Google Workspace scan

Audits a Google Workspace (formerly G Suite) domain for security weaknesses. Built on Google's Admin SDK.

What it checks

Users — 2SV (2-step verification) disabled, recovery phone/email missing, suspended accounts with active OAuth grants.
Groups — public posting, external member density, owner sprawl.
OAuth apps — third-party apps with sensitive scopes (gmail.send, drive.readonly, etc.), and which users granted them.
DLP policies — missing or empty DLP rules on Gmail and Drive.
Retention policies — hold gaps, missing retention on high-risk labels.
Admin roles — super-admin density, role-activation audit gaps.
Security baseline — password strength enforcement, login challenge rules, MFA drift vs. baseline.

Credentials

Requires a service account with domain-wide delegation and read-only scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/apps.alerts

Pentestas never requires write scopes — the scan is pure audit.

Setting up the service account

Go to Google Cloud Console → IAM & Admin → Service Accounts.
Create a service account. Skip role grants at the cloud level.
Generate a JSON key; download it.
Enable Domain-Wide Delegation on the service account; copy the Client ID.
Admin Console → Security → API Controls → Domain-wide delegation → add a new client with the scopes above.
Upload the JSON key to Pentestas (Settings → Integrations → Google Workspace). We'll pair it with the admin email used for impersonation.

Output

Findings highlight misconfigured users + groups + apps. Each includes a deep link to the matching Admin Console page so you can remediate in one click.

Pitfalls