Welcome to
Help Desk

Product Updates
Ideas Contact Support

Google Drive and Gmail Classification


The article covers information on adding Google Drive and Gmail as Cloud Content Sources in a Secure & Govern tenant.

Scanning Google Drive covers all content in user and team drives and provides some remediation options for unpermitted sensitive content.

Scanning Gmail covers content in emails and attachments sent to, from, and between mailboxes within the Google Workspace instance. Many regulatory compliance policies apply to email. Furthermore, email is a common medium through which sensitive information is shared and Egnyte can discover the most sensitive discussions happening over email.

Steps for connecting Google Drive and Gmail are almost identical with the exception of the step where domain-wide delegation is configured where a different set of Oauth scopes are required.

The user can use the same service account for both Gmail and Google Drive to add both sets of Oauth scopes when configuring domain-wide delegation. If they have already set up one source, the user can use the same service account with the other source by extending the list of API scopes available to the service account with the required additional scopes.

Prerequisites for Setting Up Google Drive and/or Gmail

  • GSuite domain with super-admin privileges


Configure Service Account


  • Go to the service accounts management screen: IAM & Admin -> Service Accounts. It should display the list of already configured service accounts.
  • Create a new service account and proceed with the creation wizard.


  • Choose a name and description for the service account. Select the defaults on the subsequent screens.






  • Create a private key for the service account. The key will have to be exported to P12 format and downloaded to the local hard drive.






  • Record the service account client ID and email in the details view in the service accounts list


  • Click Save.


Enable APIs in Google Cloud Console

  • Go to APIs & Services -> Enabled APIs to view the summary of currently used APIs
  • For Google Drive Classification, ensure that the Google Drive API and Admin SDK are visible and enabled in the list (if not, choose the Enable APIs and Services option to enable them). For Gmail Classification, ensure that the Gmail API and Admin SDK are visible and enabled (if not, choose the Enable APIs and Services option to enable them).








Configure Domain-Wide Delegation

  • Go to GSuite Admin console.
  • Log in as a user with a Super Admin role
  • (Optional) Create a dedicated user for the purpose of Egnyte connection. Alternatively, the user can use the user account with which they are logged in.


  • Ensure that the user has Super Admin role. If not, assign the required role.




  • Go to Dashboard -> Security -> Access and Data Control -> API Controls


  • Navigate to Domain-Wide delegation configuration


  • Add a new API client corresponding to the service account created in the previous steps.



  • As a result, the client should be visible on the list:


Add the Google Drive and/or Gmail Content Source in Egnyte

  • In the Secure and Govern Admin Panel, go to Settings -> Content Sources -> Add Cloud Source and select Google Drive or Gmail depending on which source is being adding.
  • Enter the source information.
    Service account email is the email of the service account configured in the previous steps. It can be obtained by clicking on View Client ID in the service accounts list in the Google Cloud console.
    Service account user is the GSuite user who has the Super Admin role. It is either the user account by which the GSuite domain is managed or a dedicated account for Egnyte connection.
    File with private key is the private key generated for the service account and saved to the local drive. It has to be saved in P12 format.

  • Allow the connector to communicate with Secure and Govern


  • When the process is complete, the user should see the confirmation of the successful connection of the source.


  • For Gmail, once the connection is successful, the user will be prompted to select the Gmail groups that you want to scan with Egnyte. They can also specify if they want users who are not part of any groups to be scanned individually.

  • For GDrive, they will be prompted to select the Organizational Units (OUs) groups they want to scan with Egnyte.

Secure and Govern_GDrive and Gmail Classification_20.png

If cancelled before finalizing this step, the source will stay in a not configured state until that step is completed.


After the initial configuration, the user can change the settings at any time in the source configuration details



Remediation Options for Sensitive Content in Emails

When reviewing sensitive content in emails, the user has the option to delete emails with unpermitted sensitive content within the email body or attachments. Deleted emails are sent to Trash after which they are purged based Trash purge settings in Gmail. To delete emails with unpermitted sensitive content choose Fix > Delete Sensitive Email Data in the Sensitive Content Details section when a sensitive content location is selected.


Delete Sensitive Email Data from the Sensitive Content View

Was this article helpful?
0 out of 0 found this helpful

For technical assistance, please contact us.