Configuring G Suite for Directory Synchronization

Document created by user.oxriBv5dM7 Employee on Nov 13, 2017. Last modified by user.oxriBaJeN4 on Dec 18, 2018.
Version 13

Only the "Email Address" and "Full Name" attributes are synchronized by default. Other attributes must be configured in the G Suite and Mimecast Administration Consoles first. Once a directory synchronization completes successfully, these attributes are displayed in Mimecast. The only attributes we can’t support are multi-valued attributes.

To configure a directory synchronization connection for Google G Suite, you must perform the following tasks:

  • Configure the Google Administration Console. You'll need a Super Administrator logon.
  • Enable the Admin SDK. You'll need access to the API Console.
  • Create a Service Account.
  • Authorize the Service Account's Client ID.

Once you've completed these steps, you'll also need to configure the Mimecast Administration Console. See the Administration Console: Configuring Directory Synchronization for G Suite page for full details.

Google Administration Console Configuration


To configure the Google Administration Console:

  1. Log on to the Google Admin Console.
  2. Enable API Access. See the Enabling API Access in the Admin Console page of the G Suite administrator help for full details.
  3. Create a User. See the Adding Users Individually page of the G Suite administrator help for full details.
  4. Make a note of the User's Email Address. This is needed when creating a directory connector in Mimecast (see below).
  5. Create a Custom Administrator Role with "Read" access to the areas listed below. See the Creating Custom Administrator Roles page of the G Suite administrator help for full details.
    • Organization Units
    • Users
    • Groups
  6. Add the User created in step 3 to the Role created in step 5. See the Assigning Administrator Roles to a User page of the G Suite administrator help for full details.


Enabling the Admin SDK


To enable the Admin SDK from the Google API console:

  1. Log on to the Google API Console.
  2. Create a Project. See the Creating a Project page in the G Suite Activity API technical documentation for further details.
  3. If the APIs & Services dialog isn't already open:
    1. Display the console's left hand menu if it isn't already displayed.
    2. Click on the APIs & Services menu item.
    3. Click on the Library menu item.
  4. Click on the G Suite category on the left hand side to filter the list of available APIs.
  5. Click on Admin SDK.
  6. Click the Enable button, if not enabled.


Creating a Service Account

To create a service account from the Google API console:

  1. Log on to the Google API Console.
  2. Display the console's left hand menu if it isn't already displayed.
  3. Click on the Credentials menu item.
  4. Click on the Create Credentials tab. A drop down is displayed.
  5. Click on the Service Account Key menu item.
  6. Select New Service Account from the "Service Account" drop down.
  7. Complete the dialog as follows (Field / Option: Value):
    • Service Account Name: Specify a name to identify the service account (e.g. Mimecast Directory Synchronization).
    • Role: Select the "Service Account | Service Account User" role from the drop down list.
    • Service Account Id: This field is automatically populated using the project name and service account name.
    • Key Type: Select the "JSON" option.
  8. Click on the Create button. A .JSON file is automatically downloaded to your browser's download folder. The file name consists of the project name and the key id (e.g. <projectname> - <keyid>.json).
  9. Save the .JSON File in a secure place.
  10. Click on the Close button.
  11. Click on the Manage Service Accounts link in the right hand corner of the "Service Account Keys" section.
  12. Navigate to the Service Account you've created.
  13. Click on the More icon. A drop down menu is displayed.
  14. Click on the Edit menu item. The Edit Service Account dialog is displayed.
  15. Select the Enable G Suite Domain-Wide Delegation option.
  16. Click on the Save button. You're returned to your Service Account list.
  17. Click on the View Client ID button under the "Options" column.
  18. Make a note of the Client ID as this is required in the next step.
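
The downloaded key file contains the service account's private key, which is why step 9 asks for a secure location. The following Python script is an added example, not part of the original document or of Mimecast's or Google's tooling: it checks that a key file is accessible only by its owner (POSIX permissions assumed), that it carries the fields of a service account key, and returns the Client ID needed in step 18. The function names and the sample key values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id")


def audit_key_file(path):
    """Return (client_id, findings) for a downloaded service account key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds a private key: only its owner should have any access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} lets group/other access the key")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
        if not isinstance(key, dict):
            raise ValueError("top-level JSON value is not an object")
    except (ValueError, OSError) as exc:
        return None, findings + [f"not a usable key file: {exc}"]
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, not 'service_account'")
    return key.get("client_id"), findings


def audit_sample(mode):
    sample = {  # constructed values for the demonstration, not a real key
        "type": "service_account", "project_id": "example-project",
        "private_key_id": "0000000000000000", "client_id": "100000000000000000001",
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
        "client_email": "sync@example-project.iam.gserviceaccount.com",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-project-0000.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, mode)  # simulate a loose (0o644) or tight (0o600) mode
        return audit_key_file(path)


if __name__ == "__main__":
    for sample_mode in (0o644, 0o600):
        print(oct(sample_mode), audit_sample(sample_mode))
```

To check a real download, call audit_key_file() with the path of the saved .JSON file; an empty findings list means the checks passed.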


Authorizing the Service Account's Client ID


To authorize the service account's Client ID:

Read the Authorizing GSMME for Your Domain page of the G Suite Administrator Help in conjunction with this step.

  1. Log on to the Google Admin Console.
  2. Click on the Security menu item.
  3. Click on the Advanced Settings option.
  4. Click on the Manage API Client Access option in the "Authentication" section.
  5. Enter your service account's Client ID in the "Client Name" field.
  6. Specify the following in the One or More API Scopes field in a comma separated list:
  7. Click on the Authorize button.
  8. Sign out of the Google Admin Console.

