Connect Google Workspace¶

Step-by-step guide to connecting Google Workspace to Thalian for identity and access intelligence.

Prerequisites¶

Go to Integrations → Browse
Find Google Workspace and click Connect
Click Authorize with Google
Sign in with your Google Workspace super admin account
Review the requested permissions — Thalian requests read-only scopes for directory, audit, and app data
Click Allow to grant consent
You'll be redirected back to Thalian — the integration is now connected

Scope	Justification
`admin.directory.user.readonly`	Fetches all workspace users (name, email, 2SV status, admin role, suspended flag) for identity sync
`admin.directory.group.readonly`	Fetches Google Groups for group-based access analysis and reporting
`admin.directory.user.security`	Reads 2-Step Verification enrollment status per user for MFA posture analysis
`admin.reports.audit.readonly`	Ingests Drive, Login, and Admin audit activity logs for anomaly detection
`userinfo.email`	Retrieves the connecting admin's email during the OAuth callback to store as the integration owner

Thalian does not require domain-wide delegation. The OAuth consent flow grants the necessary read-only scopes directly.

Users — full directory including status, last login, and organizational unit
Groups — group memberships and group settings
OAuth apps — third-party apps with access to your domain, including AI tool detection across ChatGPT, Claude, Cursor, and 20+ others
Gmail app discovery — connected apps and mail delegation settings
Audit events — admin activity, login events, and token grants

Insufficient permissions: The authorizing account must have the Super Admin role. Delegated admins may not have access to all required APIs
OAuth app blocked: If your domain restricts third-party OAuth apps, you may need to allowlist Thalian in Security → API controls → App access control

For details on how OAuth grants surface as findings, see AI Tool Detection.