
  4. Add the G Suite Marketplace app.
    1. On the Prisma SaaS Dashboard, Add a Cloud App.
    2. Select G Suite Marketplace, then Connect to Account.
    3. Enter the Google Administrator Email (with Super Admin role permissions) and the Client ID that you saved in Step 1.f.
    4. Upload the P12 Certificate that GCP issued in Step 1.d.iv.
    5. Click OK to add the app.
    After authentication, Prisma SaaS adds the new G Suite Marketplace app to the Cloud Apps list as G Suite Marketplace n, where n is the number of G Suite Marketplace app instances that you have connected to Prisma SaaS. For example, if you added one G Suite Marketplace app, the name displays as G Suite Marketplace 1. You’ll specify a descriptive name soon.
    If you receive the operation error Unable to perform this operation, fix the issue as described in Fix G Suite Marketplace Issues.
    From this point forward, keep this project exclusively for Prisma SaaS. Do not revoke or disable authorization, or change the project in any way. If you do, Prisma SaaS stops scanning.
  5. (Optional) Give a descriptive name to this app instance.
    1. Select the G Suite Marketplace n link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of G Suite Marketplace from other instances.
    3. Click Done to save your changes.
  6. Start Scanning to begin discovery.
  7. During the discovery phase, Prisma SaaS scans for third-party apps and the users that are using them. Even in the unusual case that none of your end users have installed a third-party app, Prisma SaaS still displays:
    • G Suite Administrator as a Top User.
    • G Suite as one of the Unclassified third-party apps. You can Approve it, but you cannot Block it.
    View the results of third-party app discovery, then:

Fix G Suite Marketplace Issues

The most common or most important issues related to adding a G Suite Marketplace app are as follows:

Symptom: When you add the G Suite Marketplace app in Prisma SaaS, you receive an operation error: Unable to perform this operation.
Explanation: Prisma SaaS requires that the combination of client ID, email, and key be accurate. If any one of those requirements is incorrect, Prisma SaaS cannot authenticate and displays the same error. When Prisma SaaS returns the error, the UI displays the email and clears the sensitive fields (client ID and P12 Certificate).
Solution: Verify that all three requirements are accurate. The Google Admin account must have Super Admin role permissions. Also, make sure you’re uploading the correct key. Lastly, verify that all three APIs are enabled as outlined in Step 2.

Symptom: Your onboarding and initial discovery went smoothly, but there appears to be a delay in subsequent discovery.
Explanation: Google's APIs allow a set number of event updates (API calls) in a specific period. This throttling ensures maximum uptime of SaaS apps. Prisma SaaS promptly requests event updates from Google, but this limit (quota) results in latency in event delivery, depending on the amount of data being requested. This latency is most noticeable when updates occur immediately after onboarding.
Solution: Wait 24 hours after onboarding before you remediate in bulk or, alternatively, configure automatic remediation. Waiting enables you to see all your data in context before you make strategic policy decisions. Timestamps for all events remain accurate, as of the actual event.

Symptom: Your onboarding and initial discovery went smoothly, but Prisma SaaS is no longer discovering third-party apps that you know were installed. Prisma SaaS does not display an error, and the Cloud Apps list indicates Monitoring.
Explanation: This issue can occur when an admin unintentionally disables API access or changes the Prisma SaaS G Suite project on GCP. Prisma SaaS depends on that authorization and immediately stops working when access is revoked.
Solution: As outlined in Step 4, do not change the project. If you reauthenticate and Prisma SaaS still cannot authenticate, the cause is likely a change to your project. If so, you’ll need to repeat the onboarding process.
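A preflight check for the values prepared in Step 3 (Manage API client access) and re-entered when adding the app, as an added example that is not part of this page or of Prisma SaaS: it parses the comma-separated scope string pasted into the Google Admin Console, reports any scope a delegated client would request that was never authorized, and builds the claim set of the domain-wide delegation JWT that the P12 key signs (iss is the service account, sub is the impersonated Super Admin). The service-account and admin addresses are constructed placeholders, and the RS256 signing step with the P12 key is left out.

```python
import base64
import json
import time

# Scopes exactly as pasted into "One or More API Scopes" (comma-separated, from the page).
AUTHORIZED_SCOPES_CSV = (
    "https://www.googleapis.com/auth/userinfo.email,"
    "https://www.googleapis.com/auth/userinfo.profile,"
    "https://www.googleapis.com/auth/drive.apps.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.security,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly"
)
TOKEN_URI = "https://oauth2.googleapis.com/token"  # audience of the delegation assertion


def parse_scope_csv(csv_text):
    """Split the Admin console scope string into a clean, de-duplicated set."""
    return {s.strip() for s in csv_text.split(",") if s.strip()}


def unauthorized_scopes(requested, authorized_csv):
    """Return requested scopes that domain-wide delegation was never granted.
    Google matches scope URLs exactly, so a stray trailing slash or a broader
    scope (e.g. .../auth/drive instead of .../auth/drive.apps.readonly) is a mismatch."""
    return sorted(set(requested) - parse_scope_csv(authorized_csv))


def delegation_claims(sa_email, admin_email, scopes, now=None):
    """Claim set of the JWT a delegated client signs with the P12 private key.
    sa_email / admin_email are constructed placeholders in the caller."""
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,              # the service account created in Step 1
        "sub": admin_email,           # the Super Admin being impersonated
        "scope": " ".join(scopes),    # space-separated here, comma-separated in the console
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,            # Google rejects assertions valid for more than one hour
    }


def unsigned_assertion(claims):
    """base64url(header).base64url(claims): the bytes the RS256 signature covers."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims)
```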