Skip to main content

Configure Google Workspace connector

The Snow Integration Connector for Google Workspace is used to determine the number of registered Workspace users.

The configuration must be started and prepared according to SaaS connector configuration.


A Google Workspace Team account with the following permissions set is required:

  • Admin console privileges > Reports

  • Admin API privileges > Users > Read

Set up a Workspace app

  1. Go to the Workspace admin console on

  2. To sign in to the console:

    1. Select Admin console.

    2. Select or enter your Workspace Team account email address.

    3. Enter your password for the Workspace Team account.

    4. Select Next.

    The Workspace dashboard appears.

  3. Go to Security > API controls.


    API controls may be named App access control.

  4. Select Trust internal, domain-owned apps.

  5. Select Save.

  6. To verify the domain ownership inside Workspace:

    1. On the dashboard, select Verify domain.

    2. On the Add a meta tag to your homepage, copy the Meta tag value to the homepage of your website, and then select I have added the meta tag to my homepage.

    3. Select Verify. A message will be displayed saying if the website was successfully verified.

  7. Go to and create a project.

  8. Select the project and enable Admin SDK from the API library.

  9. Go to the OAuth consent screen page in your project:

    1. For User type, select Internal, and then CREATE.

      The OAuth consent screen page appears.

    2. For Application Type, select Internal.

    3. Add Application Name.

    4. Select Add scope.

    5. On the Add scope, select the /auth/ and auth/admin.reports.usage.readonly scopes.

    6. Select Add.

    7. Select Save.

  10. Go to the Credentials page in your project.

    1. Select + Create credentials.

    2. Select OAuth Client ID.

      The OAuth Client ID page appears.

    3. On the OAuth Client ID, in Application Type, select Web application.

    4. Enter the Name of the app.

    5. In the Authorized redirect URIs section, select + Add Uri.

    6. In URIs, enter http://localhost:8080.

    7. Select Create.

      Your Client ID and Your Client Secret are displayed in the OAuth client created window. Save these values as they are used when configuring the Client ID and Client Secret in the connector.

    8. Select OK.


In the Configure Google Workspace section at the bottom of Connector Configuration: SaaS, follow the steps as given below.

  1. In Client ID, enter the value for the Client ID of the created app in Set up a Workspace app.

  2. In Client Secret, enter the value for Client Secret of the created app in Set up a Workspace app.

  3. In Redirect URI, enter the value for a redirect uri.


    The redirect URI can for example be http://localhost:8080 if it is not used by another application.

  4. In Domain name, enter the address of the Workspace connected website.

    Example 7.


    The address of the Workspace connected website should not contain protocol name or www. Examples of invalid entries include:




  5. Select Get URI. The All good dialog appears.

  6. Authenticate and generate the URI for the URI from browser

    1. In the All good dialog, select OK.

    2. On the default browser that opens, enter the credentials for your Workspace Team account and select Next.

    3. Select Allow.

      A uri appears in the browser address field.

  7. Enter the uri in the URI from browser.

  8. Select Get token. A message saying that the token is successfully acquired appears.

  9. To check whether the connection can be established, select Test Connection.

  10. If the connection cannot be established, verify that the connector has been configured according to Step 1 to Step 8.

  11. To allow the data to be aggregated, select Active.

  12. Select Save.


Version 5.8 of Snow Integration Manager fetches only last login time for the Google Workspace accounts. The last login time is set as the last activity time for Google Workspace account users. However, if the user is using a POP or IMAP email client, and actively using Gmail, then the last login time will not be tracked in Snow Integration Manager 5.8. Therefore, active users can be flagged as inactive if they do not log in to the Google Workspace website.

Snow Integration Manager 5.9, and later versions, fetches last email interaction time for Google Workspace users which provides more accurate data. However, a token acquired in Snow Integration Manager 5.8 does not provide enough permission to fetch email activity report. This can be a problem if the Snow Integration Manager user has scheduled a Google Workspace aggregation using Snow Integration Manager 5.8 and upgraded to Snow Integration Manager 5.9 before the aggregation starts. To solve this, perform Step 5 to Step 9 to fetch a new token. The new token will have enough permissions to fetch the email usage report.