Super Admin or Admin privileges in Google Workspace are required to complete this setup.

Create or select a Google Cloud project

To use Admin SDK API with OAuth 2.0, you need a Google Cloud project.

1

Sign in to Google Cloud

Sign in to your Google Cloud Console.

2

Create or select a project

Select an existing project from the dropdown at the top of the page, or create a new one by clicking New Project and filling in the Project name, Organization, and Parent resource fields, then clicking Create.

Enable the Admin SDK API

Enable the Admin SDK API for your project. This step is required whether you created a new project or selected an existing one.

1

Open the API Library

In the Google Cloud Console, navigate to APIs & Services > Library.

2

Enable Admin SDK API

Search for “Admin SDK API” and click on it.

  • New project: Click Enable to activate the API.
  • Existing project: If the API is already enabled, the button will show Manage. If it shows Enable, click it to enable the API.

Configure Google Auth Platform

Before creating OAuth credentials, ensure Google Auth Platform is configured.

1

Navigate to Google Auth Platform

In the Google Cloud Console, go to APIs & Services > OAuth consent screen. This will open the Google Auth Platform dashboard.

2

Start configuration

If you have already configured Auth Platform (the OAuth Overview page with usage metrics is shown), skip this step and navigate to the Branding page from the sidebar. Otherwise, you will see a Get started button — click it to begin the configuration process.

3

Enter app information

Fill in the required fields for your application.

  • App name: Enter a name for your application (e.g., StackOne Integration).
  • User support email: Select an email for user inquiries.
  • Click Next to continue.
4

Select audience

Choose the appropriate user type for your application.

  • Internal: Only users within your Google Workspace organization can authorize (no app verification required).
  • External: Any Google account can authorize (requires app verification for production use).
  • Click Next to continue.
5

Enter contact information

Provide email addresses for Google to notify you about any changes to your project. Click Next to continue.

6

Finish configuration

Review your settings, agree to the Google API Services User Data Policy, and click Create to complete the setup.

Configure scopes

In Google Auth Platform, go to Data Access and click Add or Remove Scopes to configure the OAuth scopes your application needs.

1

Add scopes

Enables actions: Add Member To Group, Check Member Existence, Create Domain, Create Group, Create Organizational Unit, Create User, Delete Domain, Delete Group, Delete Organizational Unit, Delete User, Get Domain, Get Group, Get Member, Get Organizational Unit, Get Unified Group, Get Unified Organization, Get Unified Role, Get Unified User, Get User, List Domains, List Groups, List Members, List Organizational Units, List Unified Groups, List Unified Organizations, List Unified Resource Types, List Unified Resource Users, List Unified Roles, List Unified Users, List Users, Patch Group, Patch Member, Patch Organizational Unit, Patch User, Remove Member From Group, Update Group, Update Member, Update Organizational Unit, Update User

Add scopes based on the Google Directory resources you need to access. Each resource has a read-write scope for full management and a read-only scope for read-only access.

  • User management (list, get, create, update, delete users): https://www.googleapis.com/auth/admin.directory.user, or https://www.googleapis.com/auth/admin.directory.user.readonly for read-only
  • Group management (list, get, create, update, delete groups): https://www.googleapis.com/auth/admin.directory.group, or https://www.googleapis.com/auth/admin.directory.group.readonly for read-only
  • Organizational unit management (list, get, create, update, delete org units): https://www.googleapis.com/auth/admin.directory.orgunit, or https://www.googleapis.com/auth/admin.directory.orgunit.readonly for read-only
  • Domain management (list, get domains): https://www.googleapis.com/auth/admin.directory.domain, or https://www.googleapis.com/auth/admin.directory.domain.readonly for read-only
  • Connection identity (unified_get_me): https://www.googleapis.com/auth/userinfo.email — populates the email/name on the IAM credentials record. Without this scope the name field is null.
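
The read-write versus read-only choice above can be checked mechanically before the scopes are saved. The following is an added example, not part of the original guide or of StackOne's code: it derives the least-privilege scope set from the operations an integration performs and audits a granted list against it. The resource labels, operation names and sample inputs are assumptions made for this sketch.

```python
BASE = "https://www.googleapis.com/auth/"
# Scope stems from the guide's list; the dict keys are labels chosen for this example.
STEMS = {
    "user": "admin.directory.user",
    "group": "admin.directory.group",
    "orgunit": "admin.directory.orgunit",
    "domain": "admin.directory.domain",
}
READ_OPS = {"list", "get"}
WRITE_OPS = {"create", "update", "delete"}

def minimal_scopes(needs):
    """needs maps a resource label to the operations the integration performs."""
    scopes = set()
    for resource, ops in needs.items():
        ops = set(ops)
        if ops - READ_OPS - WRITE_OPS:
            raise ValueError(f"unknown operation for {resource}: {ops - READ_OPS - WRITE_OPS}")
        if ops:
            # Any write operation needs the read-write scope; otherwise read-only suffices.
            suffix = "" if ops & WRITE_OPS else ".readonly"
            scopes.add(BASE + STEMS[resource] + suffix)
    return scopes

def audit(granted, needs):
    """Compare granted scopes with the minimal set; return (finding, scope, replacement)."""
    granted, required = set(granted), minimal_scopes(needs)
    findings = []
    for scope in sorted(granted - required):
        if scope + ".readonly" in required:
            findings.append(("downgrade", scope, scope + ".readonly"))
        elif scope.startswith(BASE + "admin.directory."):
            findings.append(("remove", scope, None))
    for scope in sorted(required - granted):
        # A read-only requirement is already met if the read-write scope is granted.
        if scope.removesuffix(".readonly") not in granted:
            findings.append(("missing", scope, None))
    return findings

# Constructed input: the integration lists/gets users and lists/creates groups.
NEEDS = {"user": {"list", "get"}, "group": {"list", "create"}}
GRANTED = [BASE + "admin.directory.user", BASE + "admin.directory.group",
           BASE + "admin.directory.domain", BASE + "userinfo.email"]

if __name__ == "__main__":
    for finding in audit(GRANTED, NEEDS):
        print(finding)
```
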
2

Select scopes from the list

In the Update selected scopes side panel that opens, check the required scopes from the list.

3

Manually add scopes (if needed)

If a required scope is not shown in the list, use the Manually add scopes section.

  • Enter the full scope URL in the input field.
  • Click Add to table.
4

Apply and save

Confirm and persist your scope configuration.

  • Click Update to apply the selected scopes. The side panel will close.
  • On the Data Access page, click Save to persist the scope configuration.
5

Understand admin privilege requirements

Adding the correct OAuth scope is necessary but not sufficient for user management actions. If you receive a 403 Forbidden error when running actions such as listing or getting users, this indicates the Google account used to authorize the connection does not have the required admin role in Google Workspace.

The Google Directory API requires the authenticated account to have Super Admin or an appropriate Delegated Admin role in your Google Workspace organization. To resolve this, ensure the account used to connect is assigned the Super Admin role or the relevant delegated admin privilege in the Google Admin Console.
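
The distinction drawn above, between a scope problem and a missing admin role, can be turned into a triage check. This is an added example, not part of the original guide or of StackOne's code: it classifies a failed Directory API call by comparing the access token's scopes with the attempted operation. The function names, result labels and sample rows are assumptions for this sketch, as is the premise that the token's space-separated scope string is available from the token response.

```python
PREFIX = "https://www.googleapis.com/auth/admin.directory."

def scope_covers(granted, resource, write):
    """True if the granted scopes permit the operation on the resource."""
    read_write = PREFIX + resource
    if read_write in granted:
        return True
    # A read-only scope covers list/get but never create/update/delete.
    return not write and read_write + ".readonly" in granted

def triage(status, scope_string, resource, write=False):
    """Classify the result of one attempted operation.

    scope_string is the space-separated scope list of the access token
    (assumption: taken from the OAuth token response).
    """
    if status < 400:
        return "ok"
    if status == 401:
        return "reauthorize"      # token missing, expired or revoked
    if status != 403:
        return "other-error"
    if not scope_covers(set(scope_string.split()), resource, write):
        return "fix-scopes"       # the token lacks a scope for this operation
    # The scope is present, so the authorizing account lacks the admin role.
    return "fix-admin-role"

# Constructed sample results: (HTTP status, token scopes, resource, write?)
SAMPLES = [
    (200, PREFIX + "user.readonly", "user", False),
    (403, PREFIX + "user.readonly", "user", False),
    (403, PREFIX + "user.readonly", "user", True),
    (403, PREFIX + "group", "user", False),
    (401, PREFIX + "user", "user", False),
]

def run_samples():
    return [triage(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], sample[2], "write" if sample[3] else "read", "->", verdict)
```
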

Create OAuth 2.0 client credentials

Set up OAuth client credentials to authenticate with Admin SDK API. If you already have an existing OAuth 2.0 client, you can reuse it by adding the StackOne redirect URI and generating a new secret.

1

Navigate to Credentials

In the Google Cloud Console, go to APIs & Services > Credentials.

2

Option A — Create a new OAuth client

Skip this step if you are using an existing client.

  • Click + Create Credentials and select OAuth client ID.
  • Select Web application as the application type.
  • Enter a Name for your OAuth client (e.g., StackOne Directory Integration).
  • Under Authorized redirect URIs, click Add URI and enter https://api.stackone.com/connect/oauth2/googledirectory/callback.
  • Click Create. A dialog will display your Client ID and Client Secret — copy and store them securely.
3

Option B — Use an existing OAuth client

Skip this step if you created a new client above.

  • Click on your existing OAuth 2.0 client ID from the list.
  • Under Authorized redirect URIs, click Add URI, enter https://api.stackone.com/connect/oauth2/googledirectory/callback, and click Save.
  • Under Client secrets, click + Add secret to generate a new secret. Copy it and store it securely — it will not be shown again.
  • Your Client ID is shown on the same page under Additional information.

Creating the StackOne Connector Profile

To create the Connector Profile in StackOne for Google Directory:
1

Navigate to Connector Profiles

Log in to StackOne and navigate to Connector Profiles.
2

Create New Connector Profile

  • Click + Connector Profile
  • Search for and select Google Directory
  • Select Type as OAuth 2.0
  • Fill out the fields using details retrieved from your provider:
    • Client ID
    • Client Secret
    • Scopes (Optional)
  • (Optional) Select Actions to be enabled for this Connector Profile
  • Click Create profile
Congratulations! The new Connector Profile will now show up in your project ready to be used. You can now continue to Link Accounts for Google Directory.