Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The Google Workspace integration pulls user and security data from your Google Workspace account to provide continuous evidence for identity, access control, and admin activity controls. Evidence collected automatically:
  • User list with roles and last login dates
  • MFA (2-Step Verification) enrollment status per user
  • Admin role assignments and changes
  • Inactive users (no login in 90+ days)
  • Super admin activity log
  • Password policies (strength requirements, expiry)
  • External sharing settings for Google Drive
  • OAuth apps authorized by users

Prerequisites

  • Google Workspace Business Starter or higher (Admin Console access required)
  • Matproof Admin or Owner role
  • Google Workspace Super Administrator account to authorize the connection

Connecting Google Workspace

  1. Go to Settings → Integrations
  2. Click Connect next to Google Workspace
  3. Sign in with a Google Workspace Super Administrator account
  4. Review and grant the requested read-only permissions
  5. Select your domain and confirm
The initial sync runs immediately. Subsequent syncs run every 24 hours.
A Super Administrator account is required to authorize the integration — not a delegated admin. This is a Google restriction on directory API access. Once authorized, Matproof does not retain your admin credentials.

Permissions Requested

Matproof requests the following Google API scopes (all read-only):
ScopeWhat It’s Used For
admin.directory.user.readonlyList users, MFA status, last login
admin.directory.rolemanagement.readonlyAdmin role assignments
admin.reports.audit.readonlyAdmin activity logs
admin.reports.usage.readonlyUser activity and last login data

What Gets Mapped to Which Controls

Evidence CollectedControl Examples
MFA enrollment rateMFA controls (SOC 2 CC6.1, DORA Art. 9, NIS2 Measure 10)
Inactive user accountsAccess review / account lifecycle controls
Admin role assignmentsPrivileged access management controls
External sharing policyData protection controls (ISO 27001 A.5.14)
OAuth app authorizationsThird-party app access controls

Interpreting MFA Status

Matproof reports two MFA metrics:
  • Enforcement — whether your Google Workspace policy requires 2-Step Verification for all users
  • Enrollment — per-user status showing who has it enabled vs. who hasn’t
For most compliance frameworks, enforcement at the policy level is the primary evidence requirement. Per-user enrollment gaps should be remediated — Matproof lists non-enrolled users so you can follow up directly.
Go to Integrations → Google Workspace → Users and filter by “MFA: Not enrolled” to get a list of users to chase. Export as CSV to send to your IT team.

Inactive Users

Matproof flags users who have not logged in for 90+ days as an access control risk. These accounts should be reviewed and either:
  • Suspended (for employees on leave or contractors no longer active)
  • Deleted (for fully departed users)
  • Documented as service accounts with a justification
This evidence is mapped to your offboarding and access review controls.

Common Issues

”Authorization failed — insufficient permissions”

The Google account used to authorize must be a Super Administrator. Delegated admins with custom roles cannot grant the directory API access Matproof needs. Use a Super Admin account and try again.

”User count doesn’t match our actual headcount”

By default, Matproof includes suspended users in the count. Filter by Status: Active to see only active users.

”MFA enforcement shows as not configured”

Go to Google Admin Console → Security → 2-Step Verification and ensure “Allow users to turn on 2-Step Verification” is set to Enforce. Simply allowing it (not enforcing) will show as a gap.

Disconnecting

Go to Settings → Integrations → Google Workspace → Disconnect. Also revoke app access from your Google Admin Console under Security → API Controls → App Access Control.