This step authorizes your service account to read the directory. It must be done by a Google Workspace super admin in the Google Admin console.
- Go to admin.google.com as a super admin.
- Open Security → Access and data control → API controls.
- Click Manage Domain Wide Delegation.
- Click Add new and enter:
  - Client ID: the Client ID from your service account (from the previous step)
  - OAuth scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize.
⏱ After authorizing, wait 2–5 minutes for Google to apply the change before syncing.
Only this single read-only scope is needed — Workspace Sync never requests write access.
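
To show what the delegation entry permits, the Python below is an added example, not Workspace Sync's own code: it builds the JWT claim set a service account presents when it requests a delegated token, and refuses any scope other than the one authorized above. The sample key fields, the impersonated admin address and the function names are assumptions made for illustration; signing the assertion is left to an OAuth client library.

```python
import json
import time

# The single scope authorized in the Admin console step above.
AUTHORIZED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def console_entry(key_info):
    """Values to enter under 'Add new': taken from the service account key JSON."""
    return {"Client ID": key_info["client_id"], "OAuth scopes": AUTHORIZED_SCOPE}


def check_scopes(requested):
    """Return the requested scopes that the delegation entry does not cover."""
    return sorted(set(requested) - {AUTHORIZED_SCOPE})


def delegation_claims(key_info, admin_email, scopes, now=None):
    """Build the (unsigned) JWT claim set for a delegated token request."""
    extra = check_scopes(scopes)
    if extra:
        # Fail locally instead of sending a request Google would reject.
        raise ValueError(f"scopes not authorized for delegation: {extra}")
    now = int(time.time()) if now is None else now
    return {
        "iss": key_info["client_email"],  # the service account itself
        "sub": admin_email,               # Workspace user being impersonated (assumption)
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,                # assertions are valid for at most one hour
    }


# Constructed sample key fields, not a real service account.
SAMPLE_KEY = {
    "client_email": "sync@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
}

if __name__ == "__main__":
    print(json.dumps(console_entry(SAMPLE_KEY), indent=2))
    claims = delegation_claims(SAMPLE_KEY, "admin@example.com", [AUTHORIZED_SCOPE])
    print(json.dumps(claims, indent=2))
    # The write variant of the scope was never authorized, so it is flagged.
    print(check_scopes([AUTHORIZED_SCOPE, "https://www.googleapis.com/auth/admin.directory.user"]))
```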