Skip to main content
Skip table of contents

Configure Google Workspace

Prerequisites

The Google Workspace Admin SDK Reports API has several prerequisites, which can be found in the Google Admin SDK Documentation. Most importantly, for access to the Google Admin Console, you need:

  • A Super Administrator account to enable API Access; and

  • An admin account with the Reports Administrator privilege to create and grant permission to the application.

The following Google documentation can assist you with the process of configuring the Google Workspace portal in preparation for connecting to the Open Collector:

Create a Google Cloud Project

Configure OAuth Consent

Create Access Credentials

Using OAuth2 to Access Google APIs

Manage OAuth Clients

Create a Project

  1. Open the Google API Console: https://console.developers.google.com

  2. Open the Select a Project window, and then click New Project.

image-20260129-181753.png

If you are familiar with Google APIs and projects, you can select an existing project from the list instead.

  1. Give the project a unique name.

  2. Open the Billing account drop-down and select the account that will be billed for charges accrued by this project.

A project cannot have APIs enabled unless a billing account is attached.

  1. Open the Organization drop-list and select an organization to which this project will be attached.

  2. Click Browse in the Parent resource bar and select the parent organization or folder where this project will be stored.

  3. Click Create.
    The project is added to your account and the Overview page displays.

  4. Click APIs and Services, and then click Library.

  5. Click Admin SDK API, and then click Enable.

image-20260226-172848.png

Depending on the logs you are trying to collect, you may also need to enable the Google Drive API.

All Login, Token, and Reports datasets are enabled by the Admin SDK API.

Configure OAuth Consent Screen

In order to connect your Google project to the Open Collector, you must give consent for OAuth verification.

This action only needs to be completed once per project.

To enable OAuth verification, from the Google API Console:

  1. With your project selected, navigate to APIs & Services, and then OAuth Consent Screen.
    The Project configuration screen opens.

  2. Create an App name (for example, Workspace Audit Beat).

  3. Enter the User support email, the email address at which users can contact you with questions about their consent.

image-20260224-235000.png

  1. Click Next.

  2. For user type, select Internal, and then click Next.

image-20260224-235037.png

  1. Enter one or more Contact email(s), the email address(es) at which Google will notify you about changes to your project.

image-20260226-162908.png

  1. Click Next.

  2. Click Create.
    OAuth consent is enabled for the project.

Create Credentials

  1. From the project’s Overview page, click Create OAuth Client on the right-hand side.

image-20260224-235358.png

  1. On the Create OAuth Client ID page, do the following:

    1. For Application type, select Desktop App.

    2. Enter a Name, such as "lr-gsbeat."

    3. Click Create.

image-20260226-162951.png

  1. The OAuth client window appears with your client ID.
    Copy the Client ID and paste it into a text editor. This will be used to configure the app in the workspace admin portal.

  2. Click the Download JSON button.

These credentials are required to Initialize the Google Workspace Beat.

image-20260226-163035.png

  1. On the left-hand side, click Data Access.

  2. Click Add or Remove Scopes.

image-20260226-163331.png

  1. Click on the Filter field, type and then select API, and then select Admin SDK API from the drop-down.

image-20260224-204811.png

  1. Click on the Filter field again, type and then select Reports, and select both of the APIs listed below:

image-20260224-235712.png

  1. Click Update.

  2. Click Save and Continue.

Enable API Access

  1. Open the Google Admin console: https://accounts.google.com/o/oauth2/auth?.

You need to be logged in as a Super Admin to perform these actions.

  1. On the home page, click Security.

image-20260226-172944.png

  1. Click API Controls.

image-20260226-173007.png

  1. Click Manage Third-Party App Access.

image-20260226-173029.png

  1. Click on Add app, and select OAuth App Name or Client ID.

image-20260226-173054.png

  1. Paste the Client ID copied in the Create Credentials section, and click Search.

image-20260226-173115.png

  1. Select OAuth Client ID and the client ID you pasted, then click Select. 

image-20260226-173138.png

  1. Select the Trusted: Can access all Google services option, and then click Configure.

image-20260226-173156.png

  1.  Your app is configured to be used, and you can now Initialize the Google Workspace Beat.

(Optional.) Domain-Wide Delegation Using a Service Account

In certain situations (for example, when using the Elastic Fleet or Filebeat Google Workspace Module), it may be required to use a service account instead of OAuth verification.

In this situation:

  1. Create a Service Account in the Google Workspace Console.

  2. Enable Domain-wide Delegation on the service account.

  3. Click Security, and then click API Controls.

  4. Add the Client ID and OAuth Scopes.

Complete instructions for this process can be found in the Google Workspace Documentation.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close