Domain-wide delegation is a powerful feature that lets you grant client applications permission to access your Workspace users' data without requiring their consent. You can use domain-wide delegation in two ways:
- Authorize a service account to access data on behalf of a user. A service accountmight use the following types of apps:
-
Migration and sync tools that duplicate user content from another service to Google Workspace.
-
Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.
-
- Allow users to use OAuth client apps without seeing a consent screen. Users can access apps without being prompted for consent, and you can specify the user data that the apps can access.
You can also manage domain-wide installation and view API scopes for Google Workspace Marketplace apps. Learn about Marketplace apps data access and installation.
- Ensure you have super admin privileges for your Google Workspace account.
- Review the domain-wide delegation best practices and best practices for using service accounts.
- Verify the list of API scopes needed by the app or service account. Check that the app or service account has an appropriately small scope of access.
- (If delegating an OAuth app) Get the OAuth client ID from the app developer.
- (If delegating a service account) Get the client ID of the service account. If you’re the owner of the service account, you can find the ID as follows:
- Sign in to Google Cloud as a super administrator.
- Click IAM & AdminService accounts[name of your service account].
- Expand Advanced settings and copy the Client ID.
- With domain-wide delegation, the app has access to the data belonging to all of your users. We recommend setting up a regular review of service accounts and deleting any accounts no longer in use.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAccess and data controlAPI controlsManage Domain Wide Delegation.
You must be signed in as a super administrator for this task. -
Click Add new.
-
Enter the Client ID for either the service account or the OAuth2 client.
- In OAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
- Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.
Note: If Multi-party approval is enabled for your organization, authorizing domain-wide delegation for a client app requires approval from another super admin.
-
Point to the new client ID, click View details, and make sure that every scope is listed.
If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.
Changes can take up to 24 hours but typically happen more quickly. Learn more
As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also, delete clients you no longer need. For example, remove access for a migration tool after you complete your migration.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAccess and data controlAPI controlsManage Domain Wide Delegation.
You must be signed in as a super administrator for this task. -
Click a client name and then choose an option:
- View details—View the full client name and list of scopes
- Edit—Add or remove scopes. You can't edit the client ID. Changes can take up to 24 hours but typically happen more quickly. Learn more
- Delete—Applications that depend on the client authorization will immediately stop working.
Note: If Multi-party approval is enabled for your organization, editing scopes or deleting domain-wide delegation for a client app requires approval from another super admin.