Overview
The Google Workspace integration monitors your organization’s user directory, MFA enrollment, security settings, admin activity, and managed devices. LowerPlane uses read-only OAuth access and connects via the Google Admin SDK.
Authentication
Google Workspace uses OAuth 2.0. You must sign in with a Super Admin account to authorize LowerPlane.
Required Permissions (OAuth Scopes)
| Scope | What It Grants | Why LowerPlane Needs It |
|---|---|---|
| admin.directory.user.readonly | Read user profiles and status | List all users for access reviews, MFA checks, and offboarding verification |
| admin.directory.group.readonly | Read group memberships | Map users to groups for access certification |
| admin.directory.orgunit.readonly | Read organizational units | Understand org structure for scoped policies |
| admin.directory.rolemanagement.readonly | Read admin roles | Identify privileged accounts for elevated access monitoring |
| admin.directory.domain.readonly | Read domain settings | Verify domain-level security configurations |
| admin.directory.device.chromeos.readonly | Read Chrome OS devices | Inventory Chrome OS devices for endpoint compliance |
| admin.directory.device.mobile.readonly | Read mobile devices | Inventory managed mobile devices |
| admin.reports.audit.readonly | Read admin audit logs | Collect admin activity events for audit trail |
| admin.reports.usage.readonly | Read usage reports | Monitor login activity and service usage patterns |
What LowerPlane Collects
User Directory
All users with profile data: name, email, department, title, status, creation date, last login, and organizational unit.
MFA / 2-Step Verification
Per-user 2-step verification enrollment status. Whether each user has enrolled in 2SV and what factors they use.
Groups & Roles
Group memberships and admin role assignments for access review campaigns and privileged access monitoring.
Admin Audit Logs
Administrative actions from the Google Admin Console: user creation, suspension, password resets, group changes, and security setting modifications.
Managed Devices
Chrome OS and mobile devices enrolled in Google endpoint management with compliance status.
Domain Settings
Domain-level security configurations including 2SV enforcement policy.
Security Tests
LowerPlane runs automated tests against your Google Workspace organization:

| Test | Severity | Applies To | Description |
|---|---|---|---|
| 2-Step Verification Enforced | Critical | Organization | Verifies org-wide 2SV enforcement is enabled so all users must enroll |
| User MFA Enrolled | Critical | Each user | Checks each active user has completed 2-step verification enrollment |
| Inactive User Accounts | Medium | Each user | Flags accounts with no sign-in activity in the last 90 days |
| Offboarded User Access Removed | Critical | Each user | Confirms suspended/deleted users match terminated employees |
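
The per-user tests in the table above can be reproduced offline against a Directory API user export, which is useful for checking a finding before acting on it. This is an added example, not LowerPlane's code: the records and the `TERMINATED` list are constructed, the field names are those of the Admin SDK Directory `users` resource, and treating a terminated employee who is still present and not suspended as an offboarding failure is an assumption about how that test is evaluated.

```python
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)  # window from the "Inactive User Accounts" test
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)  # lastLoginTime when a user never signed in
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time for the sample

# Constructed sample records using Directory API `users` field names.
USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False, "isEnrolledIn2Sv": True, "lastLoginTime": "2024-05-28T09:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False, "isEnrolledIn2Sv": False, "lastLoginTime": "2024-05-30T14:03:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False, "isEnrolledIn2Sv": True, "lastLoginTime": "2024-05-01T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": True, "isEnrolledIn2Sv": True, "lastLoginTime": "2024-02-10T10:30:00.000Z"},
    {"primaryEmail": "erin@example.com", "suspended": False, "isEnrolledIn2Sv": True, "lastLoginTime": "2024-01-15T11:45:00.000Z"},
    {"primaryEmail": "frank@example.com", "suspended": False, "isEnrolledIn2Sv": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]
TERMINATED = {"carol@example.com", "dave@example.com"}  # constructed HR termination list

def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def evaluate(users, terminated, now):
    """Return (email, test name, severity) for every failed per-user test."""
    findings = []
    for u in users:
        email = u["primaryEmail"]
        suspended = u.get("suspended", False)
        if email in terminated:
            # Assumption: a terminated employee must be suspended (or absent from the export).
            if not suspended:
                findings.append((email, "Offboarded User Access Removed", "Critical"))
            continue
        if suspended:
            continue  # assumption: enrollment and inactivity are judged for active users only
        if not u.get("isEnrolledIn2Sv", False):
            findings.append((email, "User MFA Enrolled", "Critical"))
        last = parse_ts(u.get("lastLoginTime", "1970-01-01T00:00:00.000Z"))
        if last == NEVER or now - last > INACTIVE_AFTER:
            findings.append((email, "Inactive User Accounts", "Medium"))
    return findings

if __name__ == "__main__":
    for email, test, severity in evaluate(USERS, TERMINATED, NOW):
        print(f"{severity:8} {test:32} {email}")
```
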
Cross-IdP MFA Passthrough
When Google Workspace enforces 2-step verification at the organization level, LowerPlane automatically passes MFA-related tests for downstream services authenticated via Google SSO.
Connecting
Navigate to Integrations
Go to Settings > Integrations and find Google Workspace under Identity Providers.
Authorize with Super Admin
Sign in with a Google Workspace Super Admin account. Review the requested permissions and click Allow. Standard admin accounts may not have sufficient privileges.
Evidence Artifacts
| Artifact | Description | Frameworks |
|---|---|---|
| User Directory | Complete user inventory with status and last login | SOC 2, ISO 27001, HIPAA, GDPR |
| 2SV Enrollment Status | Per-user MFA enrollment for access control evidence | SOC 2, ISO 27001, HIPAA, PCI-DSS |
| Group Memberships | User-to-group mapping for access review | SOC 2, ISO 27001 |
| Admin Audit Logs | Administrative actions for change management evidence | SOC 2, ISO 27001, HIPAA |
| Managed Devices | Endpoint inventory with compliance status | SOC 2, ISO 27001 |
Data Access
| Data Type | Access |
|---|---|
| User profiles and status | Read |
| 2-Step Verification enrollment | Read |
| Group memberships | Read |
| Admin audit logs | Read |
| Chrome OS and mobile devices | Read |
| Email contents | No access |
| Google Drive files | No access |
| Calendar events | No access |
| Chat messages | No access |
Troubleshooting
Authorization fails with 'insufficient permissions'
User count is lower than expected
LowerPlane syncs users from all organizational units by default. Check if some OUs are suspended or if certain users are in a different Google Workspace instance.
2SV status shows unenrolled but users have MFA
Google’s Admin SDK reports 2SV enrollment status from the directory, not from individual sign-in sessions. If 2SV enforcement was recently enabled, users may not appear as enrolled until they complete the enrollment flow.
Admin logs are empty
Admin audit logs require at least a Google Workspace Business or Enterprise subscription. Google Workspace Essentials may not include audit log API access.