Overview
The Google Workspace integration pulls user and security data from your Google Workspace account to provide continuous evidence for identity, access control, and admin activity controls.
Evidence collected automatically:
- User list with roles and last login dates
- MFA (2-Step Verification) enrollment status per user
- Admin role assignments and changes
- Inactive users (no login in 90+ days)
- Super admin activity log
- Password policies (strength requirements, expiry)
- External sharing settings for Google Drive
- OAuth apps authorized by users
Prerequisites
- Google Workspace Business Starter or higher (Admin Console access required)
- Matproof Admin or Owner role
- Google Workspace Super Administrator account to authorize the connection
Connecting Google Workspace
- Go to Settings → Integrations
- Click Connect next to Google Workspace
- Sign in with a Google Workspace Super Administrator account
- Review and grant the requested read-only permissions
- Select your domain and confirm
The initial sync runs immediately. Subsequent syncs run every 24 hours.
A Super Administrator account is required to authorize the integration — not a delegated admin. This is a Google restriction on directory API access. Once authorized, Matproof does not retain your admin credentials.
Permissions Requested
Matproof requests the following Google API scopes (all read-only):
| Scope | What It’s Used For |
|---|
admin.directory.user.readonly | List users, MFA status, last login |
admin.directory.rolemanagement.readonly | Admin role assignments |
admin.reports.audit.readonly | Admin activity logs |
admin.reports.usage.readonly | User activity and last login data |
What Gets Mapped to Which Controls
| Evidence Collected | Control Examples |
|---|
| MFA enrollment rate | MFA controls (SOC 2 CC6.1, DORA Art. 9, NIS2 Measure 10) |
| Inactive user accounts | Access review / account lifecycle controls |
| Admin role assignments | Privileged access management controls |
| External sharing policy | Data protection controls (ISO 27001 A.5.14) |
| OAuth app authorizations | Third-party app access controls |
Interpreting MFA Status
Matproof reports two MFA metrics:
- Enforcement — whether your Google Workspace policy requires 2-Step Verification for all users
- Enrollment — per-user status showing who has it enabled vs. who hasn’t
For most compliance frameworks, enforcement at the policy level is the primary evidence requirement. Per-user enrollment gaps should be remediated — Matproof lists non-enrolled users so you can follow up directly.
Go to Integrations → Google Workspace → Users and filter by “MFA: Not enrolled” to get a list of users to chase. Export as CSV to send to your IT team.
Inactive Users
Matproof flags users who have not logged in for 90+ days as an access control risk. These accounts should be reviewed and either:
- Suspended (for employees on leave or contractors no longer active)
- Deleted (for fully departed users)
- Documented as service accounts with a justification
This evidence is mapped to your offboarding and access review controls.
Common Issues
”Authorization failed — insufficient permissions”
The Google account used to authorize must be a Super Administrator. Delegated admins with custom roles cannot grant the directory API access Matproof needs. Use a Super Admin account and try again.
”User count doesn’t match our actual headcount”
By default, Matproof includes suspended users in the count. Filter by Status: Active to see only active users.
Go to Google Admin Console → Security → 2-Step Verification and ensure “Allow users to turn on 2-Step Verification” is set to Enforce. Simply allowing it (not enforcing) will show as a gap.
Disconnecting
Go to Settings → Integrations → Google Workspace → Disconnect. Also revoke app access from your Google Admin Console under Security → API Controls → App Access Control.
