>
    Strata Copilot
    Onboard a Google Analytics App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Google Analytics App to SSPM
    Download PDF
    SaaS Security

    Onboard a Google Analytics App to SSPM

    Table of Contents

    Onboard a Google Analytics App to SSPM

    Connect a Google Analytics instance to SSPM to detect posture risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    For SSPM to detect posture risks in your Google Analytics instance, you must onboard your Google Analytics instance to SSPM. SSPM gets access to your Google Analytics instance through OAuth 2.0 authorization. Through this onboarding process, SSPM connects to a Google Analytics API and, through the API, scans your Google Analytics instance for misconfigured settings and account risks.
    The supported Google Analytics account plan for SSPM scans is the premium plan, Google Analytics 360.
    To onboard your Google Analytics instance, you complete the following actions:
    1. Identify the Google Analytics account that you will use to log in to Google Analytics during onboarding.
      During the onboarding process, SSPM will redirect you to log in to Google Analytics. After you log in, Google Analytics will prompt you to grant SSPM the access it needs.
      Required Permissions. SSPM supports configuration scans for misconfigured settings and identity scans to detect account risks. The account that you use to onboard Google Analytics must have permission to grant SSPM access to the following scopes:
      ScopeRequired for Scans
      analytics.manage.users.readonly
      		Configuration and Identity Scans
      analytics.readonly
      		Configuration and Identity Scans
      admin.directory.user.readonly
      		Identity Scans
      admin.reports.audit.readonly
      		Identity Scans
      SSPM will use this account to establish a connection to your Google Analytics instance. After SSPM establishes the connection, it will perform an initial scan of your Google Analytics instance, and will then run scans at regular intervals. The account that you use to establish the initial connection with SSPM must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, or change the account's password, the scans will fail and you will need to onboard Google Analytics again.
    2. Log out of all Google Analytics accounts.
      Logging out of all Google Analytics accounts helps ensure that you log in under the correct account during the onboarding process. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic login option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening SSPM in an incognito window.
    3. Connect SSPM to your Google Analytics instance.
      By adding a Google Analytics app in SSPM, you enable SSPM to connect to your Google Analytics instance. You must consent to specific permissions when adding the Google Analytics app.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Google Analytics tile.
      3. On the Posture Security tab, Add New instance.
      4. Choose the option to Log in with Credentials.
      5. Connect
        SSPM redirects you to the Google Analytics login page.
      6. Log in to your Google Analytics account.
        Google Analytics displays a consent form that details the access permissions that SSPM requires.
      7. Review the consent form and allow the requested permissions.

    © 2026 Palo Alto Networks, Inc. All rights reserved.