To authorize other applications to access domain-wide data of Gmail and Google Drive users, delegate domain-wide authority to the service account.
For instructions on delegating domain-wide authority, go to the Google Identity Platform website, Delegating domain-wide authority to the service account.
Enter the following G Suite, Gmail, and Google Drive API scopes that your application will access:
https://mail.google.com/, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.user.alias, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/drive
Note
-
After you delegate domain-wide authority, you can see the application Client ID. You will need this information when you create a virtual client.
-
If you plan to use an already created project by your organization, create a new service account under the project.
-
Enable domain-wide delegation for the service account.
-
Enter the following OAuth 2.0 scopes for the services that the service account can access:
https://mail.google.com/,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.security