Google Workspace Integration

Connect Extension Auditor to Chrome Browser Cloud Management to inventory extensions across every browser in your organisation.

Connecting Google Workspace turns Extension Auditor into a fleet-wide extension governance tool. We use Google's Chrome Browser Cloud Management (CBCM), Chrome Management, and Admin Directory APIs to enumerate the browsers your organisation manages, the extensions installed on them, and the users they belong to.

Prerequisites

You'll need:

  1. A Google Workspace subscription (any tier that includes Chrome Management).
  2. Chrome Browser Cloud Management enrolled for the browsers you want visibility into. If you haven't enrolled browsers yet, follow Google's Chrome Browser Cloud Management setup guide.
  3. A user with the Super Admin role in Google Workspace, or a delegated admin with rights to:
    • View and manage Chrome browsers
    • View Chrome Management reports and app details
    • Read organisational units
    • Read admin audit logs
  4. An Extension Auditor team workspace. (Personal accounts can scan individual extensions but cannot connect a Workspace.)

Choosing a connection method

| | Service Account (Recommended) | OAuth |
| --- | --- | --- |
| Setup work | One-time domain-wide delegation in the Admin Console | One-time browser sign-in by a Super Admin |
| Where the credentials live | Server-side service account managed by Extension Auditor | Refresh token issued to the signing admin |
| What happens if the admin leaves | Nothing — delegation is org-scoped | Token can be revoked; integration breaks until reauthorised |
| Sign-in required for daily sync | No | No (refresh token), but OAuth grants can lapse on policy changes |
| Best for | Production deployments, compliance-driven orgs | Trying the integration quickly, single-admin shops |

In both cases the scopes granted are identical, so the data Extension Auditor can read is the same. The difference is how Google issues the access token to us and what happens to that grant over time.

  • Set up via Service Account (Recommended)
  • Set up via OAuth

Scopes Extension Auditor requests

Both methods use the same nine OAuth scopes. The first six are read-only — the three read-write scopes are reserved for upcoming policy management and re-enrolment features and are not used for routine inventory sync.

Read-only (used for discovery and risk analysis):

| Scope | Purpose |
| --- | --- |
| admin.directory.device.chromebrowsers.readonly | Enumerate enrolled Chrome browsers |
| chrome.management.reports.readonly | Pull installed-app reports per browser |
| chrome.management.appdetails.readonly | Resolve extension metadata and risk indicators |
| chrome.management.policy.readonly | Read currently-applied extension policy |
| admin.directory.orgunit.readonly | Group browsers by organisational unit |
| admin.reports.audit.readonly | Surface install / uninstall audit events |

Read-write (granted now to support future workflows; not used until you opt in):

| Scope | Purpose |
| --- | --- |
| admin.directory.device.chromebrowsers | Future: re-enrol or update browsers |
| chrome.management.policy | Future: push allow/blocklist policies from Extension Auditor |
| admin.directory.orgunit | Future: scope policies to org units |

If you'd prefer a strictly read-only grant for now, the OAuth flow itself works against a read-only subset — but the in-product setup wizard authorises the full list because that's what's required for forthcoming policy features. Removing scopes mid-flow will trigger a "scope mismatch" error in the connection test; see the troubleshooting guide.
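
For admins reviewing the grant, the following added example (not part of Extension Auditor or its setup wizard) sorts a scope list, pasted from the domain-wide delegation entry or from a token's scope field, into the read-only and read-write sets documented above, and flags anything outside them. The function name `audit_scopes` and the sample grant are constructed for illustration; the scope names come from the tables on this page.

```python
import re

PREFIX = "https://www.googleapis.com/auth/"  # standard Google OAuth scope URL prefix

# The six read-only scopes listed on this page.
READ_ONLY = {
    "admin.directory.device.chromebrowsers.readonly",
    "chrome.management.reports.readonly",
    "chrome.management.appdetails.readonly",
    "chrome.management.policy.readonly",
    "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly",
}
# The three read-write scopes listed on this page.
READ_WRITE = {
    "admin.directory.device.chromebrowsers",
    "chrome.management.policy",
    "admin.directory.orgunit",
}


def audit_scopes(granted: str) -> dict:
    """Classify scopes given as short names or full URLs, split on commas/whitespace."""
    names = {
        raw.removeprefix(PREFIX) for raw in re.split(r"[,\s]+", granted.strip()) if raw
    }
    documented = READ_ONLY | READ_WRITE
    return {
        "read_only": sorted(names & READ_ONLY),
        "read_write": sorted(names & READ_WRITE),      # can modify tenant state
        "unexpected": sorted(names - documented),      # not among the nine documented
        "missing": sorted(documented - names),         # absent; page notes a scope mismatch
    }


# Constructed sample grant: two read-only scopes, one write scope, one undocumented scope.
SAMPLE = (
    "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly, "
    "https://www.googleapis.com/auth/chrome.management.reports.readonly,"
    "https://www.googleapis.com/auth/chrome.management.policy "
    "https://www.googleapis.com/auth/admin.directory.user"
)

if __name__ == "__main__":
    for bucket, scopes in audit_scopes(SAMPLE).items():
        print(f"{bucket}: {', '.join(scopes) or '-'}")
```
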

What we store

After a successful sync we store, per integration:

  • The Google customer ID for your Workspace tenant
  • For Service Account integrations: the Workspace domain and the admin email used for delegation
  • For OAuth integrations: an encrypted refresh token plus the access token's expiry
  • The browser, extension, user, and org-unit records returned by the APIs
  • A timestamped sync log with success / failure status and any error message

We never store user passwords, browsing history, web requests, or extension content. The CBCM APIs don't expose that data and Extension Auditor doesn't ask for it.

Disconnecting

You can disconnect an integration at any time from Settings → Integrations → Google Workspace → Disconnect. Disconnecting removes the stored credentials and all discovered browser, extension, and user records for that integration. Any extension monitors you've configured remain — they just stop receiving Workspace-derived signals until you reconnect.
