This article will explain how to configure Google Workspace Synchronisation and Gmail Active Delivery. This will allow you to synchronise your users to the platform and allow direct delivery to your user's Gmail mailboxes. Configuring Gmail Active Delivery will allow our simulated phishing emails to bypass most Gmail scanning and classification.
Please note, only one Active Integration should be added to an account. If you require multiple Active Integrations, please contact your Customer Success Manager or support@phishingtackle.com about enabling the Partner Portal.
- Part 1 - Enabling the Admin SDK (Required for Google Workspace Synchronisation) and Gmail API (Required for Google Gmail Active Delivery)
-
Part 2 - Creating a Service Account (Required for Google Synchronisation and Delivery)
-
Part 5 - Add a domain wide delegation user (Required for Google Workspace Synchronisation)
Part 1 - Enabling the Admin SDK (Required for Google Workspace Synchronisation) and Gmail API (Required for Google Gmail Active Delivery)
Note: You'll need access to the Google API console to complete this step.
To enable the Admin SDK and Gmail API from the Google API console:
- Log on to the Google API Console at https://console.developers.google.com.
- Create a Project with the name of "Phishing Tackle Gmail Delivery". See the Creating a Project page in the Google Workspace technical documentation for further details.
- Once the project is created, select it using the drop-down button at the top of the Google Cloud Console.
- Next open the side menu by clicking the three horizontal lines in the above image and select APIs & Services | Enabled APIs and services (Steps 1 & 2) in the below image. NOTE: This page may already be displayed.
- When the Dashboard opens, click ENABLE APIS AND SERVICES as per the below image.
- Enable the API for the service you would like to use.
To configure Google Workspace Synchronisation, you must enable Admin SDK API.
- On the Welcome to the API Library page, search for "Admin SDK API"
- Select the "Admin SDK API" tile and click "Enable".
To configure Google Gmail Active Delivery, you must enable Gmail API.
- On the Welcome to the API Library page, search for "Gmail API"
- Select the "Gmail API" tile and click "Enable".
Please ensure you have the correct settings enabled for the service you are trying to use.
- Admin SDK API - Is required if you want to use Google Workspace Synchronisation.
- Gmail API - Is required if you want to use Google Gmail Active Delivery.
Part 2 - Creating a Service Account (Required for Google Synchronisation and Delivery)
Note: You'll need access to the Google API console to complete this step.
To create a Service Account from the Google API Console:
- Log on to the Google API Console at https://console.cloud.google.com and select the Phishing Tackle Gmail Delivery project from the list at the top.
- Open the side menu by clicking the three horizontal bars at the top left and select IAM & Admin | Service Accounts.
- Click CREATE SERVICE ACCOUNT which can be found at the top of the page.
- On the Create service account page enter the following details (the Service account ID will populate automatically once you start typing the Service account name) and click CREATE.
Service account name Phishing Tackle Gmail Delivery Service account description (this may be changed to suit your requirements) Allow the direct delivery of simulated phishing emails to end-user mailboxes
- When the Select a role option is shown, select Service Accounts | Service Account User as per the following image:
- Select DONE.
- On the Service accounts for project "Phishing Tackle Gmail Delivery" page, select the vertical ellipsis (three vertical dots) on the far-right side of the new Service Account you just created and select Manage Keys :
- On the Keys page select ADD KEY and then Create new key from the drop-down menu:
- Select the JSON radio button from the Create private key for "Phishing Tackle Gmail Delivery" dialog box and click CREATE.
- After the key is created you will be prompted to save the .json file.
Note: Please ensure this is saved to a secure private location as you will need this file to upload to your Phishing Tackle account.See this link details Google's recommendations on securely storing this file. - Once the key is saved, you should see the following message. Click Close.
- Click DETAILS from the list of tabs under the name of your Service Account.
- On the Service account details page, click "SHOW ADVANCED SETTINGS" link which should then expand.
- You should now see a value in the Client ID box.
** MAKE A NOTE OF THIS CLIENT ID AS YOU WILL NEED IT IN THE NEXT PART OF THE ARTICLE **
Part 3 - Authorising the Service Account's Client ID (Required for Google Workspace Synchronisation and Gmail Active Delivery)
Note: Please see the Google Workspace Domain Wide Delegation documentation found here if you require further clarity surrounding this subject.
To authorise the Service Account's Client Id from the Google API Console:
- Log on to the Google Admin Console at https://admin.google.com/.
- Click on the menu item "Show More".
- Click on the menu item "Security" > click "Overview".
- Click the API controls section (you may need to scroll down the page to find it).
- On the API controls page, select MANAGE DOMAIN WIDE DELEGATION (you may need to scroll down the page to find it).
- On the Domain-wide Delegation page click the Add New button.
- Enter the Client ID from Part 2 Stage 14.
- Enter the OAuth Scopes for the service you would like to configure.
The following OAuth Scopes (permissions) for Google Synchronisation and Delivery can be added to the same API Client if you intend to use both. We will also explain what to do if you decide to only use Google Synchronisation or Delivery not both. All three methods are explained below.
To use Google Synchronisation and Active Delivery - You can create a single API Client with all required OAuth scopes. Please ensure your OAuth scopes are the same as the box below.
Client ID Enter the value from Part 2, Step 14 above. OAuth scopes (comma-delimited) https://www.googleapis.com/auth/gmail.insert https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonlyNOTE: This process grants us access ONLY to insert new emails into the mailbox. We DO NOT have access to read, alter, or delete any emails.
Client ID Enter the value from Part 2, Step 14 above. OAuth scopes (comma-delimited) https://www.googleapis.com/auth/gmail.insert NOTE: This process grants us access ONLY to insert new emails into the mailbox. We DO NOT have access to read, alter, or delete any emails.
Client ID Enter the value from Part 2, Step 14 above. OAuth scopes (comma-delimited) https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly - Click Authorize.
Part 4 - Upload the JSON file to the Phishing Tackle platform (required for Google Active Delivery and Synchronisation)
- Log on to the Phishing Tackle Platform at https://uk.phishingtackle.com.
- Navigate to SETUP > Organisation > Settings > Active Integrations and click + ADD INTEGRATION.
- From the dropdown menu, select Google Workspace.
- From the Add New Integration box, click BROWSE and select the .json file you saved while creating a service account earlier (Part 2 - Creating a Service Account), then hit SAVE.
- You'll now see your Google Workspace integration.
Once this has been completed Google Gmail Active Delivery has now been configured. You should now be able to select Google Gmail Active Delivery from the simulated phishing campaign creation wizard within your platform.
Part 5 - Add a domain wide delegation user (Required for Google Workspace Synchronisation)
- In the left-hand column navigate to SETUP > Organisation > Settings > Active Integrations.
- For your previously created Google Workspace integration click on the drop-down arrow then > click edit.
- Specify the Domain Wide Delegation User (please note this must be the email address of the admin that created the JSON file).
- Click save.
Please note, once your Active Integration is configured, you can click the drop-down arrow to start a manual synchronisation. However, it's important to understand that starting a manual synchronisation should only be used if a problem has been identified with your existing synchronisation.
This is because a manual synchronisation will remove and re-add all recipients in your campaigns or training courses, which can be disruptive to ongoing phishing campaigns or training courses.
If you require any further help on this, or any aspect of our platform, please contact our support team by clicking here.