Skip to main content
The Google Workspace integration provides read-only visibility into users, groups, devices, and security events.

Capabilities

Query Tools

ToolWhat It Does
Analyze user securitySecurity posture analysis: 2FA coverage, admin accounts, recent users
List usersList users with status, admin flags, 2FA enrollment
Get user detailsDetailed user info: status, 2FA, recovery info, aliases, last login
List groupsList all groups with member counts
Get group membersView members by role (owner, manager, member)
Get login failuresRecent failed login attempts grouped by user and IP
List third-party appsOAuth apps connected to user accounts with permission analysis
List org unitsOrganizational unit hierarchy

What Hiro Cannot Do

Google Workspace integration is read-only. Hiro cannot take any actions.
  • Cannot suspend or disable users
  • Cannot wipe devices
  • Cannot reset passwords
  • Cannot revoke OAuth tokens
  • Cannot modify group membership
  • Cannot change any settings
All remediation must be done manually in the Google Workspace Admin Console.

Setup

Prerequisites

  • Google Workspace admin access
  • Business, Enterprise, or Education plan

Connection Method

Hiro connects via OAuth 2.0 with admin consent.
1

Start connection

In Hiro, go to Settings > Integrations and click Connect.
2

Sign in with admin account

You’ll be redirected to Google. Sign in with a Google Workspace admin account.
3

Grant permissions

Review and approve the requested permissions. All scopes are read-only:
  • Directory API (users, groups, org units, devices)
  • Reports API (login activity, admin activity, token activity)
4

Verify admin access

Hiro verifies your admin access by attempting to list users. If this fails, the connection will show a warning.

Investigation Examples

Security posture analysis

Analyze our Google Workspace security posture
Returns:
  • Total users (active, suspended, archived)
  • Users without 2FA enabled
  • Admin users and their 2FA status
  • Recently created users (last 30 days)
  • Security findings with severity levels

Check a specific user

Get details for john@company.com in Google Workspace
Returns:
  • Account status
  • 2FA enrollment
  • Last login time
  • Admin privileges
  • Email aliases
  • Recovery information

Find login failures

Show me failed login attempts in Google Workspace
Returns:
  • Failed attempts grouped by user
  • IP addresses used
  • Recommendations for accounts with many failures

Audit third-party apps

What third-party apps are connected to our Google Workspace?
Returns:
  • Apps categorized by risk level:
    • High risk: Full email or Drive access
    • Medium risk: Calendar or contacts access
    • Low risk: Limited permissions
  • Scopes/permissions for each app
  • Number of users with each app

Security Analysis

Hiro’s security analysis highlights:
FindingSeverity
Admin without 2FACritical
Many users without 2FAHigh
Recently created admin accountsHigh
High-risk third-party appsMedium

Limitations

Since the integration is read-only:
  1. For user issues — Suspend users manually in Admin Console, or use Okta if users are provisioned through Okta
  2. For device issues — Wipe devices manually in Admin Console
  3. For app issues — Revoke OAuth tokens manually in Admin Console
If you need to take action on Google Workspace users, consider provisioning users through Okta. Hiro can then suspend users via the Okta integration.

Troubleshooting

”Admin access not verified”

The account used to connect may not have sufficient admin privileges. Reconnect with a Super Admin account.

Slow queries

Google Workspace APIs can be slow for large domains. Queries may take several seconds.

Missing data

Some report data requires specific Google Workspace editions. Check your license level.

Next Steps

Okta

Connect identity management for user actions.

Slack

Connect team communication.