What Vectis reads from Google Workspace
- User lifecycle hygiene — suspended, archived, and never/stale-signed-in accounts.
- 2-Step Verification posture — enrolled vs enforced per active user, rolled up to a coverage % and the list of users without a second factor.
- Privileged-account inventory — super-admins and delegated admins, flagging any without 2-Step Verification.
- License waste — suspended/archived or dormant licensed users, in seats and (when a Google subscription cost is on file, e.g. via Pax8) in dollars.
- Sign-in security (optional) — a 7-day roll-up of failed and suspicious logins, if you authorize the reports scope.
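The 2-Step Verification and privileged-account roll-ups listed above can be derived from Directory API user records. The sketch below is an added example, not Vectis's code: the function name `two_sv_posture` is hypothetical, the field names are those of the Admin SDK Directory API `users` resource, a missing 2SV flag is assumed to mean "not enrolled", and the records are constructed.

```python
# Added illustration, not Vectis code. Field names follow the Admin SDK
# Directory API "users" resource; SAMPLE_USERS is constructed data.

def is_active(user):
    """Active means neither suspended nor archived."""
    return not user.get("suspended", False) and not user.get("archived", False)

def enrolled(user):
    # Assumption: a missing flag is treated as "no second factor" (fail closed).
    return bool(user.get("isEnrolledIn2Sv", False))

def two_sv_posture(users):
    """Roll per-user 2SV flags up to coverage %, gaps, and admin gaps."""
    active = [u for u in users if is_active(u)]
    covered = [u for u in active if enrolled(u)]
    # Enforcement is policy, enrollment is the user's state: report both.
    enforced = [u for u in active if u.get("isEnforcedIn2Sv", False)]
    admins = [u for u in active
              if u.get("isAdmin", False) or u.get("isDelegatedAdmin", False)]
    # An empty tenant reports 0.0 rather than dividing by zero.
    pct = round(100.0 * len(covered) / len(active), 1) if active else 0.0
    return {
        "active_users": len(active),
        "coverage_pct": pct,
        "enforced": len(enforced),
        "without_2sv": sorted(u["primaryEmail"] for u in active if not enrolled(u)),
        "admins_without_2sv": sorted(u["primaryEmail"] for u in admins
                                     if not enrolled(u)),
    }

SAMPLE_USERS = [  # constructed records
    {"primaryEmail": "alice@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dave@example.com", "suspended": True,
     "isEnrolledIn2Sv": False},
    {"primaryEmail": "erin@example.com", "archived": True,
     "isEnrolledIn2Sv": False},
    {"primaryEmail": "frank@example.com"},  # flags absent from the record
]

if __name__ == "__main__":
    for key, value in two_sv_posture(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Suspended and archived accounts are excluded from the denominator, so a tenant with many dormant accounts does not look worse (or better) than its active population really is.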
How it works (Domain-Wide Delegation)
Vectis uses one Google service account. Each customer’s super-admin authorizes that service account’s client ID for a fixed set of read-only scopes, one time, in their own Admin console. Vectis then reads posture by impersonating a super-admin you nominate — there’s no token that expires, so the connection keeps working until the customer removes the authorization. This is the same mechanism Workspace backup and security tools use to onboard.
What you'll need
- Super-admin access to the customer’s Google Workspace tenant (to authorize the service account and to be the account Vectis reads as).
- The service account client ID + the scope list — Vectis shows both, with copy buttons, in the Connect dialog (Step 2 below).
1. Authorize Vectis in the customer's Admin console
- Open the customer’s Google Admin console → Security → Access and data control → API controls → Domain-wide delegation (you must be signed in as a super-admin of that tenant).
- Click Add new.
- In Client ID, paste Vectis’s service-account client ID (copy it from the Vectis Connect dialog — see Step 2).
- In OAuth scopes, paste the comma-separated scope list from the same dialog:
  - .../auth/admin.directory.user.readonly — users, 2-Step Verification, and admin inventory
  - .../auth/apps.licensing — license assignment + waste
  - .../auth/admin.reports.audit.readonly — sign-in security (optional)
- Click Authorize.
2. Register the tenant in Vectis
- Open the customer’s hub → Integrations, or the Google Workspace page, and click Connect. (This dialog shows the client ID + scopes you need for Step 1, with copy buttons.)
- Enter the tenant’s primary domain and a super-admin email for Vectis to read as.
- Click Verify & connect. Vectis confirms the delegation is in place, resolves the tenant, and starts syncing. If the Admin-console step isn’t done yet, you’ll get a clear error telling you to complete it.
Vectis pre-fills the customer this tenant belongs to by matching the org name and primary domain; adjust it from the connected-tenant row if the guess is wrong.
What appears where
- Customer hub → Integrations: the Google Workspace panel with 2-Step Verification, privileged admins, license waste, and sign-in security cards.
- Google Workspace page (sidebar → Operate): a book-wide roll-up — 2SV coverage, admins without 2SV, reclaimable seats/$, and suspicious sign-ins across every connected tenant. This nav item only appears once at least one Google tenant is connected.
Why some Microsoft 365 features aren't here
Google’s Admin SDK doesn’t expose a Secure Score, a Conditional Access policy model, or the same MFA telemetry Microsoft Graph does. Rather than fake those surfaces, Vectis scopes the Google connector to what the Admin SDK genuinely backs — so every number on a Google card is real. The cost figure is labeled seat-only until a Google subscription price is on file to dollarize it.