Connect G Suite to Microsoft Cloud App Security

This section provides instructions for connecting Cloud App Security to your existing G Suite account using the connector APIs.

Configure G Suite

  1. As a G Suite Super Admin, log in to https://cloud.google.com/console/project.

  2. Click Create project to start a new project.

  3. In the New project screen, name your project Microsoft Cloud App Security and click Create.

  4. After the project is created, in the toolbar, click Google Cloud Platform and make sure that the right project is selected in the drop-down list at the top.

  5. Under APIs click Go to APIs overview.

  6. Under API, disable all the listed APIs.

  7. Click on Library and enable the following APIs (use the search line if the API is not listed in the Popular APIs list):

    • Admin SDK

    • Audit API

    • Google Drive API

    • Google Apps Marketplace SDK

    • Gmail API

    Note: Ignore the Credentials warning for now.

  8. You should have 5 Enabled APIs:

  9. Click Credentials and then select the OAuth consent screen tab.

    • In Product name shown to users, type Microsoft Cloud App Security.

    • All other fields are optional.

    • Click Save.

  10. In the Credentials tab, click the arrow next to Create credentials.

  11. Select Service account key.

  12. Under Create service account key, choose New service account, and type any name, for example Service account 1. Under Role, choose Project and then Editor. Under Key type, choose P12 and click Create. A P12 certificate file is saved to your computer.

  13. Copy the Service account ID assigned to your service; you need it later.

  14. In the Credentials screen, click Manage service accounts on the far right.

  15. Click the three dots to the right of the service account you created and select Edit.

  16. Select the Enable G Suite Domain-wide Delegation check box and click Save.

  17. Open the Google menu by clicking the three horizontal lines next to Google Cloud Platform in the title bar. Click Google Cloud Platform and then click the APIs and services tab in the left menu.

  18. In the Dashboard that opens, scroll down to the list of enabled APIs and click on Google Drive API.

  19. Click on the Drive UI Integration tab and fill in the following information:

    • Application Name: Microsoft Cloud App Security.

    • Short Description & Long Description (optional): Microsoft Cloud App Security provides you with visibility into cloud applications, helping you control, investigate, and govern cloud application use; secure corporate data; and detect suspicious activities for any cloud application.

    • Google requires you to upload at least one application Icon. Go to https://us.portal.cloudappsecurity.com/cas/static/files/MSLogos.zip to download a zip file containing Cloud App Security icons. Then, under Application icon drag and drop the 128x128 and 32x32 images.

    • Scroll down and in the Drive Integration section, type the following URL under Open URL:

      https://portal.cloudappsecurity.com/#/services/11770?tab=files

  20. Go back to the Enabled APIs list. Click Google Apps Marketplace SDK.

  21. Select the Configuration tab.

  22. Go to admin.google.com and then choose Security.

  23. Choose API reference.

  24. Select Enable API Access and click Save changes.
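
Steps 6 to 8 leave the project with exactly five enabled APIs, and anything extra widens what the Editor-role service account key can reach. The following check is an added example, not part of the original instructions or of Cloud App Security: it compares an exported list of enabled APIs with the five names from step 7. The export shape (a JSON array of objects with a `title` field), the function names and the sample data are assumptions made for illustration.

```python
import json

# The five APIs enabled in step 7, named as they appear on this page.
EXPECTED_APIS = {
    "Admin SDK",
    "Audit API",
    "Google Drive API",
    "Google Apps Marketplace SDK",
    "Gmail API",
}


def _norm(title):
    """Case- and whitespace-insensitive key for comparing API titles."""
    return " ".join(title.split()).casefold()


def audit_enabled_apis(export_json):
    """Compare an exported enabled-API list with the expected five.

    Assumed input (hypothetical export, not a documented format):
    a JSON array of objects, each carrying a "title" string.
    Returns (missing, unexpected) as sorted lists of titles.
    """
    enabled = {}
    for entry in json.loads(export_json):
        title = entry.get("title", "")
        if title.strip():
            enabled[_norm(title)] = " ".join(title.split())
    expected = {_norm(t): t for t in EXPECTED_APIS}
    missing = sorted(expected[k] for k in expected.keys() - enabled.keys())
    unexpected = sorted(enabled[k] for k in enabled.keys() - expected.keys())
    return missing, unexpected


# Constructed sample: one required API absent, one leftover API still enabled.
SAMPLE_EXPORT = json.dumps([
    {"title": "Admin SDK"},
    {"title": "audit api"},
    {"title": "Google Drive API"},
    {"title": "Gmail  API"},
    {"title": "BigQuery API"},
])

if __name__ == "__main__":
    missing, unexpected = audit_enabled_apis(SAMPLE_EXPORT)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An empty result for both lists matches the state described in step 8; a non-empty `unexpected` list points at APIs that step 6 should have disabled.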

Configure Cloud App Security

  1. In the Cloud App Security portal, click Investigate and then Connected apps.

  2. In the Connected apps page, click the plus sign and select G Suite.

  3. In the pop-up, fill in the following information:

    1. Service Account email address that you copied in step 16.

    2. Project number (App ID) that you copied in step 21.

    3. Upload the Certificate P12 that you saved in step 12. You need the password you saved to do this.

    4. Enter the email address of one G Suite admin account.

    5. If you have a G Suite unlimited account, check this check box. For information about which features are available in Cloud App Security for G Suite unlimited, see Enable instant visibility, protection, and governance actions for your apps.

    6. Click Save settings.

    7. Follow the link to connect to G Suite. This opens G Suite and you are asked to authorize access for Cloud App Security.

    8. Make sure the connection succeeded by clicking Test now.

      Testing may take a couple of minutes.

      After receiving a success notice, click Done and close the G Suite page.

After connecting G Suite, you will receive events for 60 days prior to connection.

After connecting G Suite, Cloud App Security performs a full scan. Depending on how many files and users you have, completing the full scan can take a while. To enable near real-time scanning, files on which activity is detected are moved to the beginning of the scan queue. For example, a file that is edited, updated, or shared is scanned right away. This does not apply to files that are not inherently modified. For example, files that are viewed, previewed, printed, or exported are scanned during the regular scan.

See Also

Control cloud apps with policies
For technical support, visit the Cloud App Security assisted support page.
Premier customers can also choose Cloud App Security directly from the Premier Portal.