This document provides prerequisites and Expel Workbench on-boarding steps for Google Workspace.

Items to be produced


Admin Username

The admin username used to generate the service account. Only Admin accounts can access the Admin SDK reports API, so we need to impersonate the admin user through our service account.

Service Credentials JSON File

The credential file generated for the service account.

API Scopes

The permissions granted to the service account. This must be exactly what was provisioned in Google Workspace.

Step 1: Provision Expel Service Account in Google Workspace

  1. Go to the Google Developers Console and sign in as a super administrator.

  2. Under IAM & Admin, click Manage Resources.

  3. Click Create Project.

  4. Type project details and click Create.

    For this field

    Type this

    Project name

    Can be anything you want but we recommend "ExpelAPI".


    The name of your organization.


    Typically the name of your organization. You can put it wherever makes the most sense, however.

  5. Each project uses its own set of APIs. For Expel to communicate with Google Workspace APIs, we need to enable the Admin SDK for the newly created project. Navigate to the newly created project.

  6. Search for Admin SDK and open.

  7. Enable the Admin SDK for the new project.

  8. Create a Service Account for Expel Access. Navigate to Menu > IAM & admin > Service accounts.

  9. Click Create Service Account.

  10. Fill in the service account details.

    For this field

    Type this

    Service account name

    Can be anything but we recommend "ExpelAPI".

    Service account ID

    Can be anything but we recommend "ExpelAPI".

    Service account description

    Can be anything but we recommend "ExpelAPI".

  11. In the IAM & Admin section, click Service Accounts. For the service account that relates to this integration, click the Actions button and then Manage keys. In the Add Key section, click Create new key. Select JSON and click Create. After you click Create, a JSON file is downloaded.


    Keep this file in a safe place! It contains the credentials for this service account.

  12. Enable domain-wide delegation for the service account.

    • Back on the Service Accounts screen, click Actions and then click Manage Details.

    • Select Enable Google Workspace Domain-wide Delegation under Details section.

  13. After the service account is created, in the Details area, copy Unique ID.

  14. Grant the service account the required API permission scope.

    • Open the Google Workspace admin console

    • Navigate to Security > API Controls > Manage Domain Wide Delegation.

    • Click Add New.

      • Client Name: The Client ID that we saved from our Service Account, in the earlier step.

      • API Scopes: You can copy and paste all, which are comma-delimited or add the scopes for retrieving organizational units individually.,,,,,

Step 2: Configure Google Workspace in Workbench


Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, login to

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top right of the page, click Add Security Device.

  4. Search for and select Google Workspace.

  5. Fill in the following information.

    • Select Expel Cloud Service for SIEM.

    • Type device Name and Location.

    • For Admin username, type the email address of the Super Administrator that created the service account in Step 1.

    • For Service Credentials JSON, type the contents of the JSON file for the service account, generated in Step 1.

    • For API scopes, type the API Scopes from Step 1.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

GSuite, G Suite