Google Workspace Settings
To create user accounts in Google Workspace, ADManager Plus must be able to access Google Workspace and have the necessary privileges to create accounts. For this purpose, you must configure the Google Workspace settings in ADManager Plus by providing the credentials of a Google Workspace account with the necessary administrative privileges.
To configure Google Workspace settings in ADManager Plus,
- Click the Admin tab.
- Under Custom Settings, select the Google Workspace link.
- Click the Add Google Workspace Account link located at the top right corner of the page.
- Enter the User Name (of the Google Workspace administrative account) and the Service Account Email; select the relevant P12 Key File. Click here for the steps to create a service account email and the P12 file, and also to grant domain-wide authority to the new service account.
- Select the domains to whose users Google Workspace accounts should be provisioned.
- Save the settings.
Steps to create a Service Account Email and P12 file
- Go to: https://console.developers.google.com
- Logon using your Google Workspace Administrator account credentials.
- Create a new project named ADManager Plus.
- Now, in the right pane, click 'Enable and manage APIs'.
- In the right pane, under 'Google Workspace APIs', click 'Admin SDK', and then 'Enable API'.
- In the left pane, click 'Credentials'.
- In the right pane, click 'Add credentials' and then select 'Service account key'.
- From the 'Service account' drop down menu, select 'New service account'.
- Enter name as 'ADManager Plus' and choose 'Key type' as P12 and then click 'Create'.
- Save the P12 file and then click 'close'.
- You will now be able to see the new service account that you created. Click 'Manage Service accounts'.
- The Service Account Email is the one that is mentioned in the Email address column.
- Click the three vertical dots that appear at the end of service account, and then select 'edit'. Select 'Enable Google Workspace Domain-wide Delegation', and then click 'Configure consent screen'. (If you have already configured a consent screen, click 'Create').
- If you selected 'Configure consent screen' as explained in the previous step:
a) In the OAuth Consent Screen, enter 'Product name shown to users' as 'ADManager Plus' and then click 'Save'
b) Click Save again, if 'Edit service account' information appears.
- Click 'View Client ID' under 'Options' in the created service account.
- Note the Client ID mentioned.
- Now grant 'domain-wide authority' to this Service Account, using the following steps.
- Go to the Admin console of your Google Workspace domain.
- From the list of controls displayed, select Security.
(If Security in not listed, select More controls from the gray bar which is located at the bottom of the page, and select Security.)
- Select Advanced settings from the list of options.
(Click Show More if Advanced settings is not visible)
- Select Manage API client access in the Authentication section.
- Enter the Client ID of the service account in the Client name field.
- In the One or More API Scopes field enter:
- Click Authorize.
(For more information on granting domain wide authority, please refer this document from Google.