You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app.
Automated user provisioning operates only on active, suspended, or deleted users. It doesn't include archived users.
Before you begin
Set up automated user provisioning
Get access token for app- Go to the Federated Directory sign-in page and sign with your Federated Directory administrator account.
- Go to Directories and select the directory you want to connect to Google Workspace.
- Go to Keys.
- Enter a name for the access key and click Create key to add a directory key.
- Copy and save the Access token.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Federated Directory.
- For Autoprovisioning, click Configure autoprovisioning.
- For Access token, paste the access token that you copied from Federated Directory.
-
Click Continue.
-
For App attributes, verify that all mandatory attributes—those marked with an asterisk (*)—are mapped to Google directory attributes. If not, click the Down arrow and map them to the appropriate attribute.
-
Click Continue.
- (Optional) To limit autoprovisioning to specific groups of users:
- For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
- Add any additional groups.
- (Optional) To remove a group, click Remove .
If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.
- Click Continue.
- Decide how long users have access to the app after the app is turned off for them or their Google Workspace account is suspended or deleted. You can decide to suspend and then hard delete their account in Federated Directory. Or, just suspend or hard delete them. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days.
- Choose options for each of these settings, as needed:
- When an app is turned off for a user
- When a user is suspended from Google
- When a user is deleted from Google
If you suspend the user account in Federated Directory, it’s marked as deactivated. If you hard delete the user account in Federated Directory, the account is removed from the workspace. Always set more time before hard deleting a user's account.
- Click Finish.
- Choose options for each of these settings, as needed:
- Turn on Autoprovisioning.
- Click Turn on to confirm.
Edit provisioning information
Expand section | Collapse all & go to top
Edit user groups subject to autoprovisioningIf you turned on the app for certain organizational units, only users in the added groups who are also members of those organizational units are subject to autoprovisioning.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Federated Directory.
- Click Autoprovisioning.
- For Provisioning scope, click Edit.
-
For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
-
Add any additional groups.
-
(Optional) To remove a group, click Remove .
If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.
-
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
-
Click Federated Directory.
-
Click Autoprovisioning.
-
For Deprovisioning, click Edit.
- Decide how long users have access to the app after the app is turned off for them or their Google Workspace account is suspended or deleted. You can decide to suspend and then hard delete their account in Federated Directory. Or, just suspend or hard delete them. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days.
Choose options for each of these settings, as needed:- When an app is turned off for a user
- When a user is suspended from Google
- When a user is deleted from Google
If you suspend the user account in Federated Directory, it’s marked as deactivated. If you hard delete the user account in Federated Directory, the account is removed from the workspace. Always set more time before hard deleting a user's account.
- Click Update.
Turn off autoprovisioning & delete configuration information
Expand section | Collapse all & go to top
You can turn off autoprovisioning for the app without losing configuration information. Or, you can turn off autoprovisioning and remove all configuration information.
You must be signed in as a super administrator for this task.
To turn off autoprovisioning for the app and keep the configuration information:
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
-
Click Federated Directory.
-
Choose an option:
- Turn off Autoprovisioning.
- Click AutoprovisioningStatusTurn off.
-
Click Turn off to confirm.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
-
Click Federated Directory.
-
Click Autoprovisioning.
-
For Delete configuration, click Delete.
-
Click Delete to turn off autoprovisioning and remove all the configuration information.
Existing users will not be removed from Federated Directory and can still use the app.
Review usage information
- After you turn on autoprovisioning, you can review usage information. For details, go to Monitor automated user provisioning.
- You can review the following usage information for the last 30 days:
Admin log event | Description |
---|---|
Create User By Auto Provisioning | Users created by autoprovisioning |
Update Auto Provisioned User | Users updated by autoprovisioning |
Suspend Auto Provisioned User | Users suspended by autoprovisioning |
Unsuspend Auto Provisioned User | Users reactivated by autoprovisioning |
Hard Delete Auto Provisioned User | Users deleted by autoprovisioning |
Failures | Failed requests |
If autoprovisioning stops working…
Sometimes, due to account inactivity or if the admin password for Federated Directory changes, autoprovisioning stops working. To continue syncing user accounts in Google Workspace to the app, you need to reauthorize autoprovisioning.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
-
Click Federated Directory.
-
Click Autoprovisioning.
-
For App authorization, click Reauthorize.
-
For Access token, enter the Access token from Federated Directory.
If you need to generate another token, follow the steps in Get access token for app (earlier on this page). -
Click Re-authorize.
For details on other reasons why autoprovisioning might stop working, refer to the app’s documentation.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.