
Pre-requisites

If you already have a GCP environment, we recommend creating a new project that links to your Google Workspace via the registered domain.
Admin access to the domain DNS settings.

Setup Google Workspace

Setting up Google Workspace involves several steps, depending on whether you create a new account or manage an existing domain.
1

Configure a New Project in GCP

GCP is hierarchical, so we must first create a project. If you already have a GCP environment set up, we recommend following similar steps below to create a new project that links to your Google Workspace via the registered domain.
  1. Go to Google Cloud Console.
    Sign in with the Google account used to set up Google Workspace.
  2. Click on the project selector (top-left dropdown near “Google Cloud”).
  3. Click “New Project” to configure the project with all the necessary details:
    • Project Name: Enter a unique name for your project (For example: AirMDR).
    • Organization & Location: Enter your organization and your location (for example: airmdr.com as organization and location).
  4. Click Create.
    You have now successfully created a new organization and project in GCP.

    Only the creator of the project has the right to manage the project.
2

Enable Admin SDK API and Google Workspace Alert center API

Our virtual agent will eventually use a GCP service account, which uses the Workspace Admin SDK to interact with the GW admin console REST API, so the API needs to be enabled in GCP. AirMDR will only enable read access to the Reports API for this Admin SDK.
  1. Go to Google Cloud Console → APIs & Services.
  2. Click Enable APIs and services in the top menu.
  3. Search for each API:
    • Search “Admin SDK API”, click it, and click “Enable”.
    • Search “Google Workspace Alert Center API”, click it, and click “Enable”.
    • Search “Gmail API”, click it, and click “Enable”.
When finished, you will have enabled the Admin SDK API within your project, where your service account will have access to pull data from Google Workspace.
3

Configure OAuth Consent Screen in Google Cloud Platform (GCP)

  1. Go to the Google Cloud Console.
  2. Select your project.
  3. Navigate to “APIs & Services” → “OAuth consent screen” in the left-navigation pane.
  4. Click Get started.
  5. Configure App Information with the required details:
    • App Name: airmdr-agent
    • User Support Email: Provide an email for users to contact (for example: your email address), and click Next.
  6. Choose Audience as Internal.
  7. Provide the Developer Contact Information (for example: your email address), and click Next.
  8. In Finish, mark the checkbox to acknowledge and accept the terms of Google User Data Policy.
  9. Click “Create”.
    After successful configuration, you will have a registered application that uses OAuth 2.0 for authorization, with the consent screen information set.
    The default daily token request limit for this app is 10,000 and can be increased on request.
4

Create a Service Account in Google Cloud

A service account is required for the AirMDR agent to ingest data from Google Workspace. This account is meant for non-human applications, allowing it to access resources in GW via the Admin SDK API we enabled earlier.
It is required to access Google Workspace APIs such as the Admin SDK API and the Google Workspace Alert Center API.
  1. Go to Google Cloud Console → APIs & Services → Credentials → + Create credentials → Service account.
  2. On the “Create Service Account” page provide the required details:
    • Service account name: airmdr-agent
    • Service account ID: airmdr-agent
    • Service account Description: Describe what this service account will do
  3. Click “Create and Continue”.
  4. Assign necessary roles to grant permissions:
    • “Service Account Token Creator”
    • “Viewer” or “Editor” (if needed for managing resources)
  5. Click “Done”.
  6. Click on the newly created service account.
  7. Go to the “Keys” tab.
  8. Click “Add Key” → “Create New Key”.
    Choose JSON format and click “Create”.
After successful configuration, you will have a service account named airmdr-agent and a Service Account JSON file with the necessary credentials for this service account saved to your host.
Securely save the downloaded Service Account JSON file and share it with AirMDR.

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "your-private-key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nYOUR-PRIVATE-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "your-client-email",
  "client_id": "your-client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "your-client-x509-cert-url",
  "universe_domain": "googleapis.com"
}
By default, the Owner role will be applied to this service account based on inheritance from the project.
5

Enable Domain-Wide Delegation

Only admins can perform this action.
Our service account will need domain-wide delegation of permissions to access APIs that reach outside of GCP and into Google Workspace. The data needed for this was already established in earlier steps: an API key, a service account, and an OAuth client ID.
  1. Go to Google Workspace Admin Console.
  2. Navigate to Security → Access and data control → API controls.
  3. Select Manage Domain Wide Delegation → Add a new client ID and enter the required credentials:
  4. Click “AUTHORIZE”.
    You have now successfully enabled domain-wide delegation in Google Workspace.
    AirMDR requires the JSON file generated while configuring the Service Account or an email ID that has admin access to read alerts in the Alert Center UI.

    AirMDR Service account in GCP only needs access to:
6

Admin Email ID Requirement

To successfully integrate Google Workspace with AirMDR, the admin_email_id parameter is required during the configuration process. This email address must correspond to a valid Google Workspace administrator account within your organization.

Purpose

The admin_email_id is used by AirMDR to:
  • Authenticate access to your Google Workspace environment.
  • Ensure authorization for retrieving security-related data and configuration settings.
  • Maintain a consistent point of contact for system alerts or integration-related events.

Guidelines

  • Use your primary business email ID that has Google Workspace Admin privileges.
  • Ensure the account has sufficient permissions to grant scopes requested by AirMDR for monitoring and automation.
  • The email ID must be actively monitored, as integration health notifications and audit-related communications may be routed to this address.
    Example: admin_email_id: "security-admin@yourcompany.com"
    If your organization uses service accounts for automation, the admin_email_id is still required to validate permissions and maintain traceability within audit logs.
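
How the Service Account JSON file and admin_email_id combine under domain-wide delegation, shown as an added example rather than AirMDR's implementation: in Google's OAuth 2.0 service-account flow the assertion names the service account as issuer and the admin as subject. The function names, sample key and scope choice are assumptions; the page states only read access to the Reports API, so only that read-only scope is used here.

```python
import base64
import json
import time

# Assumed scope: the exact scope list AirMDR requests is not shown on the page.
ASSUMED_SCOPES = ["https://www.googleapis.com/auth/admin.reports.audit.readonly"]
SAMPLE_KEY = {  # constructed placeholder values, same field names as the JSON key file
    "private_key_id": "0000",
    "client_email": "airmdr-agent@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def delegation_signing_input(key, admin_email_id, scopes, now=None, lifetime=3600):
    """Build the unsigned 'header.claims' part of a delegated token request."""
    if lifetime > 3600:
        raise ValueError("assertion lifetime may not exceed one hour")
    if "@" not in admin_email_id or admin_email_id.endswith(".gserviceaccount.com"):
        raise ValueError("admin_email_id must be a Workspace user, not a service account")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    claims = {
        "iss": key["client_email"],  # the service account created in step 4
        "sub": admin_email_id,       # the Workspace admin the call is made as
        "scope": " ".join(scopes),   # must match what was authorized in step 5
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }
    # A real request signs this string with private_key (RS256) and posts the
    # result to token_uri; signing is left out so the example needs no key.
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))

def decode_claims(signing_input):
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Decoding the claims makes it visible that the key file alone identifies the service account, and the admin_email_id determines whose Workspace permissions the authorized scopes are exercised with.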

    ✅ Summary of Retrieved Credentials

    Credential | Description
    admin_email_id | Your primary business email ID that has Google Workspace Admin privileges
    Service Account JSON file | Service Account JSON file generated in step 4

    Securely save and share the admin_email_id and Service Account JSON file with the AirMDR support team to configure, or self-configure Google Workspace in the AirMDR Integrations Dashboard.

Configure Google Workspace in AirMDR Integrations Dashboard

  1. Navigate to AirMDR, provide the credentials, and click Login.
  2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
  3. Use the search option, enter the keyword “Google Workspace”, select the Connections tab, and click the Add New Connection icon.
  4. Enter the generated admin_email_id, provide the contents of the generated JSON file with Service Account credentials in the Authentication Details field params, and click Create.