#Configure Custom Google App Profiles (Recommended)

For Google tenants, using a default service app may encounter throttling issues caused by Google quota limits. If performance is a concern, consider configuring a custom Google app for your organization. To configure custom Google app profiles, first Create a Custom Google App, then Consent to Custom Google Apps.

*Note: Before you create an app profile, you must ensure that the tenant has been connected to AvePoint Online Services. For more details on connecting tenants, refer to Connect Tenants.

#Create a Custom Google App

You can refer to the instructions below to create a custom Google app.

#Step 1: Create a New Project and Enable APIs

Refer to the instructions below to create a new project and enable APIs. Note the following:

#Create a New Project (Optional)

Follow the steps below to create a new project:

1. Go to .

2. Click the current resource.

   

3. Click New project.

4. Complete the Project name, Organization, and Location fields.

5. Click Create.

#Enable APIs

Follow the steps below to enable Google APIs:

1. Go to the .

2. Click the current resource to expand the projects list, and then select the project you want to use.

   *Note: The user that can enable APIs for a project must be the project owner.

   

3. Click Enable APISand services.

   ![Click "Enable APIS and services". ](/en/configuration-and-deployment/manage-apps/manage-app-profiles-for-google-tenants/images/image41.png "Click "Enable APIS and services". ")

4. The API library page appears.

   

5. Search for and enable APIs that are required by your services. Refer to the following links to view required APIs.

   • Fly

     • Gmail migration: and

     • Google Drive migration: and

   

6. Click the API that you want to enable, and then click Enable.

   ![Clicking "Enable".](/en/configuration-and-deployment/manage-apps/manage-app-profiles-for-google-tenants/images/image44.png "Clicking "Enable".")

#Step 2: Turn off Policies and Create a Service Account

To create the service account, first make sure your organization has turned off the policies that disable service account creation. Note the following:

#Turn off the Policies that Disable Service Account Creation

Before creating a service account, make sure the Disable service account creation, Disable service account key creation, and Disable service account key upload policies are turned off. You can refer to the steps below to turn off the policies:

1. If you are required to have the Organization Policy Administrator role to Manage policy, refer to the instructions below to add the Organization Policy Administrator role:

   

   1. Go to .

   2. In the resource list, select the organization of the project where you want to create the service account.

      

   3. Refer to the following instructions based on your scenario:

      • If you want to add a new principal, click Grant access. In the panel of granting access, enter your account in the New principals field, select the Organization Policy Administrator role from the Role drop-down list, and click Save.

        

      • If you want to edit an existing principal, click the Edit principal button next to the principal. In the panel of editing access, click Add another role, select the Organization Policy Administrator role from the Role drop-down list, and click Save.

        

2. Go to .

3. In the resource list, select the project where you create the service account.

   

4. From Disable service account creation, Disable service account key creation, and Disable service account key upload policies, click the policy that you want to turn off.

   

5. After you click a policy, the policy details page appears, and you can follow the steps below to turn off a policy:

   1. Click Manage policy.

   2. Select Override parent's policy to set a unique policy for this project.

      

   3. Click Add a rule to add a new rule.

      ![Clicking "Add a rule".](/en/configuration-and-deployment/manage-apps/manage-app-profiles-for-google-tenants/images/image52.png "Clicking "Add a rule".")

   4. Select Off to disable the enforcement of the new rule, and click Done.

      

   5. Click Set policy.

#Create a Service Account

Refer to the steps below to create a service account and a client ID:

1. Go to the .

2. Navigate to APIs & Services > Credentials.

3. Click Create credentials and select Service account.

   

4. Enter a service account name and a service account ID. Then, click Done.

   

5. Click the service account, and then click the Keys tab.

6. Click Add Key, and then click Create new key.

   

7. Select the JSON key type and click Create. The downloaded file contains important information for the configuration in the following steps, and you must store the file securely as it can’t be recovered if lost.

   

#Step 3: Configure OAuth Scopes

You can refer to the instructions below to configure scopes:

1. Go to , and then navigate to Security > Access and data control > API controls.

2. Click MANAGE DOMAIN WIDE DELEGATION.

   

3. Click Add new.

4. Add the client ID and OAuth scopes. After you finish the configuration, click AUTHORIZE.

   

   Note the following:

   • To get the client ID, you can open the private key file (downloaded when you Create a Service Account), or go to the Credentials page.

     

   • The configured scopes should be the same as the scopes added to the app. You can add required permission scopes to a custom Google app by referring to the following sections:

     • Fly

       • Gmail migration: and

       • Google Drive migration: and

     *Note: You must add the permission scopes that are exactly required. For example, the https://www.googleapis.com/auth/drive.readonly scope cannot be replaced by the https://www.googleapis.com/auth/drive scope. It is recommended that one custom Google app is configured for one service only.

After you finish configuring scopes for the custom Google app, go to AvePoint Online Services and navigate to Management > App management to create an app profile and consent to the custom Google app. For more details, refer to the Consent to Custom Google Apps section.

#Consent to Custom Google Apps

Refer to the following instructions to configure app profiles for custom apps and consent to custom apps.

1. Navigate to Management > App management, and then click Create.

2. Select services – Select a tenant and select services for which you want to create app profiles. Click Next.

3. Choose setup method – Select the Custom mode option. Note that the Custom mode option only appears when the selected services support custom apps.

4. Consent to apps – Refer to the instructions in the following sections to consent to a custom Google app.

   1. App profile name – Enter a name for the profile.

   2. Admin account – Enter the name of the Admin account that has the required privileges/roles. Refer to the table below for the required privileges/roles that vary with different features. For additional details, refer to the Manage Admin Roles and Privileges section below.

Service	Function/Module	Admin account permissions
Cloud Backup for Google Workspace	User services protection (including Gmail, Drive, Calendar, Contacts, and Chat)	Admin API privileges: Users > Read
Cloud Backup for Google Workspace	Shared drives protection	Admin console privileges: Drive and Docs > Settings
Cloud Backup for Google Workspace	Google Vault protection	Admin console privileges:Google Vault > View All MattersGoogle Vault > Manage ExportsGoogle Vault > Manage Holds
Cloud Backup for Google Workspace	Google Classroom protection	Super Admin
Cloud Backup for Google Workspace	Google Directory protection	Admin console privileges: Security Center > This user has full administrative rights for Security Center > Audit and Investigation > ViewAdmin API privileges:Groups > Create, Read, and UpdateUsers > Create, Read, and Update Custom Attributes
Fly	Gmail migration	Admin API privileges:Users > ReadGroups > ReadAdmin console privileges:Calendar > All Settings > Buildings and Resources > Room InsightsReportsMake changes to events permission to the calendar, or assign the Super Admin role to the Admin account. See more details in the Fly user guide.
Fly	Google Drive migration	Admin console privileges:Users > ReadDrive and Docs > SettingsReportsContent manager of shared drives See more details in the Fly user guide.
Insights	All features for Google Workspace	Super Admin
Confidence Platform for Google	Administration	Super Admin
Confidence Platform for Google	Governance	Super Admin
Confidence Platform for Google	Risk Intelligence	● Super Admin, or the following privileges:● Admin API privileges:Users > ReadDomain Management● Admin console privileges:Drive and Docs > SettingsReportsData Classification > Manage Labels
Confidence Platform for Google	Policy Enforcement	● Super Admin, or the following privileges:● Admin API privileges:Users > ReadDomain Management● Admin console privileges:Drive and Docs > SettingsReportsData Classification > Manage Labels
Confidence Platform for Google	Information management	● Admin API privilegesUsers > ReadGroup > ReadDomain ManagementReports● Admin console privileges:Drive and Docs > SettingsData Classification > Manage Labels
Opus	All features for Google Workspace	Super Admin, or the following privileges assigned to a custom role: Admin API privileges: Users > ReadDomain ManagementAdmin console privileges:Drive and Docs > SettingsReportsData Classification > Manage Labels

#Manage Admin Roles and Privileges

Refer to the instructions below to manage roles and privileges for an Admin account:

*Note: The user must have the Super Admin role to manage roles and privileges.

1. Go to the Google .

2. Click Manage in the Users section.

3. Click the user you want to assign the roles. The user details page appears.

4. In the Admin roles and privileges section, click the Expand button.

5. If you want to assign a pre-built role such as Super Admin or User Management Admin to the account, toggle the switch to Assigned in the Assigned state column.

   

6. Click SAVE.

7. If you want to create a custom role with required privileges, click CREATE CUSTOM ROLE.

8. Click Create new role.

   ![Clicking "Create new role".](/en/configuration-and-deployment/manage-apps/manage-app-profiles-for-google-tenants/images/image63.png "Clicking "Create new role".")

9. The Create role page appears. Enter a role name and click CONTINUE.

   ![The "Create role" page.](/en/configuration-and-deployment/manage-apps/manage-app-profiles-for-google-tenants/images/image64.png "The "Create role" page.")

10. In the Select Privileges section, select required privileges by referring to the Admin account table above.

11. Click CONTINUE.

12. Click CREATE ROLE. The custom role is successfully created.

13. You can assign the custom role to the Admin account.