Connect G Suite to Microsoft Cloud App Security

This section provides instructions for connecting Cloud App Security to your existing G Suite account using the connector APIs.

Configure G Suite

  1. As a G Suite Super Admin, log in to https://cloud.google.com/console/project.

  2. Click Create project to start a new project.

  3. In the New project screen, name your project Microsoft Cloud App Security and click Create.

  4. After the project is created, in the tool bar, next to Google Cloud Platform, select the project and then under API click Go to APIs overview.

  5. Under API, disable all the listed APIs.

  6. Click on Library and enable the following APIs (use the search line if the API is not listed in the Popular APIs list):

    Note

    Ignore the Credentials warning for now.

    • Admin SDK

    • Audit API

    • Google Drive API

    • Google Apps Marketplace SDK

    • Gmail API

  7. You should have 5 enabled APIs.

  8. Click Credentials, followed by OAuth consent screen:

    • In Product name shown to users, type Microsoft Cloud App Security.

    • All other fields are optional.

    • Click Save.

  9. In the API Credentials screen, click the arrow next to Create credentials.

  10. Select Service account key.

  11. Under Create service account key, choose New service account and type any name, for example Service account 1. Under Role, choose Project and then Editor; under Key type, choose P12; then click Create. Select the Enable G Suite Domain-wide Delegation check box and click Save.

  12. A P12 certificate file will be saved to your computer.

  13. In the Credentials screen, click Manage service accounts on the far right.

  14. Click the 3 dots to the right of the service account you created and select Edit.

  15. Copy the Service account ID assigned to your service - you will need it later.

  16. Open the Google menu by clicking the three horizontal lines next to Google Cloud Platform in the title bar, and select API manager followed by Dashboard.

  17. Scroll down to the list of enabled APIs and click the settings cog next to Google Drive API.

  18. Fill in the following:

    • Application Name: Microsoft Cloud App Security.

    • Short Description & Long Description (optional): Microsoft Cloud App Security provides you with visibility into cloud applications, helping you control, investigate and govern cloud application use; secure corporate data; and detect suspicious activities for any cloud application.

    • Google requires you to upload at least one application Icon. Go to https://portal.cloudappsecurity.com/cas/static/files/MSLogos.zip to download a zip file containing Cloud App Security icons. Then, under Application icon drag and drop the 128x128 and 32x32 images.

    • Under Drive Integration type the following under Open URL:

      https://portal.cloudappsecurity.com/#/services/11770?tab=files

  19. In the Enabled APIs list, click the settings cog next to Google Apps Marketplace SDK.

    Note

    If the cog is disabled, you can click on Google Apps Marketplace SDK instead.

  20. Select the Configuration tab.

  21. Go to admin.google.com and then choose Security.

  22. Choose API reference.

  23. Select Enable API Access and click Save changes.

Configure Cloud App Security

  1. In the Cloud App Security portal, click Investigate and then Connected apps.

  2. In the Connected apps page, click the plus sign and select G Suite.

  3. In the pop-up, fill in the following:

    1. Service Account email address that you copied in step 16.

    2. Project number (App ID) that you copied in step 21.

    3. Upload the Certificate P12 that you saved in step 12. You will need the password you saved to do this.

    4. Enter the email address of one G Suite admin account.

    5. If you have a G Suite unlimited account, check this check box. For information about which features are available in Cloud App Security for G Suite unlimited, see Enable instant visibility, protection and governance actions for your apps.

    6. Click Save settings.

    7. Follow the link to connect to G Suite. This will open G Suite and you will be asked to authorize access for Cloud App Security.

    8. Make sure the connection succeeded by clicking Test now.

      Testing may take a couple of minutes.

      After receiving a success notice, click Done and close the G Suite page.

After connecting G Suite, you will receive events for 60 days prior to connection.

After connecting G Suite, Cloud App Security performs a full scan. Depending on how many files and users you have, completing the full scan can take a while. To enable near real-time scanning, files on which activity is detected are moved to the beginning of the scan queue. For example, a file that is edited, updated, or shared is scanned right away and doesn't wait until it is reached by the regular scan process. This does not apply to files that are not inherently modified, for example files that are viewed, previewed, printed or exported.
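
The P12 file saved in step 12 is the private key of a service account with domain-wide delegation, so it is worth checking before the upload in step 3 of Configure Cloud App Security. The following is an added example, not part of the original instructions or of any Microsoft or Google tooling: it checks the file's permissions, records the certificate fingerprint, and confirms the password and remaining validity with OpenSSL. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks on the service-account P12 file before upload.
# Function names are hypothetical; the password is passed via the
# environment (env:P12_PASS) so it does not show up in the process list.

# Constructed sample standing in for the downloaded key: a throwaway
# self-signed certificate valid for 30 days. Not a real Google key.
make_sample_p12() {  # $1 = output path, $2 = password
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-service-account" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    P12_PASS="$2" openssl pkcs12 -export -inkey "$tmp/key.pem" \
        -in "$tmp/cert.pem" -passout env:P12_PASS -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Succeed only if group and others have no permissions on the file.
p12_mode_ok() {  # $1 = path
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the certificate's SHA-256 fingerprint for the key inventory.
# Exits non-zero if the password does not open the file.
p12_fingerprint() {  # $1 = path, $2 = password
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only if the certificate is still valid $3 days from now.
p12_valid_for() {  # $1 = path, $2 = password, $3 = days
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys \
        2>/dev/null | openssl x509 -noout -checkend "$(( $3 * 86400 ))" \
        >/dev/null 2>&1
}
```

Run `p12_mode_ok`, `p12_fingerprint` and `p12_valid_for` against the downloaded file before uploading it. On OpenSSL 3, a P12 written with older RC2 or 3DES encryption may need `openssl pkcs12 -legacy` to open.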

See Also

Control cloud apps with policies
For technical support, please visit the Cloud App Security assisted support page.
Premier customers can also choose Cloud App Security directly from the Premier Portal.