Contact Support

Google Workspace User Provisioning

The Google Workspace native integration allows organizations to automatically sync users and groups from Google Workspace into Verkada Command. This simplifies identity management and provisioning for access control and general user onboarding.

Unlike Verkada’s SCIM integrations with Okta or Azure, this integration uses the Google Workspace Admin SDK and Reports API, authenticated through a Google service account with domain-wide delegation.

With the integration enabled, Command can:

  • Import users and groups from selected Google Workspace Groups or Organizational Units (OUs)

  • Sync them into Command as managed users and groups

  • Maintain directory accuracy with scheduled background syncs and on-demand syncs from the Admin UI

Create a Google service account

To allow Command to read user and group data from your Google Workspace domain, it must authenticate with Google’s APIs using a service account. This type of account is designed for programmatic access and must be configured with the correct API scopes and domain-wide delegation. These settings are configured in your Google Cloud console account.

Verify policies & roles

You must first verify whether your user has permissions to create a service account and to generate the service account JSON Key. To ensure you are not blocked by security policies in your tenant:

1

Go to the Google Cloud console and sign in with your Super Admin credentials.

2

In the top-left corner, open the Project Selector dropdown, and choose your top-level (Type: Organization) resource.

3

From the left-hand panel, navigate to IAM & Admin → IAM.

4

Click Grant Access under View by principals.

a. Under Add principals, enter the user’s email address. b. Under Assign roles, search for and select Organization Policy Administrator. c. Click Save.

5

From the left-hand panel, select Organization Policies.

6

In the list of policies, search for and disable the following:

Disable service account creation | Managed
Disable service account creation | Managed (Legacy)
Disable service account key creation | Managed
Disable service account key creation | Managed (Legacy)

Create a service account

1

In the Google Cloud console, in the top left, open the Project Selector dropdown.

2

Click New Project.

3

Enter a project name (for example, Verkada User Sync) and create the project.

4

Once the project is created, confirm it’s selected in the navigation bar at the top left.

5

From the left-hand sidebar, go to IAM & Admin → Service Accounts.

6

Click + Create Service Account.

7

Fill in the following fields:

  • Name: Enter a descriptive name (e.g., Verkada User Provisioning)

  • ID: Leave as-is or customize (optional)

  • Description: Add a note, such as Used by Verkada to read Workspace directory data (optional)

8

Click Create and Continue.

9

Skip the Grant Project Access step — no roles are required here.

10

Click Continue → Done.

11

From the list of service accounts, copy the OAuth 2 Client ID for the newly created account. You will need this ID later to complete your setup.

Generate a JSON key

1

From the Service Accounts list, click the account name or select the three dots next to your new service account and choose Manage keys.

2

Under the Keys tab, click Add Key → Create new key.

3

Select JSON and click Create.

4

A .json file will download to your computer. Save it in a secure location for use later when setting up the integration in Verkada Command.

This JSON file contains the credentials that the Google Workspace integration in Command uses to authenticate to Google APIs via OAuth 2.0. Keep this file secure, as it provides access to your Workspace data and should never be shared or made public.

Enable required Google APIs

Verkada Command requires access to specific Google Workspace APIs to read users, groups, domains, and audit logs. These APIs must be enabled in your Google Cloud project before the integration can function.

1

Go to the Google Cloud console, and sign in with your Super Admin credentials.

2

From the left-hand sidebar, go to APIs & Services → API Library.

3

In the search bar, find and select Admin SDK API, then click Enable.

Note: This API is required to read users, groups, and domain metadata.

4

(Optional) Search for and enable the Reports API to allow audit log monitoring and detect directory changes.

Enable Domain-wide delegation

To allow the service account to impersonate an administrator and access user and group data across your domain, you must grant it domain-wide delegation. This enables the service account to perform read operations on behalf of an admin without requiring manual re-authentication.

1

Navigate to the Google Admin Console and sign in with your Super Administrator credentials for your Google Workspace tenant.

2

From the Admin Console homepage, go to Security →Access & data control → API Controls.

3

On the API Controls page, scroll to the Domain-wide Delegation section and click Manage Domain Wide Delegation.

4

Click Add New and enter the following details:

  • Client ID: Paste the OAuth 2 Client ID for your service account key file (the client_id field in the JSON).

  • OAuth Scopes (comma-separated):

    https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
5

Click Authorize.

The new delegation entry will appear on the page, confirming that the service account can now be used by Verkada Command to query user, group, and audit data.

Set user attribute values

Before syncing users to Verkada Command, confirm that key attributes (such as first name, last name, email, and employee ID) are correctly populated in Google Workspace.

1

Sign in to the Google Admin Console using your Super Admin account.

2

Go to Directory → Users.

3

Select the user profile you want to update.

4

Click User information, then expand the relevant sections (for example, Basic information or Employee information).

5

Update the following fields as needed:

  • Primary email address

  • First name and Last name

  • Employee ID (under Employee information)

  • Phone number (under Contact information)

6

Click Save to apply your changes.

The following attributes can be synced from Google Workspace to Verkada Command:

Google Workspace Attribute Name

Command Field

Email

Email

First name

First Name

Last name

Last Name

Department

Department

Cost center

Department ID

Employee ID

Employee ID

Job title

Employee Title

Phone number (Primary Home/Work/Mobile)

Phone Number

Users and groups synced from Google Workspace are managed exclusively in Workspace and cannot be manually edited in Verkada Command.

To ensure users’ phone numbers sync correctly to Verkada Command, enter them in international format, including the country code and no spaces or hyphens.

Example: +14155552671

Enable the integration in Command

You need Org Admin permissions to configure this integration.

1

In Verkada Command, go to All Products > Admin.

2

On Org Settings, select Login & Access → User Provisioning → Google Workspace.

a. Enter the email address of your Google Workspace Super Admin. For security and continuity, Verkada recommends using a dedicated service account that has equivalent admin permissions, rather than a personal user account. a. Upload the JSON key you generated in your Google Cloud Console project. b. Once authentication succeeds, click Add to select the Groups and/or Organizational Units you want to sync to Command. c. Click Enable.

3

Upon successfully completing the first sync, a Sync Now button will be available for on-demand updates at any time.

Frequently asked questions

Do users sync automatically on a regular schedule?

Yes, users are synced from your Google Workspace account to Verkada Command automatically every 40 minutes.

Can synced Google Workspace groups be converted into access groups?

Verkada Command does not currently support converting synced Google Workspace groups into access groups.

Need more help? Contact Verkada Support.

Last updated

Was this helpful?