Google Workspace Admin MCP server
Automate enterprise administration tasks across your Google Workspace domain with an AI agent. This MCP server lets you programmatically manage users, groups, organizational units, devices, and security settings—enabling AI to handle onboarding, policy enforcement, and compliance monitoring at scale.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, add it to the AI client your team uses.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
The Google Workspace Admin API uses OAuth 2.0 with domain-wide delegation. Set up your credentials in Google Cloud Console, then configure the MCP server with your Client ID and Client Secret.
- Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
- Token endpoint: https://oauth2.googleapis.com/token
Key OAuth scopes include:
- https://www.googleapis.com/auth/admin.directory.user (user management)
- https://www.googleapis.com/auth/admin.directory.group (group administration)
- https://www.googleapis.com/auth/admin.directory.device.mobile (mobile device management)
- https://www.googleapis.com/auth/admin.directory.device.chromeos (Chrome device management)
- https://www.googleapis.com/auth/admin.reports.audit.readonly (audit log access)
Available tools
These tools allow you to manage users, groups, organizational units, devices, and security configurations across your domain.
| Tool | Description |
|---|---|
| Create user | Create a new user account with name, email, and profile information |
| Update user | Modify user properties including profile, organizational unit, and account status |
| Suspend/delete user | Suspend or permanently delete a user account |
| List users | Retrieve all domain users with filtering options |
| Manage user passwords | Set or reset user passwords and password policies |
| Create group | Create a new distribution or security group |
| Manage group membership | Add or remove members from groups |
| List groups | Retrieve all groups or groups for a specific user |
| Create organizational unit | Create a new OU in the domain hierarchy |
| Move users to OU | Relocate users between organizational units |
| Manage devices | Wipe, lock, or approve mobile and Chrome devices |
| Configure security policies | Set 2FA requirements, password policies, and API access rules |
| View audit logs | Retrieve admin activities and security events |
| Generate usage reports | Obtain statistics on storage, active users, and adoption rates |
Tips
- Use minimal required scopes to reduce security risk—request only the permissions you need for your automation tasks.
- Implement domain-wide delegation with a service account rather than user credentials to ensure consistency and avoid single-user dependency.
- Rotate service account keys periodically and monitor domain-wide delegation scopes in the admin console to catch unauthorized access attempts.
- Use batch requests when managing bulk operations like user imports or device policies to stay within rate limits (2,400 queries per minute).
- Test your automation in a non-production organizational unit before rolling out organization-wide to prevent unintended changes to active users.
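The scope tips above (minimal scopes, a read-only server beside a read-write one, monitoring delegated scopes) can be checked mechanically. The following is an added example, not Cequence or Google code: it compares the scopes granted to a server's OAuth client with what its enabled tools need. The tool-to-scope mapping and the sample grant are assumptions constructed for illustration; the `.readonly` scopes are Google's read-only counterparts of the scopes listed under Authentication.

```python
PREFIX = "https://www.googleapis.com/auth/"

# Assumed mapping from this page's tool names to the narrowest scope each needs.
# Hypothetical: confirm against the tool definitions your gateway actually exposes.
TOOL_SCOPE = {
    "List users": "admin.directory.user.readonly",
    "Create user": "admin.directory.user",
    "Suspend/delete user": "admin.directory.user",
    "List groups": "admin.directory.group.readonly",
    "Manage group membership": "admin.directory.group",
    "Manage devices": "admin.directory.device.mobile",
    "View audit logs": "admin.reports.audit.readonly",
}

def required_scopes(tools):
    """Narrowest scope set for the enabled tools (KeyError on an unmapped tool)."""
    return {PREFIX + TOOL_SCOPE[t] for t in tools}

def audit_grant(tools, granted):
    """Compare granted scopes with what the enabled tools need."""
    required = required_scopes(tools)
    granted = set(granted)
    # A write scope also satisfies a requirement for its .readonly variant.
    covered = granted | {s + ".readonly" for s in granted
                         if not s.endswith(".readonly")}
    unneeded = granted - required
    # Write scope granted although only the read-only variant is required.
    write_for_read = {s for s in unneeded if s + ".readonly" in required}
    return {
        "missing": sorted(required - covered),
        "write_where_read_suffices": sorted(write_for_read),
        "unused": sorted(unneeded - write_for_read),
    }

# Constructed sample: a reporting server that should be read-only.
REPORTING_TOOLS = ["List users", "List groups", "View audit logs"]
REPORTING_GRANT = [
    PREFIX + "admin.directory.user",             # write scope on a read-only server
    PREFIX + "admin.directory.group.readonly",
    PREFIX + "admin.reports.audit.readonly",
    PREFIX + "admin.directory.device.chromeos",  # no enabled tool uses this
]

if __name__ == "__main__":
    for finding, scopes in audit_grant(REPORTING_TOOLS, REPORTING_GRANT).items():
        print(f"{finding}: {scopes}")
```

Any non-empty `write_where_read_suffices` or `unused` entry is a scope to remove from the delegation grant; a non-empty `missing` entry means an enabled tool will fail authorization.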
Cequence AI Gateway