Delegate domain-wide authority to your service account

  1. From your domain's Admin console, go to Main menu > Security > Access and data control > API controls.

  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

  3. Click Add new.

    • In the Client ID field, enter the client ID obtained from the service account creation steps above.
    • In the OAuth Scopes field, enter a comma-delimited list of the scopes required for the application.

    Use the below scopes:

    • For scanning:
      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/gmail.readonly
    • For tagging:
      • https://www.googleapis.com/auth/gmail.modify
      • https://www.googleapis.com/auth/gmail.labels
      • https://www.googleapis.com/auth/gmail.metadata
  4. Click Authorize.