FAQ: Google Workspace Directory Integration

The following are Frequently Asked Question regarding JumpCloud's Google Workspace Directory Integration.

Integrating

What method does JumpCloud use to connect to Google Workspace?

JumpCloud Utilizes OAuth to secure and persist its connection with Google to perform our integration tasks. Integrations logs detailing the Google Workspace JumpCloud OAuth connection can be seen within the Google Admin portal under the Reports > Activity Audit > OAuth Token report.

Can I use Google Workspace MFA with JumpCloud?

Yes, Google Workspace MFA is supported in JumpCloud. JumpCloud's MFA can also be used in conjunction with Google Workspace MFA if both layers are desired.

Will Google Workspace users created through the JumpCloud/Google Workspace integration be created with Google Workspace licenses?

Users created via the JumpCloud / Google Workspace integration will follow the "Auto-Licensing" rules configured within the Google Workspace admin console. These settings can be seen in the "Billing" section of the Google Workspace admin console.

How can I see a report on the actions coming through the JumpCloud/Google Workspace integration?

Within the Google admin console, all events occurring via the JumpCloud / Google Workspace integration are logged in the Reports > Admin report. Events are logged under the admin account that authorizes the OAuth connection in JumpCloud. It is best practice to create a dedicated Google Workspace admin account to authorize the JumpCloud / Google Workspace OAuth connection. 

When I deactivate my connection with Google Workspace from JumpCloud, what happens to user accounts in Google?

When the OAuth session is deactivated in JumpCloud, all users in Google will remain active and functioning. Within JumpCloud, all user accounts remain active as well.  All accounts will be unbound from the Google Workspace Directory. When and if the products are reactivated, the admin will need to re-bind the users to the Google Workspace Directory to re-establish the connection and ownership control of the accounts in Google. 

I currently use the Active Directory Bridge to import Users from AD. Can I use JumpCloud’s Google Workspace user provisioning or Microsoft 365 at the same time?

While this was previously not a supported configuration, use of the Active Directory Bridge can indeed be used when either Google Apps or Microsoft 365 User Provisioning are enabled.

Does JumpCloud allow an administrator to manage multiple email domains?

Yes, JumpCloud can manage email addresses in different domains. Need help? See the Google Workspace Multiple domains FAQ.

Can JumpCloud integrate with multiple Google Workspace accounts?

Yes, you can integrate multiple Google Workspace directories / accounts with JumpCloud.

Can avatars uploaded in Google be migrated to JumpCloud?

At this time, JumpCloud doesn't support avatar import to JumpCloud user accounts.

Can the Google Workspace and Microsoft 365 Directory Integrations be used in tandem?

The Google Workspace and Microsoft 365 Directory integrations can be used together to successfully synchronize both service providers with JumpCloud.  The directory integrations utilize the user's email address as the unique identifier for synchronization.  Due to this architecture, your domain records may need to be mapped so that the same email address is used between all service providers.  For more information refer to the follow vendor-specific documentation:

Importing

What happens during import when a user exists in Google Workspace and there is already a matching user in the JumpCloud Directory?

Upon import, you will see a failure for this user to import as the account with the same email already exists. 

When importing users from Google Workspace, why do I see suspended users and accounts I have previously imported?

JumpCloud's Google synchronization UI displays all of your Google users, regardless of whether they are suspended and/or previously imported. We will provide filtering mechanisms in the future. 

Can I import Organizational Units and Groups from Google Workspace to JumpCloud?

At this time, only user accounts are supported between JumpCloud and Google Workspace. OU and Group membership management should continue to be managed in Google directly. 

We have multiple JumpCloud Administrators using the Admin Portal. Do they each need to log in to Google to do import tasks?

No. Once the Super Admin credentials have been authenticated, the connection to Google Workspace, regardless of Administrator, can perform importation and provisioning tasks. 

What user state is an imported user assigned?

The default user state is determined by the value set for Application / Directory Integrations (creation method) in Settings > User Management > Default User State for User Creation > Application / Directory Integrations

Provisioning

Can I prevent the automated email from being sent to my employees when I bind them to Google Workspace?

While an admin can prevent an automated email from being delivered to the end user when creating the account inside of JumpCloud by specifying an initial password (Get Started: Users), binding a user to Google Workspace will send an email to the employee. We recommend educating the employee base first before binding them to Google Workspace so the email is expected. 

After creating and immediately importing an account from Google to JumpCloud and providing this user with a temporary password in Google, my users indicate their passwords must be changed in Google. What causes this?

This is generally caused by the Require user to change password at next sign-in setting within the Google User Account being set to true. This is found in the individual User’s “Account” settings within Google. It is advised that this setting be turned to false; JumpCloud will act as the authoritative source of password synchronization, and all password changes must originate from it. Users can then reset their strong password in JumpCloud, and log in with those credentials. 

When provisioning users from JumpCloud to Google Workspace, why are users immediately placed into a suspended state?

A: If you are utilizing a Google Workspace trial account, this is a known limitation for API-created users until your instance is upgraded to a paid account. In order to remove the suspended user state on a newly created Google Workspace account, the user must attempt a login to the account in order to complete Google's verification steps. This is to prevent malicious activity on trial accounts, and to require that users complete validation prior to being placed into an active state. 

Synchronization

How can I suspend an account in Google Workspace?

The administrator can unbind the user from the Google Workspace directory in JumpCloud, which will trigger the user in Google to be suspended. Re-binding the user will re-activate the user in Google.  

When I delete an account in Google, what happens in JumpCloud?

The user remains unchanged in JumpCloud. If you wish to remove the user from JumpCloud, these actions must be performed manually in the JumpCloud Admin Portal.

Note:

Should the user need to be re-provisioned from JumpCloud to Google, Google will often require up to 4-5 days before releasing the same email address to be used again. 

Credentials

How does JumpCloud’s password complexity requirements work with Google Workspace?

JumpCloud's password complexity works with Google Workspace-synced users just as with any other JumpCloud user and wherever their credentials are being used. Any attempt by a JumpCloud user to change their password in the JumpCloud User Portal to one that does not meet JumpCloud's complexity requirements will fail. This does not, however, prevent the user from changing their password in their Google account to a non-compliant password. Since JumpCloud is the password authority, any change to the user in JumpCloud will overwrite the non-compliant password in Google with the compliant JumpCloud password.

Note:

When synchronizing between JumpCloud and Google Workspace, the password must be compliant with Google's name and password guidelines.

Be aware that passwords must be created with 12 or more characters. Passwords can be any combination of letters, numbers, and symbols (ASCII-standard characters only), or users won't sync from JumpCloud to Google Workspace. 

What happens when a JumpCloud user has their password expire due to JumpCloud’s password complexity requirements?

The user’s Google account is suspended, blocking the user from accessing their account. The admin must set a new password for the user in JumpCloud to re-activate the user’s Google account.

Can an employee change their password in Google Workspace?

Employees shouldn't change their password from Google Workspace's password change system because it won't update in JumpCloud and users could get locked out. We suggest referring to Require Users to Change Google Workspace Passwords in JumpCloud to prevent this.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case