Google Workspace Integration
Connect Extension Auditor to Chrome Browser Cloud Management to inventory extensions across every browser in your organisation.
Connecting Google Workspace turns Extension Auditor into a fleet-wide extension governance tool. We use Google's Chrome Browser Cloud Management (CBCM), Chrome Management, and Admin Directory APIs to enumerate the browsers your organisation manages, the extensions installed on them, and the users they belong to.
Prerequisites
You'll need:
- A Google Workspace subscription (any tier that includes Chrome Management).
- Chrome Browser Cloud Management enrolled for the browsers you want visibility on. If you haven't enrolled browsers yet, follow Google's Chrome Browser Cloud Management setup guide.
- A user with the Super Admin role in Google Workspace, or a delegated admin with rights to:
  - View and manage Chrome browsers
  - View Chrome Management reports and app details
  - Read organisational units
  - Read admin audit logs
- An Extension Auditor team workspace. (Personal accounts can scan individual extensions but cannot connect a Workspace.)
Choosing a connection method
| | Service Account (Recommended) | OAuth |
|---|---|---|
| Setup work | One-time domain-wide delegation in the Admin Console | One-time browser sign-in by a Super Admin |
| Where the credentials live | Server-side service account managed by Extension Auditor | Refresh token issued to the signing admin |
| What happens if the admin leaves | Nothing — delegation is org-scoped | Token can be revoked; integration breaks until reauthorised |
| Sign-in required for daily sync | No | No (refresh token), but OAuth grants can lapse on policy changes |
| Best for | Production deployments, compliance-driven orgs | Trying the integration quickly, single-admin shops |
In both cases the scopes granted are identical, so the data Extension Auditor can read is the same. The difference is how Google issues the access token to us and what happens to that grant over time.
→ Set up via Service Account (Recommended) → Set up via OAuth
Scopes Extension Auditor requests
Both methods use the same nine OAuth scopes. The first six are read-only — the three read-write scopes are reserved for upcoming policy management and re-enrolment features and are not used for routine inventory sync.
Read-only (used for discovery and risk analysis):
| Scope | Purpose |
|---|---|
| admin.directory.device.chromebrowsers.readonly | Enumerate enrolled Chrome browsers |
| chrome.management.reports.readonly | Pull installed-app reports per browser |
| chrome.management.appdetails.readonly | Resolve extension metadata and risk indicators |
| chrome.management.policy.readonly | Read currently-applied extension policy |
| admin.directory.orgunit.readonly | Group browsers by organisational unit |
| admin.reports.audit.readonly | Surface install / uninstall audit events |
Read-write (granted now to support future workflows; not used until you opt in):
| Scope | Purpose |
|---|---|
| admin.directory.device.chromebrowsers | Future: re-enrol or update browsers |
| chrome.management.policy | Future: push allow/blocklist policies from Extension Auditor |
| admin.directory.orgunit | Future: scope policies to org units |
If you'd prefer a strictly read-only grant for now, the OAuth flow itself works against a read-only subset — but the in-product setup wizard authorises the full list because that's what's required for forthcoming policy features. Removing scopes mid-flow will trigger a "scope mismatch" error in the connection test; see the troubleshooting guide.
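To check a grant against the two tables above before or after connecting, the following added example (not Extension Auditor's own code) classifies a scope list into read-only, read-write, unexpected, and missing entries. The function name, the sample grant, and the extra `admin.directory.user` scope are constructed for illustration; the `https://www.googleapis.com/auth/` prefix is the standard full-URL form of the short names listed on this page.

```python
# Added example: audit a granted scope list against the nine scopes this page documents.
PREFIX = "https://www.googleapis.com/auth/"  # full-URL form of the short names above

READ_ONLY = {
    "admin.directory.device.chromebrowsers.readonly",
    "chrome.management.reports.readonly",
    "chrome.management.appdetails.readonly",
    "chrome.management.policy.readonly",
    "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly",
}
READ_WRITE = {
    "admin.directory.device.chromebrowsers",
    "chrome.management.policy",
    "admin.directory.orgunit",
}

def audit_scopes(granted: str) -> dict:
    """Classify a space- or comma-separated scope list (hypothetical helper).

    Accepts short names or full URLs, e.g. the `scope` field of an OAuth
    token response or the list entered for domain-wide delegation.
    """
    names = set()
    for raw in granted.replace(",", " ").split():
        names.add(raw[len(PREFIX):] if raw.startswith(PREFIX) else raw)
    expected = READ_ONLY | READ_WRITE
    return {
        "read_only": sorted(names & READ_ONLY),    # used for routine inventory sync
        "read_write": sorted(names & READ_WRITE),  # reserved for future policy features
        "unexpected": sorted(names - expected),    # not documented on this page: investigate
        "missing": sorted(expected - names),       # likely cause of a "scope mismatch" error
    }

# Constructed sample: six read-only scopes, one read-write scope, one undocumented scope.
SAMPLE_GRANT = " ".join(PREFIX + s for s in sorted(READ_ONLY)) + (
    f" {PREFIX}chrome.management.policy, {PREFIX}admin.directory.user"
)

if __name__ == "__main__":
    for bucket, scopes in audit_scopes(SAMPLE_GRANT).items():
        print(f"{bucket}: {scopes}")
```

Anything reported under `unexpected` is outside what this page says the integration requests, and anything under `missing` is a scope the setup wizard expects.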
What we store
After a successful sync we store, per integration:
- The Google customer ID for your Workspace tenant
- For Service Account integrations: the Workspace domain and the admin email used for delegation
- For OAuth integrations: an encrypted refresh token plus the access token's expiry
- The browser, extension, user, and org-unit records returned by the APIs
- A timestamped sync log with success / failure status and any error message
We never store user passwords, browsing history, web requests, or extension content. The CBCM APIs don't expose that data and Extension Auditor doesn't ask for it.
Disconnecting
You can disconnect an integration at any time from Settings → Integrations → Google Workspace → Disconnect. Disconnecting removes the stored credentials and all discovered browser, extension, and user records for that integration. Any extension monitors you've configured remain — they just stop receiving Workspace-derived signals until you reconnect.
Next steps
- Service Account setup walkthrough — recommended for production
- OAuth setup walkthrough — fastest to get started
- Troubleshooting common setup errors
- Google Chrome Enterprise docs:
