Pentestas / help

Google Workspace scan

Audits a Google Workspace (formerly G Suite) domain for security weaknesses. Built on Google's Admin SDK.

What it checks

  • Users — 2SV (2-step verification) disabled, recovery phone/email missing, suspended accounts with active OAuth grants.
  • Groups — public posting, external member density, owner sprawl.
  • OAuth apps — third-party apps with sensitive scopes (gmail.send, drive.readonly, etc.), and which users granted them.
  • DLP policies — missing or empty DLP rules on Gmail and Drive.
  • Retention policies — hold gaps, missing retention on high-risk labels.
  • Admin roles — super-admin density, role-activation audit gaps.
  • Security baseline — password strength enforcement, login challenge rules, MFA drift vs. baseline.

Credentials

Requires a service account with domain-wide delegation, authorised for the following scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/apps.alerts

Pentestas never requires write scopes: the scan is pure audit. The one entry above without a readonly suffix, apps.alerts, is the only scope the Alert Center API offers; the scan uses it solely to read alerts.

Setting up the service account

  1. Go to Google Cloud Console → IAM & Admin → Service Accounts.
  2. Create a service account. Skip role grants at the cloud level.
  3. Generate a JSON key; download it.
  4. Note the service account's Client ID (its numeric unique ID); domain-wide delegation is granted to that ID in the next step.
  5. Admin Console → Security → Access and data control → API controls → Manage Domain Wide Delegation → Add new: paste the Client ID and the comma-separated scopes above.
  6. Upload the JSON key to Pentestas (Settings → Integrations → Google Workspace) together with the admin email the service account will impersonate. Delegation gives the service account that admin's privileges, so the account must be allowed to read users, groups and reports (a super admin, or a delegated admin with those privileges). Treat the JSON key as a long-lived password: restrict who can download it and rotate it if it is ever exposed.
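The end-to-end path the steps above set up, as an added example (not Pentestas code): load the downloaded JSON key, impersonate the admin through domain-wide delegation with the scopes from the Credentials section, page through the Directory API, and run the user checks from the top of the page. Library calls are from google-auth and google-api-python-client; the sample user records are constructed and the finding labels are this example's own.

```python
"""Added example, not Pentestas code: delegated Admin SDK access with the scopes
listed above, plus the 2SV / recovery-contact / suspension checks run over the
user records the Directory API returns."""
from typing import Iterable, List, Tuple

# Scopes from the Credentials section above.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/apps.alerts",
]


def delegated_credentials(key_path: str, admin_email: str):
    """Turn the downloaded JSON key into domain-wide-delegation credentials.

    with_subject() makes the service account act as admin_email, so every call
    runs with that admin's privileges. Needs the google-auth package; imported
    lazily so the offline triage below works without it.
    """
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(key_path, scopes=SCOPES)
    return creds.with_subject(admin_email)


def fetch_users(creds, customer: str = "my_customer") -> List[dict]:
    """Page through Directory API users.list (needs google-api-python-client)."""
    from googleapiclient.discovery import build

    svc = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    users, page_token = [], None
    while True:
        resp = svc.users().list(customer=customer, maxResults=500,
                                projection="full", pageToken=page_token).execute()
        users.extend(resp.get("users", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return users


def audit_users(users: Iterable[dict]) -> List[Tuple[str, str]]:
    """(email, finding) pairs for the user checks listed at the top of the page.

    Field names (primaryEmail, suspended, isEnrolledIn2Sv, recoveryEmail,
    recoveryPhone) are those of the Directory API User resource; the finding
    labels are this example's own.
    """
    findings = []
    for u in users:
        email = u["primaryEmail"]
        if u.get("suspended"):
            # Flag for the OAuth-grant cross-check; the 2SV state of a suspended
            # account is moot, so skip the remaining checks.
            findings.append((email, "suspended"))
            continue
        if not u.get("isEnrolledIn2Sv", False):
            findings.append((email, "2sv_not_enrolled"))
        if not u.get("recoveryEmail") and not u.get("recoveryPhone"):
            findings.append((email, "no_recovery_contact"))
    return findings


# Constructed sample records in the shape users.list returns (not real data).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True,
     "recoveryEmail": "alice.backup@example.net"},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False,
     "recoveryPhone": "+15555550100"},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False},
    {"primaryEmail": "dan@example.com", "suspended": True, "isEnrolledIn2Sv": False},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python audit.py key.json admin@example.com
        users = fetch_users(delegated_credentials(sys.argv[1], sys.argv[2]))
    else:
        users = SAMPLE_USERS
    for email, finding in audit_users(users):
        print(f"{finding:20} {email}")
```

Run with no arguments to see the checks over the constructed sample; with a key path and admin address it pulls the real directory. The 2SV check reads isEnrolledIn2Sv, not isEnforcedIn2Sv: an enforcement policy can be in place while individual users are still inside the enrollment grace period, and it is the unenrolled users who are exposed.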

Output

Findings list misconfigured users, groups and apps. Each includes a deep link to the matching Admin Console page so you can remediate in one click.

Pitfalls

  • Too many OAuth grants — this scan typically uncovers dozens. Prioritise apps with drive.readonly or broader.
  • Unverified apps — Google's "unverified" label isn't the same as "malicious", but it is a triage cue.
  • Legacy IMAP / SMTP — modern Workspace clients authenticate with OAuth, but many tenants still carry leftover allow lists for password-only legacy protocols. Pentestas surfaces them.
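A way to apply the "drive.readonly or broader" triage rule from the first pitfall, and the per-user grant attribution from the OAuth apps check, as an added example that is not Pentestas code. It reads authorize events from the Reports API token audit log (covered by the admin.reports.audit.readonly scope above), collapses them per app, and orders apps by the most sensitive scope they hold and then by how many users granted them. The event shape follows the Reports API activities.list item (actor.email, events[].parameters with client_id, app_name and a multi-valued scope); the sensitivity ranking is this example's own, not Google's, and the events are constructed.

```python
"""Added example, not Pentestas code: rank OAuth grants found in the Reports API
'token' audit log so drive.readonly-or-broader apps are reviewed first."""
from typing import Dict, Iterable, List, Tuple

PREFIX = "https://www.googleapis.com/auth/"

# Example's own ranking of scopes at or above drive.readonly. Keys are the part
# after PREFIX, except the legacy full-Gmail scope, which is a bare URL.
SCOPE_RANK = {
    "https://mail.google.com/": 5,  # full Gmail read, send and delete
    "drive": 4,                     # full Drive
    "gmail.modify": 3,
    "gmail.send": 3,
    "drive.readonly": 2,
    "gmail.readonly": 2,
}


def scope_rank(scope: str) -> int:
    """0 for scopes outside the watch list."""
    name = scope[len(PREFIX):] if scope.startswith(PREFIX) else scope
    return SCOPE_RANK.get(name, 0)


def grants_from_token_events(events: Iterable[dict]) -> Dict[str, dict]:
    """Collapse 'authorize' events into {client_id: {app_name, scopes, users}}."""
    apps: Dict[str, dict] = {}
    for item in events:
        user = item["actor"]["email"]
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue  # revoke and other token events are not grants
            params = {p["name"]: p for p in ev.get("parameters", [])}
            client_id = params["client_id"]["value"]
            app = apps.setdefault(client_id, {
                "app_name": params.get("app_name", {}).get("value", client_id),
                "scopes": set(),
                "users": set(),
            })
            app["scopes"].update(params.get("scope", {}).get("multiValue", []))
            app["users"].add(user)
    return apps


def prioritise(apps: Dict[str, dict], min_rank: int = 2) -> List[Tuple[int, int, str, str, List[str]]]:
    """(rank, user_count, client_id, app_name, users) rows, most sensitive first.

    min_rank=2 is the 'drive.readonly or broader' cut-off from the pitfall above.
    """
    rows = []
    for client_id, a in apps.items():
        worst = max((scope_rank(s) for s in a["scopes"]), default=0)
        if worst >= min_rank:
            rows.append((worst, len(a["users"]), client_id, a["app_name"], sorted(a["users"])))
    return sorted(rows, key=lambda r: (-r[0], -r[1], r[2]))


def _event(user: str, client_id: str, app_name: str, scopes: List[str]) -> dict:
    """Build one constructed activities.list item (token application)."""
    return {"actor": {"email": user},
            "events": [{"name": "authorize", "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app_name},
                {"name": "scope", "multiValue": scopes}]}]}


# Constructed sample log, not real tenant data.
SAMPLE_EVENTS = [
    _event("alice@example.com", "111.apps.googleusercontent.com", "Calendar Sync",
           [PREFIX + "calendar.readonly"]),
    _event("bob@example.com", "222.apps.googleusercontent.com", "Doc Exporter",
           [PREFIX + "drive.readonly"]),
    _event("carol@example.com", "222.apps.googleusercontent.com", "Doc Exporter",
           [PREFIX + "drive.readonly"]),
    _event("dave@example.com", "333.apps.googleusercontent.com", "Mail Helper",
           ["https://mail.google.com/", PREFIX + "userinfo.email"]),
]

if __name__ == "__main__":
    for rank, n, client_id, name, users in prioritise(grants_from_token_events(SAMPLE_EVENTS)):
        print(f"rank={rank} users={n} {name} ({client_id}): {', '.join(users)}")
```

Rank by the single broadest scope rather than summing scopes: an app with full Gmail and nothing else is still a bigger exposure than one with six low-privilege scopes. The user list per app is what turns a finding into a remediation, since revocation and outreach happen per user.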

See also