What it provides
- User sync — Active and suspended users, org units, primary email, and last sign-in
- Access review evidence — Used to evidence access reviews and provisioning controls
- Read-only access — Regentra cannot create, modify, or suspend Workspace users
Setup
Create a service account in Google Cloud Console
In Google Cloud Console, create or pick a project, then create a service account. Note the service account’s Client ID (the long numeric one, not the email).
Create and download a JSON key
Create a JSON key for the service account and download the file. Paste the full JSON contents into the Service Account JSON field on the Workspace card in Regentra.
Enable domain-wide delegation
In the Google Workspace Admin Console, open Security → API Controls → Domain-wide Delegation. Click Add new and enter the service account’s Client ID.
Set the admin email
In the Admin Email (for delegation) field on the Regentra card, enter the email of a Workspace super-admin that the service account will impersonate when querying the Directory API.
Sync frequency
- Automatic sync runs every 4 hours on the hour
- Manual sync can be triggered at any time from the integration card
Troubleshooting
Test fails with unauthorized_client
Test fails with unauthorized_client
Test fails with invalid_grant or admin_email_required
Test fails with invalid_grant or admin_email_required
The Admin Email is missing or isn’t a real Workspace super-admin in the same domain. Service-account delegation needs an admin to impersonate; pick one (any super-admin works) and re-save.
Where do I rotate the JSON key?
Where do I rotate the JSON key?
Google Cloud → IAM & Admin → Service Accounts → Keys. Generate a new key, paste it into Regentra, then delete the old key from Google. Regentra picks up the new key on the next sync.