Google Workspace Admin MCP Server
Create a powerful Model Context Protocol (MCP) server for Google Workspace Admin in minutes with our AI Gateway. This guide walks you through setting up seamless enterprise administration with enterprise-grade security and instant OAuth authentication.
About Google Workspace Admin API
The Google Workspace Admin SDK provides programmatic access to domain administration features, enabling automated management of users, groups, organizational units, devices, and security settings across your Google Workspace domain.
Key Capabilities
- User Management: Create, update, suspend users
- Group Administration: Manage groups and memberships
- Organizational Units: Structure domain hierarchy
- Device Management: Control mobile and Chrome devices
- Security Settings: Configure 2FA, passwords, API access
- License Management: Assign and track licenses
- Audit Logs: Monitor admin activities
- Domain Settings: Manage domain-wide configurations
API Features
- Directory API: User and group management
- Reports API: Usage and audit reports
- Admin Settings API: Domain configuration
- OAuth 2.0: Secure authentication
- Rate Limiting: 2,400 queries/minute
- Batch Operations: Bulk user updates
- Webhooks: Real-time notifications
- Data Export: Compliance and backup
What You Can Do with Google Workspace Admin MCP Server
The MCP server transforms Google Workspace Admin APIs into a natural language interface, enabling AI agents to:
User Management
User Operations
- "Create new user account for john.doe@company.com"
- "Reset password for marketing team member"
- "Suspend account for departed employee"
- "Update user profile with new department"
Bulk Operations
- "Import 50 users from CSV file"
- "Update all sales team email signatures"
- "Enable 2FA for all administrators"
- "Archive accounts inactive for 90 days"
User Search
- "Find all users in engineering department"
- "List users without profile photos"
- "Show suspended accounts from last month"
- "Search users by custom attribute"
Group Administration
Group Management
- "Create all-hands distribution group"
- "Add new hire to relevant groups"
- "Remove user from security groups"
- "Convert group to security group"
Membership Control
- "List all groups for specific user"
- "Show members of executive group"
- "Add external member with restrictions"
- "Set group email moderation"
Group Settings
- "Configure group posting permissions"
- "Enable collaborative inbox"
- "Set up group email aliases"
- "Archive inactive groups"
Organizational Structure
OU Management
- "Create organizational unit for new office"
- "Move users to different department OU"
- "Apply policies to specific OU"
- "List all OUs in hierarchy"
Policy Application
- "Set storage limits for marketing OU"
- "Disable external sharing for finance"
- "Configure app access by department"
- "Apply security settings to OU"
OU Reporting
- "Show user count by OU"
- "List applied policies per OU"
- "Track OU changes over time"
- "Export OU structure diagram"
Device Management
Mobile Device Control
- "Wipe lost company phone"
- "Approve new device for user"
- "Block personal devices"
- "Enforce device encryption"
Chrome Device Management
- "Configure Chromebook settings"
- "Deploy apps to Chrome devices"
- "Set up kiosk mode"
- "Track device locations"
Device Policies
- "Require screen lock on all devices"
- "Set password complexity rules"
- "Configure allowed applications"
- "Enable remote device wipe"
Security Administration
Authentication Settings
- "Enable 2-factor for all users"
- "Configure SSO with SAML"
- "Set password policies"
- "Manage API access"
Security Monitoring
- "Show failed login attempts"
- "List users with weak passwords"
- "Track suspicious activities"
- "Monitor third-party app access"
Compliance Management
- "Enable data loss prevention"
- "Configure vault retention"
- "Set up alert policies"
- "Manage security keys"
Reporting & Analytics
Usage Reports
- "Show storage usage by department"
- "Track active users last 30 days"
- "Monitor app adoption rates"
- "Calculate license utilization"
Audit Logs
- "Show admin activities today"
- "Track user login history"
- "Monitor file sharing events"
- "Export compliance reports"
Custom Reports
- "Generate monthly user report"
- "Create security audit dashboard"
- "Build license optimization report"
- "Design executive summary"
License Management
License Assignment
- "Assign Business Plus license to user"
- "Downgrade inactive users to Basic"
- "Transfer license between users"
- "Bulk assign licenses by OU"
License Tracking
- "Show available license count"
- "List users by license type"
- "Track license usage trends"
- "Identify unused licenses"
Cost Optimization
- "Recommend license downgrades"
- "Calculate potential savings"
- "Optimize license distribution"
- "Forecast license needs"
Prerequisites
- Access to Cequence AI Gateway
- Google Workspace Super Admin access
- Domain verification completed
- API access enabled for domain
Step 1: Enable Admin SDK API
1.1 Access Google Cloud Console
- Go to console.cloud.google.com
- Select or create a project for your domain
- Ensure billing is enabled
1.2 Enable Required APIs
- Go to APIs & Services > Library
- Search and enable:
- Admin SDK API
- Admin Reports API
- Admin Settings API
- Directory API
1.3 Create Service Account
- Go to IAM & Admin > Service Accounts
- Click Create Service Account
- Name: "AI Gateway Admin SDK"
- Grant roles:
- Service Account Token Creator
- Service Account User
1.4 Configure Domain-Wide Delegation
- Click on the created service account
- Go to Details > Show Advanced Settings
- Enable Domain-wide delegation
- Copy Client ID
1.5 Authorize in Admin Console
- Go to admin.google.com
- Navigate to Security > API Controls > Domain-wide delegation
- Add new API client:
- Client ID: From service account
- Scopes: Add required scopes (see scopes section)
Step 2-4: Standard Setup
Follow the standard steps to access the AI Gateway, find the Google Workspace Admin API, and create the MCP server.
Step 5: Configure API Endpoints
- Base URL: https://admin.googleapis.com
- Select endpoints:
- Directory API endpoints
- Reports API endpoints
- Settings API endpoints
- Click Next
Step 6: MCP Server Configuration
- Name: "Google Workspace Admin"
- Description: "Enterprise domain administration"
- Configure production mode
- Click Next
Step 7: Configure Authentication
- Authentication Type: OAuth 2.0 with Service Account
- Service Account Key: Upload JSON key file
- Admin Email: Super admin email for impersonation
- Scopes: Configure required scopes
- Click Next
Available Google Workspace Admin OAuth Scopes
User Management
https://www.googleapis.com/auth/admin.directory.user
- Create and manage users
- Update user profiles
- Suspend/delete accounts
- Manage passwords
https://www.googleapis.com/auth/admin.directory.user.readonly
- View user information
- List domain users
- Search user directory
- Export user data
Group Management
https://www.googleapis.com/auth/admin.directory.group
- Create and manage groups
- Control memberships
- Configure group settings
- Delete groups
https://www.googleapis.com/auth/admin.directory.group.member
- Add/remove members
- Manage member roles
- List group members
- Control permissions
Organizational Units
https://www.googleapis.com/auth/admin.directory.orgunit
- Create OUs
- Move users between OUs
- Apply OU policies
- Delete OUs
Device Management
https://www.googleapis.com/auth/admin.directory.device.mobile
- Manage mobile devices
- Wipe/lock devices
- View device details
- Apply policies
https://www.googleapis.com/auth/admin.directory.device.chromeos
- Manage Chrome devices
- Configure settings
- Deploy applications
- Monitor usage
Reports & Monitoring
https://www.googleapis.com/auth/admin.reports.audit.readonly
- View audit logs
- Track admin activities
- Monitor security events
- Export reports
https://www.googleapis.com/auth/admin.reports.usage.readonly
- View usage statistics
- Monitor adoption
- Track storage
- Analyze trends
Recommended Scope Combinations
For User Management:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.orgunit
For Full Administration:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.orgunit
https://www.googleapis.com/auth/admin.directory.device.mobile
https://www.googleapis.com/auth/admin.directory.device.chromeos
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
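A least-privilege check for the scope lists above, as an added example that is not part of the original page or the product: it compares the scopes delegated to the service account with the operations the server's tools need, and reports unused scopes and narrower alternatives. The scope names and what each permits follow the page's own list; the operation labels and the sample case are assumptions made for the example.

```javascript
// Added example. Scope names and what each permits are taken from the page's
// scope list; the operation labels ("user.read", ...) are hypothetical.
const PREFIX = 'https://www.googleapis.com/auth/';
const CATALOGUE = new Map([
  ['admin.directory.user', ['user.read', 'user.write']],
  ['admin.directory.user.readonly', ['user.read']],
  ['admin.directory.group', ['group.read', 'group.write', 'member.read', 'member.write']],
  ['admin.directory.group.member', ['member.read', 'member.write']],
  ['admin.directory.orgunit', ['orgunit.read', 'orgunit.write']],
  ['admin.directory.device.mobile', ['mobile.read', 'mobile.write']],
  ['admin.directory.device.chromeos', ['chromeos.read', 'chromeos.write']],
  ['admin.reports.audit.readonly', ['audit.read']],
  ['admin.reports.usage.readonly', ['usage.read']],
]);

// Compare the scopes delegated to the service account with the operations the
// MCP server's tools actually perform.
function auditDelegation(delegatedScopes, neededOps) {
  const names = delegatedScopes.map((s) => s.replace(PREFIX, ''));
  const unknown = names.filter((s) => !CATALOGUE.has(s));
  const known = names.filter((s) => CATALOGUE.has(s));
  const need = new Set(neededOps);
  const granted = new Set(known.flatMap((s) => CATALOGUE.get(s)));

  const missing = [...need].filter((op) => !granted.has(op));
  const unused = known.filter((s) => !CATALOGUE.get(s).some((op) => need.has(op)));
  const narrower = [];
  for (const scope of known) {
    const used = CATALOGUE.get(scope).filter((op) => need.has(op));
    if (used.length === 0) continue; // already reported as unused
    // A catalogued scope that grants fewer operations but still covers `used`.
    const alt = [...CATALOGUE.keys()].find((c) =>
      CATALOGUE.get(c).length < CATALOGUE.get(scope).length &&
      used.every((op) => CATALOGUE.get(c).includes(op)));
    if (alt) narrower.push({ scope, use: alt });
  }
  return { unknown, missing, unused, narrower };
}

// Constructed case: a reporting-only server given the "Full Administration" list.
const FULL_ADMIN = ['admin.directory.user', 'admin.directory.group',
  'admin.directory.group.member', 'admin.directory.orgunit',
  'admin.directory.device.mobile', 'admin.directory.device.chromeos',
  'admin.reports.audit.readonly', 'admin.reports.usage.readonly',
].map((s) => PREFIX + s);
const reportingAudit = auditDelegation(FULL_ADMIN, ['user.read', 'audit.read', 'usage.read']);
console.log(JSON.stringify(reportingAudit, null, 2));
```

For the constructed reporting-only case it reports five unused scopes and suggests admin.directory.user.readonly in place of admin.directory.user.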
Step 8-10: Complete Setup
Configure security, choose deployment, and deploy.
Using Your Google Workspace Admin MCP Server
With Claude Desktop
{
  "servers": {
    "google-workspace-admin": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "service_account",
        "domain": "your-domain.com"
      }
    }
  }
}
Natural Language Commands
- "Create user account for new.employee@company.com"
- "Add john.doe to engineering and product groups"
- "Show all users who haven't logged in for 30 days"
- "Enable 2FA for all users in finance OU"
- "Generate monthly license usage report"
API Integration Example
// MCPClient is provided by your MCP client library; import it as that library documents.
import { randomBytes } from 'node:crypto';

// Initialize MCP client
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'service_account',
    keyFile: 'path/to/service-account-key.json',
    adminEmail: 'admin@your-domain.com'
  }
});

// Create user with a random one-time password rather than a fixed, guessable one;
// hand it over through your onboarding channel.
const initialPassword = randomBytes(18).toString('base64url');
const user = await mcpClient.googleWorkspace.users.create({
  primaryEmail: 'john.doe@company.com',
  name: {
    givenName: 'John',
    familyName: 'Doe'
  },
  password: initialPassword,
  changePasswordAtNextLogin: true,
  orgUnitPath: '/Engineering',
  phones: [{
    value: '+1-555-1234',
    type: 'work'
  }],
  customSchemas: {
    employeeInfo: {
      employeeId: 'EMP-12345',
      department: 'Engineering',
      jobTitle: 'Senior Developer'
    }
  }
});

// Add to groups
await mcpClient.googleWorkspace.groups.addMember({
  groupKey: 'engineering@company.com',
  email: user.primaryEmail,
  role: 'MEMBER'
});

// Enable 2FA for OU
await mcpClient.googleWorkspace.orgunits.updateSettings({
  orgUnitPath: '/Finance',
  settings: {
    security: {
      twoStepVerification: {
        required: true,
        allowedMethods: ['SMS', 'AUTHENTICATOR_APP']
      }
    }
  }
});

// Suspend inactive users
const inactiveUsers = await mcpClient.googleWorkspace.users.list({
  query: 'lastLoginTime<2025-01-01',
  maxResults: 500
});
for (const inactiveUser of inactiveUsers.users) {
  await mcpClient.googleWorkspace.users.update({
    userKey: inactiveUser.primaryEmail,
    suspended: true,
    suspensionReason: 'INACTIVE_90_DAYS'
  });
}

// Generate usage report
const report = await mcpClient.googleWorkspace.reports.getUsageReport({
  date: '2025-01-15',
  parameters: [
    'accounts:num_users',
    'accounts:gsuite_basic_total_licenses',
    'accounts:gsuite_business_total_licenses',
    'gmail:num_emails_sent',
    'drive:total_storage_in_bytes'
  ]
});

// Manage devices: block approved Android devices with an old security patch level
const devices = await mcpClient.googleWorkspace.mobiledevices.list({
  query: 'status:APPROVED os:Android'
});
for (const device of devices.mobiledevices) {
  // String comparison is only valid while both values are YYYY-MM-DD dates
  if (device.securityPatchLevel < '2024-12-01') {
    await mcpClient.googleWorkspace.mobiledevices.action({
      resourceId: device.resourceId,
      action: 'block'
    });
  }
}
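A dry-run guard for the "Suspend inactive users" loop above, as an added example that is not part of the original page or of any vendor client code: it decides which accounts may be suspended before any update call is made. It relies on the Directory API reporting 1970-01-01T00:00:00.000Z as lastLoginTime for an account that has never signed in; the option names and the sample users are constructed for the example.

```javascript
// Added example: dry-run planner to run before the suspension loop.
// primaryEmail, lastLoginTime, creationTime, isAdmin, isDelegatedAdmin and
// suspended are Directory API user fields; option names and users are constructed.
const NEVER_SIGNED_IN = Date.parse('1970-01-01T00:00:00.000Z');
const DAY_MS = 24 * 60 * 60 * 1000;

function planSuspensions(users, { now, inactiveDays = 90, exempt = [], maxBatch = 25 }) {
  const cutoff = now.getTime() - inactiveDays * DAY_MS;
  const exemptSet = new Set(exempt.map((e) => e.toLowerCase()));
  const plan = { suspend: [], skipped: [], blocked: false };
  for (const u of users) {
    const email = u.primaryEmail.toLowerCase();
    const lastLogin = Date.parse(u.lastLoginTime);
    // Never-signed-in accounts report the epoch; judge them by creation date
    // so a new hire's account is not suspended before first sign-in.
    const lastActive = lastLogin === NEVER_SIGNED_IN ? Date.parse(u.creationTime) : lastLogin;
    let reason = null;
    if (u.suspended) reason = 'already suspended';
    else if (u.isAdmin || u.isDelegatedAdmin) reason = 'admin account';
    else if (exemptSet.has(email)) reason = 'exempt';
    else if (Number.isNaN(lastActive)) reason = 'no usable timestamp';
    else if (lastActive >= cutoff) reason = 'active or recently created';
    if (reason) plan.skipped.push({ email, reason });
    else plan.suspend.push(email);
  }
  // An unexpectedly large batch usually means a bad query or date; stop for review.
  plan.blocked = plan.suspend.length > maxBatch;
  return plan;
}

// Constructed sample directory entries.
const SAMPLE_USERS = [
  { primaryEmail: 'old.account@example.com',
    lastLoginTime: '2024-06-01T09:00:00.000Z', creationTime: '2022-01-10T00:00:00.000Z' },
  { primaryEmail: 'new.hire@example.com',
    lastLoginTime: '1970-01-01T00:00:00.000Z', creationTime: '2025-01-10T00:00:00.000Z' },
  { primaryEmail: 'admin@example.com', isAdmin: true,
    lastLoginTime: '2024-05-01T00:00:00.000Z', creationTime: '2020-01-01T00:00:00.000Z' },
  { primaryEmail: 'Break.Glass@example.com',
    lastLoginTime: '2023-01-01T00:00:00.000Z', creationTime: '2020-01-01T00:00:00.000Z' },
];
const samplePlan = planSuspensions(SAMPLE_USERS, {
  now: new Date('2025-01-15T00:00:00Z'),
  exempt: ['break.glass@example.com'],
});
console.log(JSON.stringify(samplePlan, null, 2));
```

Only accounts in `plan.suspend` should reach the update call, and only when `plan.blocked` is false.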
Common Use Cases
User Lifecycle Management
- Automated onboarding
- Department transfers
- Offboarding processes
- Account recovery
Security Administration
- 2FA enforcement
- Password policies
- Device management
- Access control
Compliance & Auditing
- User activity monitoring
- License compliance
- Data retention
- Export for audits
Organizational Management
- Department restructuring
- Policy deployment
- Bulk updates
- Migration projects
Security Best Practices
Service Account Security:
- Store keys securely
- Rotate keys regularly
- Limit delegation scope
- Monitor usage
Access Control:
- Use least privilege
- Audit admin roles
- Enable alerts
- Review permissions
Data Protection:
- Encrypt sensitive data
- Audit API access
- Monitor exports
- Control sharing
Troubleshooting
Common Issues
Authentication Errors
- Verify service account setup
- Check domain delegation
- Validate scopes
- Review admin email
Permission Denied
- Confirm admin privileges
- Check API enablement
- Verify domain ownership
- Review scope authorization
Rate Limiting
- Implement exponential backoff
- Use batch operations
- Cache responses
- Monitor quotas
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Google Admin SDK: developers.google.com/admin-sdk