Provisioning Gmail

This section describes how to provision Gmail. "Provisioning" means both creating a service account and the process by which Cloud App Security is granted the ability to access your Gmail environment.

Cloud App Security provisions the service account for Gmail through the OAuth 2.0 flow.


Cloud App Security allows only administrators assigned to the default Global administrator role to provision service accounts. For details about Cloud App Security role-based access control, see Administrator and Role.

Provisioning a Gmail Service Account

Provision a service account for Gmail to allow Cloud App Security to run advanced threat protection and data loss prevention scanning on email messages in protected Gmail mailboxes.

The steps outlined below detail how to provision a service account for Gmail from Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over Gmail and click Provision.

    The Provision Service Account for Gmail screen appears.

  3. Click Click here in Step 1.

    The Trend Micro Cloud App Security application screen in the Google Workspace Marketplace appears.

    • If the Cloud App Security application is not installed:

      1. Click Admin install.

        A new window appears for you to sign in to Google.

      2. Specify your Google Super Admin credentials, and click Next and then CONTINUE.

        An authorization screen appears.

      3. Choose who to install the app for.

        Trend Micro recommends you select Everyone at your organization.

      4. Select I agree to the application's Terms of Service, Privacy Policy, and Google Workspace Marketplace's Terms of Service and click Finish to start installation.

        The application is successfully installed.

    • If the Cloud App Security application is already installed:

      1. Log on to as a Google Super Admin.

      2. Go to Apps > Google Workspace Marketplace apps > Apps list and click Trend Micro Cloud App Security.

      3. Click Grant access in the Data Access section.

        Granted appears on the screen.

  4. Go back to the Cloud App Security management console as instructed and click Click here in Step 2.
  5. In the new window that appears, click your Google Super Admin account.
  6. Go back to the Cloud App Security management console as instructed and click Done.

    Cloud App Security then synchronizes your Gmail user and group information. The time required depends on how many users and groups you have in Gmail.

  7. Hover over the ring icon in the upper-right corner of the management console.

    If the message "Gmail protected." appears on the Notifications screen, the provisioning is successful.

If for some reason the access token becomes invalid, a notification appears on Dashboard. Cloud App Security also sends an email message to notify the administrator of this event. To continue using the service account, go to Administration > Service Account to create a new access token. For more information, see Service Account.