...
Log in as an admin user to Google Cloud Platform (GCP) Console by using the following URL: https://console.cloud.google.com.
Do one of the following steps.
If you have not used the GCP Console before, agree to the terms of service and click Create Project.
If you have used GCP Console before, at the top of the screen next to your most recent project name, click the down arrow to open your projects list. Then, click New Project. In Project Name, enter a meaningful name and click CREATE.
Select your new project and click the navigation menu.
Navigate to API and Services > Library. Search for Admin SDK and select the Admin SDK option from the search results. Click ENABLE.
Navigate to IAM and admin > service accounts. Click CREATE SERVICE ACCOUNT and specify the following settings.
Service account name
Service account ID
Click CREATE to create your service account. Click CONTINUE and then click DONE.
Click the navigation menu. Navigate to API and Services > Credentials.
Click Service account and select your service account.
Under Keys, from the Add Key menu select Create New Key. Select the JSON radio button and click Create.
Note the following parameters that are required to configure provisioning in OnLink.
Service Account Email - Use the
client_email
value from your service accountprivate key
file.Account Email - an admin’s email address that has as a minimum, the 'User Management Admin' and 'Groups Admin' roles. Make sure that the scopes of the roles are All organization unit.
Private Key - Use the
private_key
value from your service accountprivate key
file. Copy everything from and including “-----BEGIN PRIVATE KEY-----” to “-----END PRIVATE KEY-----\n” e.g.Code Block -----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkigEAAoIBAQC5DdC8GNNeyVik\nryiee...sr47P8/fghv5Lxukpq\nGnEiHn5otefat1FuUnmMJ8j/\n-----END PRIVATE KEY-----\n
Go to your Google Workspace Admin console by using the following URL: https://admin.google.com.
Click the navigation menu. Navigate to Security > Access and data control > API Controls.
Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
Click Add New and add the following details.
Client ID - Provide a service account's client ID. Use the client_id value from the service account private key file.
User OAuth Scope https://www.googleapis.com/auth/admin.directory.user
Group OAuth Scope https://www.googleapis.com/auth/admin.directory.group
Role OAuth Scope https://www.googleapis.com/auth/admin.directory.rolemanagement
Org Unit OAuth Scope https://www.googleapis.com/auth/admin.directory.orgunit
Gmail Send (only needed if using to send emails) https://www.googleapis.com/auth/gmail.sendClick Authorize and save your changes.
...