Managed Security Awareness Initial Setup - Step 1

Updated Sep 15, 2023

Enroll users in your MA program with Google Workspace

You can enroll users in the MA program using Google Workspace®.

Requirements

Steps

  1. Create Google Workspace access credentials:

    1. Sign in as a super administrator to Google Cloud Console.
    2. Create a new project:
      1. Click Menu > IAM & Admin > Service Accounts.

      2. On the Service Accounts page, from the Organization list, select the name of your organization.

        Tip: The Organization list is next to the Google Cloud icon.

      3. Click Create Project.

      4. Under Project name, enter a unique name for the Google User Sync with MA.

        For example, enter Google User Sync with MA for Cipher’s Coffee Shop.

        Caution: The project name cannot be changed later.

      5. Click Create.

    3. Create a service account:
      1. On the Service accounts page, click + Create Service Account.
      2. Under Service account details, enter a unique account name in the Service account name field, for example Arctic Wolf MA User Sync.

        Note: Google Workspace automatically creates a Service account ID. Do not create your own or modify this field.

      3. (Optional) In the Service account description field, enter a description.
      4. Click Create And Continue.
      5. Under Grant this service account access to project, from the Role list, select Owner.
      6. Click Done.
    4. Add the Unique ID to the API access control:
      1. Click Displayed columns, select the Unique ID checkbox, and click Ok.
      2. Copy the Unique ID and save it in a secure location.
      3. In a new browser tab, sign in as a super administrator to Google Admin.
      4. Click Menu > Security > Access and data control > API controls.
      5. Under Domain wide delegation, click Manage Domain Wide Delegation.
      6. On the Domain Wide Delegation page, click Add new.
      7. In the Client ID field, paste the Unique ID value from the service account.
    5. Authorize the OAuth scopes:
      1. In the OAuth scopes (comma-delimited) field, copy and paste the following OAuth scopes:

        Tip: Ensure that there are commas separating each scope.

        https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly
      2. Click Authorize.
    6. Enable the API:
      1. Return to the tab signed in to Google Cloud Console.

        Tip: Verify that you are in the correct project.

      2. Click Menu > API & Services > Enabled APIs & services.
      3. On the APIs & Services page, click + Enable APIs And Services.
      4. On the API Library page, search for admin sdk api, and select Admin SDK API from the results.
      5. On the Admin SDK API page, under Manage Google Workspace account resources and audit usage., click Enable.
    7. Add the service account key:
      1. Click Menu > IAM & Admin > Service Accounts.
      2. On the Service Accounts page, from the Email column, click the email address for the Google Workspace MA integration.
      3. Click Keys.
      4. On the Keys tab, click Add Key.
      5. From the Add Key list, select Create new key.
      6. From the Key type list, select JSON.
      7. Click Create.

        Note: P12 keys are not supported for Google Workspace integration with MA.

      8. Review the Private key saved to your computer dialog, and then click Close.
      9. Verify your service account key JSON file is saved in a secure location on your machine.
    8. Edit the service account key:
      1. Open the saved service account key JSON file in your preferred text editor, for example Notepad++ or Visual Studio Code.
      2. Add the following content to lines 1-5 of your file, where <email> is the administrator email address and <customer_id> is the Customer ID for the account:

        Tip: You can find the administrator email address and Customer ID in the Google Admin portal under Menu > Account > Account settings.

           {
               "CustomerEmail": "<email>",
               "CustomerID": "<customer_id>",
               "serviceKeys":
               {
      3. Add an additional curly brace to the bottom of the file. The end of your file should resemble:
               }
           }
  2. Integrate your Google Workspace credentials with MA:

    1. In a new browser tab, sign in to the MA Portal.
    2. Click Settings > User Management.
    3. Under What would you like to do?, click Create a new integration.
    4. On the User Integration page, under Integration Type, select Google Workspace.
    5. In the Integration Nickname field, enter a nickname.
    6. Click Choose File to upload your Google Workspace access credentials JSON file, and then click Open.
    7. Click Test Connection, and then do one of these actions:
    8. In the Select a group list, select the AD group that you created for MA.
    9. Click Query Group.

      Note: Take note of the group name and the number of entries. The number of entries represents the total number of users. You can use this number later to make sure the intended users are active in the MA Portal.

    10. Click Save Integration.
    11. On the User Integration page, in the Saved Credentials section, click Sync Now. Active users are pushed to the MA Portal.
  3. Check that the intended users are active in the MA Portal:

    1. Click Administration Dashboard.
    2. Click the User Information tab.
    3. Make sure the number of entries at the bottom of the user table matches the total number of users you noted earlier.
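
Added example (not Arctic Wolf or Google code): a Python helper that performs the "Edit the service account key" step programmatically instead of by hand. It also checks that the key's client_id matches the Unique ID authorized for domain-wide delegation and writes the result with owner-only permissions. The function names, output filename, and sample values are assumptions constructed for illustration.

```python
import json
import os

# Fields of a Google service account JSON key that the checks below rely on.
REQUIRED = ("type", "private_key", "client_email", "client_id")


def wrap_key(key, admin_email, customer_id, expected_unique_id=None):
    """Nest the downloaded key under "serviceKeys" with the two added fields."""
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError("not a service account JSON key")
    # The key's client_id is the service account's Unique ID, so it should match
    # the value pasted into the Client ID field for domain-wide delegation.
    if expected_unique_id and key["client_id"] != expected_unique_id:
        raise ValueError("key belongs to a different service account")
    if "@" not in admin_email or not customer_id:
        raise ValueError("administrator email and Customer ID are both required")
    return {"CustomerEmail": admin_email, "CustomerID": customer_id, "serviceKeys": key}


def write_private(path, doc):
    """Write the credentials file readable by its owner only; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)


# Constructed sample standing in for the downloaded key; every value is fake.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY",
    "client_email": "ma-user-sync@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
}

if __name__ == "__main__":
    # Placeholder email, Customer ID and Unique ID; substitute your own values.
    doc = wrap_key(SAMPLE_KEY, "admin@example.com", "C0000000", "100000000000000000001")
    write_private("ma-google-credentials.json", doc)
    print(list(doc))
```

To use it on a real key, load the downloaded file with json.load and pass the resulting dictionary in place of SAMPLE_KEY.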

Next steps