Description
Mailprotector supports User Sync with Google Workspace tenant domains to simplify and automate user management in the Mailprotector Console. This synchronization ensures that all Google Workspace mailboxes are accurately reflected in the Console, making it easy to assign Mailprotector’s email security products. When a mailbox is removed from Google Workspace, the corresponding user is also automatically removed from the Console.
Applies to:
Google Workspace, G Suite, Console, User Sync, User Source
Prerequisites
The Google Workspace tenant domain must be configured and contain at least one mailbox user. Enabling Directory Synchronization requires a Super Admin account for the Google Workspace domain. A standard mailbox user will not have permission to communicate with the Google Workspace API for synchronization.
The User Sync API domain for Mailprotector is emailservice.io. Google Workspace User Sync must be set up while signed in at https://emailservice.io, not at a branded Console URL. Once configured, you may access the Console using your branded URL.
Configuring User Sync
Preparing the Domain in the Mailprotector Console
1. Log in to the Console with your Manager account.
2. Navigate to the domain where you wish to add User Sync.
3. Select the User Sync tab.
4. Scroll down to the section labeled User Sources and click Add.
Do not enable User Sync until after you have confirmed the source is adding users correctly with a manual Preview.
5. Click Choose under the Google logo.
6. Under the Source tab, click the Connect Google Workspace button, then log in to the Google Workspace tenant domain you are configuring. Be sure to use a Super Admin account for the domain.
7. After successfully logging into Google Admin, you will be presented with a permission request to allow Mailprotector to view groups on your domain and see information about users on your domain so that User Sync functions correctly. Be sure the account you signed in to has admin permissions. Click the Allow button to continue.
8. You will return to the Edit User Sync screen in the Console. A successful connection will result in a choice to Disconnect Google Workspace appearing in the Sources tab. Leave this choice as-is; do not click the button to disconnect. You can now select the blue back arrow to navigate to the User Sync tab.
If you received an error attempting to connect to Google Workspace, check the Errors Connecting Google Workspace to the Mailprotector Console section below.
9. Once you return to the User Sync section, enable the Google Workspace User Source and click Sync and Save. This will pull the user list into the Console immediately. It should display a list of users that will be added to the Console over the next one to five minutes.
10. Click the slider at the top of the page to turn on Enable automatic user sync.
Users' email accounts will need to be fully configured in Google Workspace before User Sync can add the users to the Mailprotector Console.
The User Sync tool will create a user in the Mailprotector Console for each domain address and mailbox in Google Workspace. All user types in the Console other than Users and Discovered Users will be marked accordingly and are non-billable. Please see Definition and Billing of User Types for more information.
Optional: Adding Filters and Destination groups
User Sync will direct addresses to the Main Group by default. If you need to direct certain users to different groups, you may change which users are targeted using the Filters tab of the User Source created in Step 5 above. You can then change which group those users are placed into by changing the Destination group.
The Filters section fields may auto-populate with available Google Workspace fields as you begin typing. Some of the available API fields are:
- emails
- id
- include_in_global_address_list
- is_mailbox_setup
- list_type
- name
- primary_email
Errors Connecting Google Workspace to the Mailprotector Console
If you receive an error when configuring User Sync, please refer to these suggested solutions:
1. Showing 0 to 0 of 0 entries.
To fix a failed Sync, ensure that the account used to Connect Google Workspace is a Super Admin account and try again.
2. Access blocked: This app’s request is invalid. (Error 400: redirect_uri_mismatch)
To fix failed access to the Mailprotector App, sign out of your Manager account in the Mailprotector Console, then go to https://emailservice.io and sign back in to your Manager account.
3. API Access is Restricted.
To fix this and Enable API Access:
- Log in to the Google Workspace Admin Console.
- Go to Security > Access and Data Control > API Controls > Manage Google Services.
- Find Google Workspace Admin and select Change Access.
- Select Unrestricted: Any user-approved app can access a service and click Change to enable API Access.
If none of these solve the issue, please disconnect and reconnect the sync source, as detailed below.
Disconnect the Existing Google Workspace User Source
- Sign in to the Mailprotector Console using the unbranded link (https://emailservice.io).
- Navigate to the affected domain's User Sync tab, then down to User Sources. Note any customizations under the Filters, Destination, and Advanced tabs.
- Click on Disconnect Google Workspace.
Reconnect the Google Workspace User Source
- Click Connect Google Workspace and sign in using a Super Admin account for the tenant.
- Click on the Filters, Destination, and Advanced tabs to ensure the customizations noted during the disconnect process are included.
Test the User Sync
Scroll down to Manual Sync and click Preview. If all looks correct, scroll to the top of the User Sync page and click to Enable automatic user sync.