Google Workspace as opposed to Gmail, is built for team collaboration and provides added customization, integration, security measures, and storage space that are essential for business users.

Permissions

admin.directory.rolemanagement.readonly user.organization.read

We require these scopes when connecting to Google Workspace

• View delegated admin roles for your domain.
  • To get the roles of users in their workspace which we show on the vendor access page.
• See info about users on your domain.
  • To be able to get list of users and user info.
• Manage data access permissions for users on your domain.
  • To get a list of apps for which users use their Google account to login -- this info is needed to populate the SSO column on vendor access page.

For the most up-to-date information regarding Permissions and Data pulled, visit the integration directly in Secureframe under Integrations > available integrations, search for the application in question, then click View Details and finally Permission and Data.

How MFA Status Is Displayed for Federated Applications

When using Google Workspace as a SAML identity provider (IdP) for third-party applications like GitLab, Secureframe attempts to infer the MFA status of those connected apps based on two conditions:

1. MFA must be enabled for the user's Google Workspace account.
   If the Google account itself does not have 2FA enabled, no apps (including GitLab) will show as having MFA enforced.

2. Google’s API must return the app under the expected name.
   Secureframe checks the list of connected apps returned by Google’s Admin SDK. For GitLab to appear with MFA enabled, it must be listed exactly as “Gitlab” in Google’s records. Variants (like lowercase, hyphenated, or domain-based app names) may prevent proper mapping.

🔍 If the expected app name is not returned or MFA is not active on the identity provider account, Secureframe will show “×” for 2FA, even if access is technically protected upstream.

Common Scenarios

Scenario	Will Secureframe Show MFA Enabled for GitLab?
Google Workspace user has 2FA enabled and GitLab is listed as “Gitlab”	✅ Yes
Google Workspace user has 2FA disabled	❌ No
GitLab not listed as “Gitlab” in Google’s app list	❌ No
GitLab has its own 2FA enabled directly in GitLab	✅ Yes (if GitLab account data is synced separately)