SaaS Security - Activating Google Workspace (Gmail and Google Drive)


To activate Google Workspace, you must have these:

  • Administrator access to activate Google Workspace.
  • Additional Google Workspace license to integrate with Avanan. (Integration is not supported for clients on the free G-Suite license tiers.)
  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, you must create exclusion rules before activating Google Workspace. To configure them, see GCDS Exclusion Rules below.

By default, the Google Chrome browser authenticates the signed-in Chrome user in Google Workspace instead of a selected account. To see if you are signed in to Google Chrome, look for the user name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.
  • Sign out any signed-in Chrome user (switch to Guest) before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Avanan creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin console.

  • Go to Authentication Settings of the root organizational unit and check these settings.
    • The Allow users to turn on 2-Step Verification checkbox is selected.
    • If the Only security key option is selected, do not select the Don’t allow users to generate security codes option.


If the Authentication Settings are not supported, onboarding fails. To resolve this issue, do one of these.

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.
  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Activating Gmail

To activate Gmail:

  1. Navigate to Configuration > SaaS Applications.
  2. Click Start for Gmail.
  3. Enable the I Accept Terms Of Service checkbox.
  4. If you need to limit the license consumption and protection to a specific group of users:
    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.
    2. In the Gmail - Group Selection pop-up, select Specific group.
    3. Enter the group name you need to protect with Avanan.
      Note - The group name must have an associated email address.
    4. Click OK.
  5. Log in to the Google Workspace Marketplace using your Google administrator credentials.
  6. After successful authentication, you will be redirected to the Avanan Cloud Security app installation page.
    Click Admin Install.
  7. In the Admin install pop-up that opens, click Continue.
  8. Avanan Cloud Security app requests permission to access your data.
    Select Everyone at your organization, accept the terms of service, and click Finish.
  9. Click the Google-app icon in the Google Workspace Marketplace. Scroll down and select the Avanan Cloud Security app.
    If prompted, enter the Google administrator credentials. You are then redirected to the Avanan portal.
    Note - After installing the Avanan Cloud Security app, a new Super Admin account is created in your Google Admin console.
  10. Navigate to Configuration > SaaS Applications and click Start for Gmail.
    After successful authentication, Avanan starts scanning the users and emails from Gmail.

Note - After activating Gmail, Avanan performs a retroactive scan of its content. For more information, see Backward Scanning.

GCDS Exclusion Rules


Configuration Steps

  1. Go to Google Domain Configuration.
  2. Go to Exclusion Rules.
  3. Create Exclusion Rules, each with:
    • Type: Group Email Address
    • Match Type: Exact Match
    Note - The group email address should be in the groupname@[domain] format. For more details, see exclusion rules.
  4. As you create the Exclusion Rules, add one of the email addresses below to each rule (one email address per Exclusion Rule; four rules in total):
    • avanan_inline_policy@DOMAIN.COM
    • avanan_inline_rule@DOMAIN.COM
    • avanan_monitor_policy@DOMAIN.COM
    • avanan_monitor_rule@DOMAIN.COM
  5. Save and Sync for the changes to take effect.
  6. You may now authorize Gmail without the Google Groups getting deleted.
    • If you’ve already authorized and your Groups were deleted, then ask support to recreate the groups for you.
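
A pre-sync check for the four exclusion rules above, as an added example that is not Avanan's or Google's code. It takes a hand-made transcription of the GCDS Exclusion Rules screen (the dict layout, the function name and the `example.com` sample are assumptions) and reports which required group address is missing or has the wrong type or match type.

```python
# Added example: pre-sync check of GCDS exclusion rules (not vendor code).
REQUIRED_LOCAL_PARTS = (
    "avanan_inline_policy",
    "avanan_inline_rule",
    "avanan_monitor_policy",
    "avanan_monitor_rule",
)
REQUIRED_TYPE = "Group Email Address"
REQUIRED_MATCH = "Exact Match"


def check_exclusion_rules(domain, rules):
    """Return {address: status} for the four groups the page lists.

    `rules` is a list of dicts with keys "type", "match_type" and "rule":
    a hypothetical transcription of the rules, not a GCDS export format.
    """
    domain = domain.strip().lower()
    # Group rules by normalized address. Comparing addresses
    # case-insensitively is an assumption of this sketch.
    by_address = {}
    for rule in rules:
        by_address.setdefault(rule["rule"].strip().lower(), []).append(rule)

    report = {}
    for local in REQUIRED_LOCAL_PARTS:
        address = f"{local}@{domain}"
        found = by_address.get(address, [])
        if not found:
            report[address] = "missing"
        elif any(r["type"] == REQUIRED_TYPE and r["match_type"] == REQUIRED_MATCH
                 for r in found):
            report[address] = "ok"
        elif all(r["type"] != REQUIRED_TYPE for r in found):
            report[address] = "wrong type"
        else:
            report[address] = "wrong match type"
    return report


# Constructed sample: one correct rule, two misconfigured, one absent.
SAMPLE_RULES = [
    {"type": "Group Email Address", "match_type": "Exact Match", "rule": "avanan_inline_policy@example.com"},
    {"type": "Group Email Address", "match_type": "Substring Match", "rule": "avanan_inline_rule@example.com"},
    {"type": "User Email Address", "match_type": "Exact Match", "rule": "avanan_monitor_policy@example.com"},
]

if __name__ == "__main__":
    for addr, status in check_exclusion_rules("example.com", SAMPLE_RULES).items():
        print(f"{status:18} {addr}")
```

Any status other than `ok` means that group is not covered by an exclusion rule as described in step 3, so fix it before Save and Sync.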

For more information about Google Workspace footprint, see Google Workspace Footprint.