✅ Feature availability: This integration is now available for Vanta Government customers.
Overview
If your team uses Google Workspace to manage employee accounts, this integration brings that identity data into Vanta automatically. Vanta reads your user directory, group memberships, admin role assignments, and third-party OAuth apps directly from Google Workspace — so your team keeps working in Google Workspace while Vanta handles evidence collection and compliance monitoring.
New to this integration? Start with the Google Workspace: Quickstart!
What you can do with this integration:
Automatically verify that terminated employees have had their Google Workspace accounts deactivated.
⚠️ Note: For this check to pass, the account must be suspended in Google Workspace with an explicit suspension reason recorded, or deleted entirely. Accounts suspended by an automated system process without a recorded reason are treated as active in Vanta.
Track whether users have enrolled in 2-Step Verification (MFA).
Confirm all Google Workspace accounts are linked to Vanta user records.
Surface users and groups in access review workflows.
Request and manage access to Google Workspace entitlements through Vanta's Access Requests workflow.
Discover third-party apps authorized by users in your domain, without manual vendor inventories.
Connection details
Detail | Value |
Connection type | OAuth 2.0 — Vanta connects using a Google OAuth app. |
Access level | Read-only. The user security permission is technically classified as a write-level scope by Google's API system, but Vanta uses it exclusively to read OAuth token data. No changes are made to your directory or user accounts. |
Who should connect | A Google Workspace super administrator. Use a stable, monitored admin account rather than a personal employee account. The integration must be reconnected if the connecting account loses super admin access. For instructions on creating a dedicated service account with the minimum required permissions, see Creating a Service Account for the Google Workspace Integration. |
Multiple Google Workspace organizations | Each Google Workspace domain is a separate connection in Vanta. Repeat the setup for each domain you want to monitor. |
Estimated setup time | Under 10 minutes |
What Vanta collects and why
This section covers the data Vanta reads from Google Workspace and why each field is collected. For details on how this data is used in specific Vanta workflows, see Use Cases and capabilities.
Scope — What Vanta monitors
By default, Vanta reads from all active, non-archived user accounts in your Google Workspace domain, along with all groups and their memberships.
ℹ️ Note: If group-based scoping is enabled, Vanta only monitors users who are members of the designated Google Workspace group. Only one group can be designated. Users outside that group will not appear in Vanta. See Configure group-based scoping for setup instructions.
Users
Data point | What Vanta collects | Why it's collected |
Email address | Primary account email | Identifies the user across Vanta workflows and enables personnel record matching |
Display name, first name, last name | Full name fields | Populates the personnel directory in Vanta |
Admin status | Whether the account has super admin privileges | Surfaces privileged accounts for access reviews |
MFA enrollment status | Whether 2-Step Verification is enabled on the account | Powers the MFA compliance test |
Account status | Active or suspended | Determines whether the user appears as active or deactivated in Vanta |
Suspension reason | The recorded reason for account suspension, if any | Used to distinguish intentional deprovisioning from temporary system suspensions |
Last login time | Most recent login timestamp | Surfaces in access reviews and account activity checks |
Account creation time | When the account was created | Populates personnel records |
Job title | Title from the user's primary organization record | Populates personnel profiles in Vanta |
Group memberships | List of Google groups the user belongs to | Used in access reviews and group-based scoping |
Admin roles | Role names assigned to the user | Surfaces privileged access on user records and in Access Requests |
Profile photo | User's Google profile photo | Displays in Vanta personnel profiles |
ℹ️ Note:
Users who have never logged in will show no last login date. Google does not record a login timestamp for accounts that have never been accessed.
Archived Google Workspace accounts are excluded from sync.
Groups
Data point | What Vanta collects | Why it's collected |
Group name | Display name of the group | Identifies the group in Vanta workflows |
Group ID | Unique internal identifier | Used for deduplication and scoping configuration |
Member list | User IDs of all group members | Populates group membership on user records and powers scoping |
Admin roles
Data point | What Vanta collects | Why it's collected |
Role names | Names of admin roles assigned to each user | Surfaces privileged access on user records and makes roles available in Access Requests |
Third-party applications (vendor discovery)
Data point | What Vanta collects | Why it's collected |
App name | Display name of the third-party application | Identifies the vendor in Vanta's vendor management section |
OAuth client ID | Unique identifier for the authorized app | Deduplicates apps authorized by multiple users |
Permission scopes | The permissions the app was granted by users | Supports vendor risk assessment in Vanta |
Authorized users | List of users who have authorized the app | Maps vendors to users for review |
ℹ️ Note: Vendor discovery data is collected only from active (non-suspended) users. Requires the user security permission to be granted during OAuth setup.
What Vanta does not collect
Not collected | Notes |
Account passwords or credentials | Vanta never reads authentication credentials |
Email content or attachments | No Gmail, Google Drive, or Docs content is accessed |
Google Drive files or sharing settings | Drive data is not collected |
Calendar data | Not collected |
Apps authorized by suspended users | Vendor discovery is scoped to active users only |
Archived user accounts | Excluded from sync by design |
Personal Gmail accounts | Only Google Workspace organizational accounts are supported |
ℹ️ Note: Connecting Google Drive to Vanta for policy document storage is a separate integration from the Google Workspace integration covered in this guide. If your team stores policies in Google Drive and they are not appearing in Vanta, see the Google Drive Integration Guide.
Note on Shared Drives: The Google Drive integration syncs from Shared Drives named exactly vanta policies (for policy storage) and vanta documents (for evidence requests). The Google account used to authorize the integration must have write permission on those Shared Drives — read access or organizational membership alone is not sufficient. If policies are not appearing:
Confirm the Shared Drive is named exactly vanta policies or vanta documents (lowercase, no extra characters).
Confirm the connecting Google account has been added with write permission on the Shared Drive in Google Drive settings.
Reconnect the Google Drive integration in Vanta.
Prerequisites and readiness checklist
Complete all items in this checklist before starting setup.
Confirm you have a supported Google Workspace edition
Vanta's Google Workspace integration requires access to the Admin SDK Directory API, which is available on the following editions:
Google Workspace Business Starter, Standard, Plus
Google Workspace Enterprise (all tiers)
Google Workspace for Education
Google Workspace for Nonprofits
Personal Gmail accounts (@gmail.com) are not supported.
Why this matters: Google's Admin Directory API is not available on personal accounts. Only organizational domains managed through a Google Admin console expose the directory, group, and role data Vanta needs.
Confirm you are a Google Workspace super administrator
Only super administrators can authorize Vanta's OAuth application to read users, groups, and role data across the domain.
To confirm you are a super admin: log in to admin.google.com, go to Account > Admin roles, and confirm your account holds the Super Admin role. Limited admin roles (such as Groups Admin or User Management Admin) cannot authorize all permissions.
If you are not a super admin, ask a current super admin to complete the connection, or request a role elevation before retrying.
(if applicable) Confirm Vanta is trusted in your Google Workspace domain
If your Google Workspace domain has policies restricting which third-party applications can request OAuth access, Vanta's OAuth application must be marked as trusted before setup. If this is not done, the connection will fail with a 400: admin_policy_enforced error.
To check and configure:
In Google Admin, go to Security > Access and data control > API Controls: admin.google.com/ac/owl.
Click Manage third-party app access.
Select Configure new app > OAuth app name or Client ID.
Search for and add all three Vanta Client IDs:
690752614462-i765709385cocut1thvutg8aml4l0ss8
690752614462-g1vko8gp5d1b4c521e98gi3fufhs0lr4
690752614462-31jfcl6lc2i88eege2k464jcutq6rg8j
Search for and select all of the Client IDs and click SELECT.
Mark each as Trusted and click Configure.
Why this matters: Google Workspace domains with restricted OAuth policies will block Vanta's connection attempt even if the connecting account has full super admin privileges.
(Optional) Confirm the user security permission can be granted
If you want Vanta to discover third-party apps authorized by users in your domain, the connecting admin must approve the user security permission during OAuth consent. This is optional, but requested by default.
(Optional) Prepare your scoping group before connecting:
If you want Vanta to track only a subset of users (for example, to exclude contractors or service accounts), have the relevant Google Workspace group ready before connecting. See Configure group-based scoping for naming requirements.
For a full breakdown of what each permission enables and what happens if it's declined, see Permissions.
Readiness checklist - quick reference
You have a supported Google Workspace edition (Business, Enterprise, Education, or Nonprofits, not personal Gmail).
You are a Google Workspace super administrator.
You have Vanta admin access.
Your domain's OAuth access policies do not block third-party app connections or Vanta has been marked as Trusted using the steps above.
(Optional) User security permission can be approved for third-party app discovery.
(Optional) A scoping group exists and is populated if you want to limit which users Vanta monitors.
The account completing setup is stable and will retain super admin access long-term.
Setup guide
Here are the steps to connect.
Step 1: Open the Google Workspace integration in Vanta
In Vanta, go to Integrations and search for Google Workspace in the Available tab.
Click View details and then click Connect.
In the Authorize Vanta modal, click Connect Google Workspace.
Step 2: Authorize the connection
Vanta will redirect you to Google's OAuth consent screen.
Sign in with your Google Workspace super administrator account.
Step 3: Review and approve permissions
On the Google consent screen, review the permissions Vanta is requesting:
Permission | What it enables |
View all users in your directory | Required for user sync |
View all groups in your directory | Required for group sync; integration functions without it but group data will not appear |
View user OAuth token data | Required for third-party app discovery — optional, requested by default |
View admin roles and assignments | Optional – if approved, admin roles will appear on user records and be available in Access Requests. If declined, all other data continues to sync normally. |
Click Allow to grant the requested permissions and complete the OAuth flow.
⚠️ Note: If you do not approve the user security permission, third-party app discovery will not work and vendor data will not appear in Vanta. To add this permission later, you must reconnect the integration.
Step 4: Confirm the connection
After approving, you will be redirected back to Vanta.
Google Workspace should appear as Connected on the Integrations page.
(Optional) Configure group-based scoping
If you want Vanta to track only a subset of users in your domain, group-based scoping can be configured after connecting.
ℹ️ Note on when to use this feature: Group-based scoping is commonly used to limit Vanta's compliance monitoring to a specific population — for example, full-time employees only — and exclude contractors, vendors, or service accounts that should not be tracked for compliance purposes.
If you only need to exclude a small number of individual accounts rather than a group, you can do this without setting up group scoping: go to Personnel > People > Click on the user you want to exclude > Click the three dot button > Select Set as service account. Users marked as Service Accounts are excluded from compliance tests and will not appear as failing.
Step 1: Create a group in Google Workspace
In Google Workspace, go to Directory > Groups.
Click Create group.
Name the group following the required convention (see naming rules below).
Add the users you want Vanta to monitor as members.
Group naming rules:
The group name must begin with Vanta (capital V).
Use a space — not a hyphen — between "Vanta" and any additional words.
✅ Valid examples: Vanta, Vanta Full Time Employees, Vanta Contractors.
❌ Invalid examples: vanta, Vanta-Contractors, vanta employees.
Only groups beginning with "Vanta" (following this convention) will appear as selectable options in Vanta's scoping configuration.
Step 2: Enable scoping in Vanta
In Vanta, go to Integrations. Search for Google Workspace under the Connected tab.
Click Configure scope.
Confirm your scoping group is fully populated with the correct users.
Review your current compliance scope so you understand what will change.
Notify your compliance team before making changes during an active audit cycle.
Enable the toggle next to Control scope with GSuite.
In the modal Turn on IdP scoping with GSuite, select your group from the dropdown.
Click Publish changes.
ℹ️ Note: If you do not select a group from the dropdown, Vanta will default to looking for a group named exactly Vanta.
Once scoping is turned on:
Only users who are members of the designated group will be synced into Vanta.
Users outside the group will not appear in Vanta.
Scope updates take effect on the next hourly sync.
Vanta admin accounts are kept in scope by default, even if they are not members of the scoping group.
⚠️ Note: If the scoping group is empty or contains no valid users at the time of a sync, the integration will automatically disconnect. Ensure the group is populated before enabling this setting.
ℹ️ Note on nested and dynamic groups: Vanta reads direct members of the scoping group only. If your organization uses nested Google Groups (groups whose members are themselves other groups), members of those sub-groups will not automatically be included in scope — they must be direct members of the designated scoping group. This also applies to dynamically-managed groups: membership is evaluated at the time of each sync based on who is directly listed. If you rely on nested or dynamic group structures, audit the direct membership of your scoping group before enabling this setting.
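The pre-flight audit described above can be scripted against an export of your groups and users. The following is an added example, not Vanta's code: it models the naming, direct-membership and empty-group rules as this guide states them. It assumes member `type` values and the `suspended`/`archived` flags as named in Google's Admin SDK Directory API, treats a "valid" member as a non-suspended, non-archived direct user, and reads the naming rule conservatively; all sample data is constructed.

```python
# Constructed sample export: group email -> display name and direct members.
GROUPS = {
    "vanta-fte@example.com": {"name": "Vanta Full Time Employees", "members": [
        {"email": "alice@example.com", "type": "USER"},
        {"email": "dave@example.com", "type": "USER"},
        {"email": "eng@example.com", "type": "GROUP"},
    ]},
    "eng@example.com": {"name": "Engineering", "members": [
        {"email": "alice@example.com", "type": "USER"},
        {"email": "bob@example.com", "type": "USER"},
        {"email": "sre@example.com", "type": "GROUP"},
    ]},
    "sre@example.com": {"name": "SRE", "members": [
        {"email": "carol@example.com", "type": "USER"},
    ]},
    "vanta-contractors@example.com": {"name": "Vanta-Contractors", "members": []},
}
USERS = {
    "alice@example.com": {"suspended": False, "archived": False},
    "bob@example.com": {"suspended": False, "archived": False},
    "carol@example.com": {"suspended": False, "archived": False},
    "dave@example.com": {"suspended": False, "archived": True},
}


def valid_scoping_name(name):
    # Guide's rule: begins with "Vanta" (capital V), and a space, not a hyphen,
    # separates it from any additional words. Conservative reading (assumption).
    return name == "Vanta" or name.startswith("Vanta ")


def is_syncable(user):
    # Assumption: a "valid" member is an existing, active, non-archived account.
    return user is not None and not user["suspended"] and not user["archived"]


def nested_users(group_email, groups, seen=None):
    """All users reachable through a group, following nested groups once each."""
    seen = set() if seen is None else seen
    if group_email in seen or group_email not in groups:
        return set()
    seen.add(group_email)
    found = set()
    for member in groups[group_email]["members"]:
        if member["type"] == "USER":
            found.add(member["email"])
        elif member["type"] == "GROUP":
            found |= nested_users(member["email"], groups, seen)
    return found


def audit_scoping_group(group_email, groups, users):
    group = groups[group_email]
    direct = {m["email"] for m in group["members"] if m["type"] == "USER"}
    in_scope = {e for e in direct if is_syncable(users.get(e))}
    # Users who belong only via a sub-group: not read, per the direct-members rule.
    nested_only = set()
    for member in group["members"]:
        if member["type"] == "GROUP":
            nested_only |= nested_users(member["email"], groups)
    nested_only -= direct
    return {
        "name_ok": valid_scoping_name(group["name"]),
        "in_scope": sorted(in_scope),
        "nested_only": sorted(nested_only),
        # No valid direct members at sync time means the integration disconnects.
        "disconnect_risk": not in_scope,
    }


if __name__ == "__main__":
    for email in ("vanta-fte@example.com", "vanta-contractors@example.com"):
        print(email, audit_scoping_group(email, GROUPS, USERS))
```

Anyone listed under `nested_only` needs to be added as a direct member before scoping is enabled, or they will drop out of Vanta on the next sync.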
Using group-based scoping within Vanta Workspaces
If your organization uses Vanta Workspaces, you can create multiple Google Workspace groups (one per Workspace) to scope distinct sets of users per Workspace. This option is only available to organizations using Vanta Workspaces and is not available for standard single-workspace accounts. Review Getting Started with Vanta Workspaces for more information.
Verification and validation
After setup, confirm the following to verify the integration is connected and data is syncing correctly.
Note: allow up to one hour for initial sync before checking.
Integration is active — In Vanta, go to the Integrations page and confirm Google Workspace shows a Connected status with a recent sync timestamp. If the status shows Disconnected, confirm the connecting admin account is still active with super admin privileges in Google Workspace.
Users are syncing — Go to the People section in Vanta. Google Workspace users should appear and be linked to personnel records. If users are missing, check whether group-based scoping is configured and confirm the expected users are members of the designated Google Workspace group.
Compliance tests are populating — Go to Tests in Vanta. The MFA, deprovisioning, and account linking tests should show data. If tests show no data after the initial sync period, confirm the integration status and check for permission issues.
Groups are appearing — Google Workspace groups should be visible in access review workflows and on user records. If groups are missing, confirm the view groups permission was granted during OAuth setup.
Third-party apps are appearing — Go to Vendors in Vanta. Apps authorized by users in your domain should appear. If vendor data is absent, confirm the user security permission was approved during OAuth setup.
Admin roles are appearing on user records — If role sync was enabled, admin role names should be visible on user records in Vanta. If roles are missing, confirm the role management permission was granted and reconnect if necessary.
Use cases and capabilities
The Google Workspace integration powers five functional areas in Vanta: personnel management, automated compliance testing, access reviews, access requests, and third-party app discovery.
Quick reference
Resource / Capability | Supported | How it is used in Vanta |
Users | Yes | Personnel management, Access Reviews, Access Requests, Automated Tests |
Groups | Yes | Access Reviews, Access Requests, user scoping |
Roles / Entitlements | Yes (requires role management permission at setup) | Access Reviews, Access Requests, user records |
Last login | Yes | Access Reviews, account activity checks |
MFA enrollment status | Yes | Automated Tests |
Account suspension / deactivation status | Yes | Automated Tests, Personnel lifecycle |
Third-party app discovery | Yes (requires user security permission at setup) | Vendor management |
User profile photos | Yes | Personnel profiles in Vanta |
Personnel management and lifecycle
Vanta imports active users from your Google Workspace domain and links them to personnel records. After each sync, Vanta reconciles user data with your people directory, updates user statuses, and flags accounts that need attention.
What this powers in Vanta:
Personnel directory: Google Workspace users appear in the People section, linked to Vanta personnel records.
Lifecycle tracking: User status changes (active, suspended, terminated) are reflected in Vanta after each sync.
Account linking: New users detected in Google Workspace are automatically matched to existing personnel records where possible.
⚠️ Note: Offboarding requires action in both Google Workspace and Vanta: Suspending or deleting a user in Google Workspace updates their status in your Google directory, but does not automatically complete their offboarding in Vanta. After the next hourly sync picks up the account change, you must also offboard the user in Vanta (People > [user] > Select the checkbox next to their name > Offboard). The Offboard button appears on a user’s profile in Vanta once the sync detects that their Google Workspace account has been suspended or deleted. If the button is not visible, the sync has not yet picked up the account change. Wait for the next hourly sync and check again. Until both steps are complete, the user will remain in your compliance scope and continue to appear in compliance tests.
Connecting Google Workspace alongside another identity provider (e.g., Okta, OneLogin)
If you connect Google Workspace in addition to another IDP, the same person may appear as two separate records in Vanta — one from each integration. To prevent or resolve this:
Set IDP precedence: Go to the Integrations page, find any connected IDP, click Manage, and select Change IdP precedence. This determines which identity provider controls user state for people who appear in both.
Control which IDPs populate the People page: Each connected IDP has a populate the People page toggle when you click on the Configure scope button. If only one IDP should be creating personnel records, disable this setting on the other.
If duplicates already exist: Contact Vanta Support for help resolving duplicate records.
Scope notes:
Only active, non-archived accounts are synced.
If group-based scoping is enabled, only users in the designated group are tracked.
Automated compliance tests
Google Workspace data powers the following automated tests in Vanta:
Google Workspace accounts deprovisioned when personnel leave: This checks that terminated employees have deactivated Google Workspace accounts.
MFA on Google Workspace: This verifies whether users have enrolled in 2-Step Verification. It passes when all in-scope users have MFA enabled on their individual accounts.
Google Workspace accounts associated with users: This checks that all synced Google Workspace accounts are linked to a Vanta user record. Flags accounts without an identified owner.
Scope notes:
Test results update after each hourly sync, not in real time.
For guidance on resolving the MFA test, including how to enforce 2-Step Verification in Google Admin, see Resolve 'MFA on Google Workspace' Test.
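To find accounts that would fail the deprovisioning and MFA tests before the next sync, you can run the same rules over a directory export. This is an added example, not Vanta's code: it applies the rule stated in this guide (deleted, or suspended with a recorded reason, counts as deactivated) and assumes the field names `suspended`, `suspensionReason`, `archived` and `isEnrolledIn2Sv` from Google's Admin SDK Directory API; the directory and termination list are constructed.

```python
# Constructed directory export keyed by primary email.
DIRECTORY = {
    "erin@example.com": {"suspended": True, "suspensionReason": "ADMIN",
                         "archived": False, "isEnrolledIn2Sv": True},
    "frank@example.com": {"suspended": True, "suspensionReason": "",
                          "archived": False, "isEnrolledIn2Sv": False},
    "grace@example.com": {"suspended": False, "archived": False,
                          "isEnrolledIn2Sv": True},
    "heidi@example.com": {"suspended": False, "archived": False,
                          "isEnrolledIn2Sv": False},
}
# Constructed list of departed personnel; ivan's account was deleted entirely.
TERMINATED = ["erin@example.com", "frank@example.com",
              "grace@example.com", "ivan@example.com"]


def account_state(user):
    """Classify an account the way this guide says it is treated."""
    if user is None:
        return "deactivated"  # deleted entirely
    if user.get("suspended") and user.get("suspensionReason"):
        return "deactivated"  # suspended with an explicit reason
    return "active"  # includes suspensions with no recorded reason


def deprovisioning_findings(terminated, directory):
    """Return {email: problem} for departed users whose account still counts as active."""
    findings = {}
    for email in terminated:
        user = directory.get(email)
        if account_state(user) == "deactivated":
            continue
        if user.get("suspended"):
            findings[email] = "suspended without a recorded reason"
        else:
            findings[email] = "account still active"
    return findings


def mfa_gaps(directory):
    """Accounts treated as active, not archived, and not enrolled in 2-Step Verification.

    Assumption: these are the accounts the MFA test evaluates.
    """
    return sorted(
        email for email, user in directory.items()
        if account_state(user) == "active"
        and not user.get("archived")
        and not user.get("isEnrolledIn2Sv")
    )


if __name__ == "__main__":
    print(deprovisioning_findings(TERMINATED, DIRECTORY))
    print(mfa_gaps(DIRECTORY))
```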
Access reviews
Google Workspace users and groups appear in Vanta's access review workflows.
What this powers in Vanta:
User access reviews: All synced Google Workspace accounts appear for review, so your team can confirm who has access and flag accounts that need cleanup or reassignment
Group-level visibility: Group memberships are surfaced alongside individual user records
Scope notes:
Access reviews reflect the most recently synced data, not real-time directory state.
If group-based scoping is configured, only users within the scoping group appear.
⚠️ Note: Google Workspace exposes group membership, admin status, and (when enabled) admin console role assignments — but not granular app-level entitlements. If per-application permission data is needed, a supplemental HRIS or IDP integration may provide it.
Access requests
Google Workspace users, groups, and admin roles are available in Vanta's Access Requests workflow.
What this powers in Vanta:
Entitlement requests: Users can request access to specific Google Workspace groups or admin roles through Vanta.
Approver context: Approvers can see what access is being requested and what it grants before approving.
Access tracking: Admins can track provisioning requests and maintain a record of access grants.
Scope notes:
Role data in Access Requests requires the role management permission to have been granted during OAuth setup.
For more information on Access Requests, see Managing Access Requests in Vanta.
Third-party app discovery
Vanta reads the OAuth tokens authorized by users in your domain to identify third-party applications connected to your Google Workspace environment.
How discovery works:
Vanta detects apps that individual users in your domain have authorized via OAuth — these are applications that a user has granted permission to access their Google account data (e.g., "Sign in with Google" or granting a third-party tool access to calendar or drive data). These user-consented OAuth apps appear automatically on the Discovery tab in Vanta without requiring manual vendor inventories.
What Vanta does not detect:
Admin-installed apps that do not use user-level OAuth tokens (e.g., Google Marketplace apps installed domain-wide by an admin without per-user consent)
Apps authorized by suspended users — suspended user tokens are excluded by design
What this powers in Vanta:
Vendor discovery: Third-party apps appear in Vanta's vendor management section without requiring manual vendor inventories.
App-to-user mapping: Each app record shows which users in your domain have authorized it.
Investigating a flagged app:
To see more detail about an app that Vanta has discovered, go to Google Admin > Security > Access and data control > API Controls > App Access Control. There you can see which users have authorized the app, what scopes were granted, and whether the app is trusted, limited, or blocked in your domain.
Removing an app from Discovery:
To dismiss an app from the Discovery tab in Vanta, locate it on the Discovery tab and dismiss it. This removes the app from Vanta's Discovery view only — it does not revoke the app's OAuth access in Google Workspace. To revoke access, you must do so separately in Google Admin.
Scope notes:
Discovery is scoped to active (non-suspended) users only.
Requires the user security permission to be approved during OAuth setup.
If the permission is missing, no vendor data will appear in Vanta.
Limitations and edge cases
The following are known constraints of Vanta's Google Workspace integration.
Limitation | Detail | Workaround |
Group-based scoping supports only one group | Only one Google Workspace group can be designated for user scoping. Users outside that group will not be synced. | Ensure all relevant users are members of the single scoping group. |
Empty scoping group triggers auto-disconnect | If scoping is enabled and the designated group has no valid members at sync time, the integration disconnects automatically. | Ensure the scoping group is populated before enabling scoping. |
Scoping group names must follow the "Vanta" naming convention | Only groups whose names begin with "Vanta" (capital V, space — not hyphen — before additional words) appear as selectable options in Vanta's scoping configuration. | Follow the naming convention when creating or renaming your scoping group. See Configure group-based scoping for details. |
Temporary Google suspensions are not treated as deactivations | A user suspended by a Google system process without a recorded suspension reason appears as active in Vanta. | Ensure your offboarding process suspends accounts with an explicit reason, or deletes the account entirely. |
MFA detection does not work when users authenticate through an external SAML provider | If users access Google Workspace through a separate identity provider such as Okta, Vanta cannot detect whether MFA is enforced at the SAML layer. Affected users may fail the MFA test even if MFA is enforced elsewhere. | Enforce MFA directly in Google Workspace, or note this limitation when reviewing test results. For guidance on resolving the MFA test, see Resolve 'MFA on Google Workspace' Test. |
Role sync requires re-authentication if not granted at setup | If the role management permission was not approved during initial OAuth setup, admin roles will not appear on user records or in Access Requests. Re-connecting is required to add the permission. | Reconnect the integration in Vanta and approve the role management permission on the Google consent screen. |
Sync is not real-time | Changes in Google Workspace are reflected in Vanta after the next scheduled sync, not immediately. Syncs run hourly. | Wait for the next hourly sync cycle. |
Vanta cannot deprovision users in Google Workspace | Vanta does not suspend or delete Google accounts. Offboarding must be completed directly in Google Workspace. | Follow your standard offboarding process in Google Workspace. |
Third-party app discovery is scoped to active users only | Apps authorized by suspended users are not included in vendor discovery results. | No workaround — suspended user tokens are excluded by design. |
Vanta platform admin accounts may bypass group scoping | By default, users who are Vanta platform admins are kept in scope regardless of Google Workspace group membership. | No action needed — this is intentional to prevent Vanta admin accounts from being accidentally excluded from compliance coverage. |
SCIM-based provisioning is a separate configuration | This integration uses API-based polling, not SCIM. For SCIM-based user provisioning from Google Workspace into Vanta, a separate setup is required. | See Connecting Vanta & Google Workspace (SCIM) for the SCIM provisioning setup. |
Group-based scoping reads direct members only | When a Google Workspace group is used for scoping, Vanta includes only users who are direct members of that group. Members of nested groups (groups whose members are themselves other groups) are not included unless they are also direct members of the top-level scoping group. Dynamically-managed groups follow the same rule — membership is evaluated at the time of each sync, and only direct membership counts. | Ensure all users who need to be in compliance scope are added as direct members of the designated scoping group, not just members of a sub-group. Audit direct membership before enabling scoping. |
Permissions
This section covers what access is required to connect Google Workspace to Vanta, what permissions Vanta requests, and what Vanta does with that access.
Vanta access requirements
Permission | Required for |
Vanta admin | Connecting, reconnecting, and managing the Google Workspace integration |
Google Workspace: connecting user requirements
Requirement | Required or optional | What happens without it |
Super administrator role in Google Workspace | Required | The OAuth flow cannot grant the required directory permissions. The connection will fail or return incomplete data. |
Google Workspace: what Vanta requests
Permission | Required or optional | What happens without it |
View users | Required | User data cannot be read. The integration will not sync. |
View groups | Required | Group data will not sync. Group membership, scoping features, and group-based Access Requests will not work. The integration does not disconnect — users continue to sync. |
User security / OAuth token data | Optional, requested by default (can be declined) | Third-party app discovery will not work. No vendor data will appear in Vanta. |
Role management (read-only) | Optional | Admin roles will not appear on user records or in Access Requests. All other data syncs normally. |
Write access
Vanta does not write to your Google Workspace directory under standard integration functionality. All data collection is read-only.
⚠️ Note on the user security permission: Google classifies this scope as a write-level permission in their API system. Vanta uses it exclusively to read the list of OAuth tokens authorized by users in your domain. Vanta does not modify user accounts, security settings, or OAuth authorizations.
Troubleshooting and FAQs
Common questions and issues you may encounter when setting up or using Vanta’s Google Workspace integration, along with recommended solutions.
Before contacting Support, collect the following to reduce resolution time:
The connecting user's Google Workspace account email and admin role
Your Google Workspace domain name
A screenshot of any error message shown in Vanta or during the Google consent flow
Connection and setup
Q: The connection failed after I approved the Google consent screen (no specific error shown)
Cause 1: The Google account used to connect is not a super administrator.
Log in to admin.google.com to confirm your admin role. If you cannot access the full admin console, your account may have a limited admin role.
Ask a current super admin to complete the connection, or request a role elevation before retrying.
Cause 2: Domain policies are blocking the connection but no error code was shown.
In Google Admin, go to Security > Access and data control > API Controls and confirm Vanta is marked as Trusted. See the admin_policy_enforced entry above for the full resolution steps.
Escalate if: The connecting account is a confirmed super admin, Vanta is trusted in Google Admin, and the failure persists after retrying.
Q: The integration disconnected unexpectedly
Cause: The connecting admin account was suspended, deactivated, or lost super admin privileges. Alternatively, the OAuth token was revoked.
Confirm the connecting account is still active with super admin status in Google Admin.
If the account was deactivated, reconnect using a different active super admin account.
To prevent recurrence: use a stable shared admin account rather than a personal employee account. See Creating a Service Account for the Google Workspace Integration for setup instructions.
Escalate if: The integration reconnects successfully but disconnects again within 24 hours.
Q: I made changes in Google Admin Console. Do I need to reconnect the integration?
A: If you have made any of the following changes in Google Workspace since the integration was first connected, reconnect the integration in Vanta to ensure the updated configuration is picked up:
Modified the admin role of the account used to connect the integration
Changed your domain's OAuth trust settings or app access policies (e.g., updated App Access Control)
Restructured org units or changed user permissions in ways that affect Vanta's directory access
Fix: In Vanta, complete the OAuth flow again with a current super admin account.
Escalate if: The reconnection fails, or the integration disconnects again within 24 hours of reconnecting.
Users and data
Q: Users are missing from Vanta after the initial sync
Step 1: Confirm whether group-based scoping is enabled in your Vanta integration settings.
Step 2: If scoping is enabled, confirm the missing users are members of the designated Google Workspace group.
Step 3: Confirm the missing users are not archived in Google Workspace — archived accounts are excluded from sync by design.
Step 4: Wait for the next hourly sync and check again.
Escalate if: Scoping is not enabled, users are active and not archived, and they are still missing after two full sync cycles.
Q: I don't see roles available when creating an access level in Vanta
Cause: The role management permission was not granted during OAuth setup.
Fix: Reconnect the integration in Vanta. On the Google consent screen, approve the role management permission when prompted.
Escalate if: The permission is confirmed as granted and role data is still absent after a full sync cycle.
Q: Third-party apps are not appearing in vendor management
Step 1: Confirm the user security permission was approved during OAuth setup. In Google Admin, go to Security > Access and data control > API Controls > App access control and confirm Vanta has the relevant permission.
Step 2: If the permission is missing, reconnect the integration in Vanta and approve the user security permission on the Google consent screen when prompted.
Escalate if: The permission is confirmed as granted and vendor data is still absent after a full sync cycle.
Q: A rehired employee is showing as terminated in Vanta even though they're active in Google Workspace.
Cause: When a previously offboarded employee is re-added or unsuspended in Google Workspace, the next sync will detect them as active, but their previous offboarding record in Vanta may still be in place.
Fix: Go to People > find the user > click on their name. In the side panel (drawer) that opens, click Reset offboarding. This resets the offboarding record to its initial state and deletes any completed offboarding checklist tasks. The user will then re-enter your compliance scope on the next sync, provided the Google Workspace account is active and in the correct scoped group.
Escalate if: The Reset offboarding button is not visible on the user's profile, or the user does not return to active status after resetting and waiting for a full sync cycle.
Q: Can I trigger a manual sync or force a refresh?
A: There is no user-facing button to manually trigger a Google Workspace sync. Syncs run automatically on an hourly schedule. Changes made in Google Workspace (new users, suspensions, group membership updates) will be reflected in Vanta after the next scheduled sync — typically within 1 hour.
Escalate if: The data has not updated after two full sync cycles (~2 hours).
Q: We have a 30-day deletion policy in Google Workspace. How should we handle offboarding in Vanta?
A: Many organizations suspend a departing employee's Google Workspace account on their last day, then automatically delete it after 30 days (to allow time for data transfer, legal holds, etc.). This works well with Vanta, but the order matters:
Day 0 (last day): Suspend the user in Google Workspace. Do not delete yet.
Next sync: Vanta detects the suspension and transitions the user to terminated status.
Complete offboarding in Vanta: Go to People > select the user > Offboarding tab > complete all offboarding tasks.
Day 30: Your automatic deletion policy runs as normal. Since offboarding is already complete in Vanta, this has no impact on your compliance posture.
⚠️ Note: If you skip the suspension and go straight to deletion at 30 days, the user disappears from the Google Workspace directory entirely. Vanta can no longer detect a status change, and the offboarding flow may become inaccessible. Always suspend immediately at offboarding — then delete on your normal schedule.
Compliance tests
Q: The MFA test is failing for users who have MFA enabled
Step 1: Confirm the affected users have 2-Step Verification actively enrolled on their individual Google accounts — not just enforced at the org policy level. Enforcement requires the user to log in and complete setup before it is active.
Step 2: If users authenticate through an external SAML provider such as Okta, Vanta cannot detect MFA enforced at the SAML layer. Only MFA enforced directly in Google Workspace is visible to this integration.
Step 3: Allow at least one full hourly sync cycle after enrollment before checking test results.
For step-by-step instructions on enforcing MFA in Google Admin and confirming it is active per user, see Resolve 'MFA on Google Workspace' Test.
Escalate if: Users have confirmed MFA enrollment directly in Google Workspace and the test is still failing after two full sync cycles.
Q: The deprovisioning test is failing for terminated employees
Cause: The employee's Google Workspace account was not suspended with an explicit suspension reason, or was not suspended at all.
⚠️ Do not hard-delete a user in Google Workspace before completing their offboarding in Vanta. If a user is deleted from Google Workspace before being offboarded in Vanta, their record will no longer appear in subsequent syncs — and you will not be able to complete the standard offboarding workflow in Vanta. If this has already occurred, contact Vanta Support.
Step 1: In Google Admin, check the terminated user's account status and confirm whether a suspension reason is recorded.
Step 2: Ensure your offboarding process suspends the user's account with an explicit reason, or deletes the account entirely. Temporary system suspensions without a recorded reason are treated as active in Vanta.
Recommended sequence:
Suspend the user's account in Google Workspace with an explicit suspension reason recorded.
Wait for the next hourly sync and confirm the user appears as deactivated in Vanta.
Complete offboarding in Vanta: People → [user] → Offboard. The Offboard button appears on a user's profile in Vanta once the sync detects that their Google Workspace account has been suspended or deleted. If the button is not visible, the sync has not yet picked up the account change — wait for the next hourly sync and check again.
Once Vanta shows the user as offboarded, you may delete the account from Google Workspace if needed.
Escalate if: The account is confirmed as suspended with an explicit reason and the test is still failing after a full hourly sync cycle.
Q: MFA status is not showing for some users
Cause: Users who have never logged in to their Google account will not have MFA status data. MFA status is only recorded after the user completes initial login and MFA setup.
Fix: Ask the affected users to log in and complete MFA enrollment. Status will reflect in Vanta on the next hourly sync.
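The pre-sync check below is an added example, not Vanta's code: it applies the suspension and 2-Step Verification rules from the compliance-test answers above to constructed records shaped like Admin SDK Directory API user resources. Treating a non-empty suspensionReason as the "explicit suspension reason", and an epoch lastLoginTime as "never logged in", are assumptions, as are the function names and the sample accounts.

```python
# Added example: local pre-check, not Vanta's evaluation logic.
# Records are constructed and shaped like Admin SDK Directory API user resources.
NEVER_LOGGED_IN = "1970-01-01T00:00:00.000Z"  # assumption: epoch means no login yet
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": True, "suspensionReason": "ADMIN",
     "lastLoginTime": "2024-05-01T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": True,  # no suspensionReason recorded
     "lastLoginTime": "2024-05-02T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isEnforcedIn2Sv": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2024-05-03T09:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "isEnforcedIn2Sv": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": NEVER_LOGGED_IN},
    {"primaryEmail": "erin@example.com", "isEnrolledIn2Sv": True,
     "lastLoginTime": "2024-05-04T09:00:00.000Z"},
    {"primaryEmail": "gina@example.com", "lastLoginTime": "2024-05-05T09:00:00.000Z"},
]
# Constructed HR termination list; frank@ no longer exists in the directory.
TERMINATED = {"alice@example.com", "bob@example.com", "frank@example.com", "gina@example.com"}

def deprovisioning_findings(users, terminated):
    """Classify each terminated employee's account against the deprovisioning rule."""
    by_email = {u["primaryEmail"]: u for u in users}
    out = {}
    for email in sorted(terminated):
        user = by_email.get(email)
        if user is None:
            out[email] = "pass: deleted"  # absent from the directory listing
        elif not user.get("suspended"):
            out[email] = "fail: still active"
        elif user.get("suspensionReason"):
            out[email] = "pass: suspended with reason"
        else:
            out[email] = "fail: suspended without reason"
    return out

def mfa_findings(users, terminated):
    """Classify active, in-scope accounts by individual 2-Step Verification enrollment."""
    out = {}
    for user in users:
        email = user["primaryEmail"]
        if email in terminated or user.get("suspended") or user.get("archived"):
            continue  # offboarding cases and archived accounts are handled elsewhere
        if user.get("isEnrolledIn2Sv"):
            out[email] = "pass: enrolled"
        elif user.get("lastLoginTime", NEVER_LOGGED_IN) == NEVER_LOGGED_IN:
            out[email] = "no data: never logged in"
        elif user.get("isEnforcedIn2Sv"):
            out[email] = "fail: enforced but not enrolled"
        else:
            out[email] = "fail: not enrolled"
    return out
```

A "pass: deleted" result reflects the directory state only; the recommended sequence above still applies, so complete offboarding in Vanta before deleting the account.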
Q: An offboarded user is still appearing as active in Access Reviews
Cause: Offboarding a user in Vanta removes them from your personnel scope, but does not automatically deactivate their associated monitored accounts (such as their Google Workspace account record). If these accounts are not manually marked as deactivated after offboarding, they will continue to surface in Access Review workflows as active accounts requiring review.
Fix: After offboarding a user in Vanta, navigate to their profile and locate any monitored accounts still showing as active. Mark each one as deactivated.
Escalate if: Monitored accounts are not visible on the user's profile after offboarding has been completed.
