Connect G Suite to Microsoft Cloud App Security
This section provides instructions for connecting Cloud App Security to your existing G Suite account using the connector APIs.
Configure G Suite
As a G Suite Super Admin, log in to https://cloud.google.com/console/project.
Click Create project to start a new project.
In the New project screen, name your project Microsoft Cloud App Security and click Create.
After the project is created, click Google Cloud Platform in the toolbar and make sure that the right project is selected in the drop-down list at the top.
Under APIs click Go to APIs overview.
Under API, disable all the listed APIs.
Click on Library and enable the following APIs (use the search line if the API is not listed in the Popular APIs list):
Google Drive API
Google Apps Marketplace SDK
Ignore the Credentials warning for now.
You should have 5 Enabled APIs:
Click Credentials and then select the OAuth consent screen tab.
In Product name shown to users, type Microsoft Cloud App Security.
All other fields are optional.
In the Credentials tab, click the arrow next to Create credentials.
Select Service account key.
Under Create service account key, choose New service account, and type any name, for example Service account 1. Under Role, choose Project and then Editor. Under Key type, choose P12 and click Create. A P12 certificate file is saved to your computer.
Copy the Service account ID assigned to your service - you need it later.
In the Credentials screen, click Manage service accounts in the far right.
Click the three dots to the right of the service account you created and select Edit.
Select the Enable G Suite Domain-wide Delegation check box and click Save.
Open the Google menu by clicking the three horizontal lines next to Google Cloud Platform in the title bar. Click Google Cloud Platform and then click the APIs and services tab in the left menu.
In the Dashboard that opens, scroll down to the list of enabled APIs and click on Google Drive API.
Click on the Drive UI Integration tab and fill in the following information:
Application Name: Microsoft Cloud App Security.
Short Description & Long Description (optional): Microsoft Cloud App Security provides you with visibility into cloud applications, helping you control, investigate, and govern cloud application use; secure corporate data; and detect suspicious activities for any cloud application.
Google requires you to upload at least one application Icon. Go to https://go.microsoft.com/fwlink/?linkid=862826 to download a zip file containing Cloud App Security icons. Then, under Application icon, click Select next to the 128x128 image and drag it to the popup screen. Click Select next to the 32x32 image and drag it to the popup screen.
Scroll down and in the Drive Integration section, type the following URL under Open URL:
Click Save changes.
Go back to the Enabled APIs list. Click Google Apps Marketplace SDK.
Select the Configuration tab.
Copy the Project number (App ID) that appears at the top to use later.
Under Application Name type Microsoft Cloud App Security.
In Application description type "Microsoft Cloud App Security provides visibility into cloud apps, helping you control, investigate, and govern cloud app use; secure corporate data; and detect suspicious activities for any cloud app."
Uncheck the Enable individual install check box.
Configure the four required images under Application icons.
The images can be found at: https://go.microsoft.com/fwlink/?linkid=862826
Fill in the following Support URLs:
Under OAuth 2.0 scopes, copy and paste the following URLs (copy them one at a time and press Enter after each one):
Under Visibility, select My domain (not public).
Click Save changes.
Go to admin.google.com and then choose Security.
Choose API reference.
Select Enable API Access and click Save changes.
Configure Cloud App Security
In the Cloud App Security portal, click Investigate and then Connected apps.
In the Connected apps page, click the plus sign and select G Suite.
In the pop-up, fill in the following information:
Service account ID that you copied in step 13.
Project number (App ID) that you copied in step 21.
Upload the Certificate P12 that you saved in step 12. You need the password you saved to do this.
Enter the email address of one of your G Suite admin accounts.
If you have a G Suite unlimited account, check this check box. For information about which features are available in Cloud App Security for G Suite unlimited, see Enable instant visibility, protection, and governance actions for your apps.
Click Save settings.
Follow the link to connect to G Suite. This opens G Suite and you are asked to authorize access for Cloud App Security.
Make sure the connection succeeded by clicking Test now.
Testing may take a couple of minutes.
After receiving a success notice, click Done and close the G Suite page.
After connecting G Suite, you will receive events for 60 days prior to connection.
After connecting G Suite, Cloud App Security performs a full scan. Depending on how many files and users you have, completing the full scan can take a while. To enable near real-time scanning, files on which activity is detected are moved to the beginning of the scan queue. For example, a file that is edited, updated, or shared is scanned right away. This does not apply to files that are not inherently modified. For example, files that are viewed, previewed, printed, or exported are scanned during the regular scan.