This article explains how to integrate Google Workspace Directory with Personio. With this integration, Personio can automatically create Google Accounts for new employees, update Google Account details when employee details change in Personio, and automatically deactivate Google Accounts of inactive employees.
Pre-requisites for a successful integration
Before beginning the integration process, ensure the following is in place:
- You have an admin role or editing rights for Marketplace Integration and API in Personio via Settings > People > Employee Roles > Access rights > Account configuration > Marketplace Integration and API.
- You have a Google Workspace super administrator account.
- You have the necessary rights to create a Google Cloud project and a Google service account.
Connect and authenticate Google Workspace Directory Sync
Before you can begin the setup process in Personio, you must set up and authorize a Google service account. A service account credential ensures the Google Directory Sync integration can run reliably and securely.
- Go to Google Cloud and create a Google Cloud project as a super administrator. When setting up a project, it's best practice to assign at least one extra person as a Project Owner.
- Activate the Admin SDK API for the Google Cloud project to enable the service account to perform administrative directory tasks.
- Set up the OAuth consent screen. Mark the app as Internal to restrict its usage and avoid Google needing to review it.
- Create your service account.
- Create and download the service account key in JSON format.
- Visit admin.google.com and grant the service account User Management Admin access. This allows it to perform user administrative tasks.
Once you have completed these tasks, set up the integration directly in Personio's Marketplace with the Configuration Wizard. Follow these steps:
- Go to Marketplace in Personio.
- Search for and select the Google Workspace Directory Sync integration.
- Click Connect to open the Configuration Wizard.
- Enter your Primary Domain and Service account key.
- Click Next.
Existing accounts
Step two of the Configuration Wizard allows you to set up data synchronization for existing Google accounts. Follow these steps:
- Select Sync employee data to existing Google Accounts if you want to keep employee information up to date in your Google directory.
- Review all the information. Ensure that each Google Directory Field matches the corresponding Personio attribute.
- Optional: Click Add new attribute to include more attributes.
- Click Next to go to step three of the Configuration Wizard to configure new accounts.
This integration cannot deactivate or change administrator accounts.
New accounts
Step three of the Configuration Wizard allows you to configure new Google Accounts. Follow these steps:
- Select Create new Google Accounts if you want Personio to create new Google Accounts for employees with empty email addresses or who don’t match a Google Account in your directory.
- Optional: Choose to define the email address manually and provide the value in a Personio custom attribute.
- If you don’t pre-assign email addresses, configure the format of automatically generated email addresses.
- Click Next to go to the last step of the Configuration Wizard to configure deactivations.
Deactivations
The last step of the Configuration Wizard allows you to configure deactivations. Follow these steps:
- Select Deactivate Google Accounts when employees become inactive if you want to deactivate linked Google Accounts when the employee status changes to inactive.
- Click Finish.
The integration setup is complete.
This integration cannot deactivate or change administrator accounts.
Google Workspace Directory workflows
Once the integration is complete, Personio will try to match all active employees to Google Accounts based on their email addresses. The integration will only match employees in active status.
When there is a match, the integration creates an entry in the Google Directory. It uses the externalIDs field containing the matching Personio employee ID.
Following the initial sync, the integration runs every 30 minutes. It gives priority to employee ID to ensure the integration can keep working even if the employee’s email address changes.
Inactive employees
Inactive accounts will continue to be updated. Customers can prevent this by removing the externalIDs link in Google Directory. This stops the connection, and the integration won’t try to recreate inactive users.
Note: Only non-admin accounts can be managed by this integration.
User Provisioning
You can automatically create new accounts for active Personio employees not previously linked to Google Directory with the following options:
- Pre-assign email addresses
Specify a field containing the desired email address. The attribute must be a full email address, including the domain. If the field contents aren't in email format or Google Directory doesn’t support the domain, the integration won’t create an account. If the field is blank, the email address will be automatically generated. You can pre-assign email addresses on a selective basis.
- Automatically generate email addresses
If you choose not to pre-assign email addresses or leave the attribute field blank, the integration will attempt to create the email address according to the formula you specify. In case there is a naming conflict, the integration will add the employee ID to the username, which can be changed later.
The attribute must be a full email address, including the domain. If the field’s contents aren’t in email format, no account will be created for the user. Also, if the email address domain doesn’t belong to your Google Directory, no account will be created.
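The provisioning rules above can be dry-run before enabling account creation. The following is an added example, not Personio's code: it models the pre-assign, auto-generate, and naming-conflict rules on constructed employee records. The `firstname.lastname` formula, the placement of the employee ID, the field names, and the simplified email check are assumptions.

```python
import re

# Simplified address check for this sketch, not the validation Personio or Google apply.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def generated_local(emp):
    # Assumed formula: firstname.lastname, lower-cased, other characters dropped.
    clean = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return f"{clean(emp['first_name'])}.{clean(emp['last_name'])}"

def plan_account(emp, directory_domains, primary_domain, taken):
    """Return (action, address, reason) for one active, unlinked employee."""
    pre = (emp.get("preassigned_email") or "").strip().lower()
    if pre:
        if not EMAIL_RE.match(pre):
            return ("skip", None, "not a full email address")
        if pre.split("@", 1)[1] not in directory_domains:
            return ("skip", None, "domain not in Google Directory")
        return ("create", pre, "pre-assigned")
    local = generated_local(emp)
    addr, reason = f"{local}@{primary_domain}", "generated"
    if addr in taken:
        # Naming conflict: employee ID is added to the username (placement assumed).
        addr, reason = f"{local}.{emp['id']}@{primary_domain}", "generated with employee ID"
    return ("create", addr, reason)

def plan_batch(employees, directory_domains, primary_domain, existing):
    taken, plan = {a.lower() for a in existing}, {}
    for emp in employees:
        result = plan_account(emp, directory_domains, primary_domain, taken)
        if result[1]:
            taken.add(result[1])  # later hires in the same run must not collide
        plan[emp["id"]] = result
    return plan

# Constructed sample data.
NEW_HIRES = [
    {"id": "101", "first_name": "Ana", "last_name": "Lopez", "preassigned_email": "Ana@Example.com"},
    {"id": "102", "first_name": "Ben", "last_name": "Cole", "preassigned_email": "ben.cole"},
    {"id": "103", "first_name": "Cy", "last_name": "Diaz", "preassigned_email": "cy@other.test"},
    {"id": "104", "first_name": "Dee", "last_name": "Park", "preassigned_email": ""},
    {"id": "105", "first_name": "Dee", "last_name": "Park", "preassigned_email": None},
]
PLAN = plan_batch(NEW_HIRES, {"example.com"}, "example.com", ["j.doe@example.com"])

if __name__ == "__main__":
    for emp_id, (action, addr, reason) in PLAN.items():
        print(emp_id, action, addr, reason)
```

Employees planned as `skip` are the ones who would silently end up without an account, so they are worth correcting in Personio before the first sync.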
User deprovisioning
The integration disables the Google Account of inactive Personio employees. It doesn’t delete the account. Disabling inactive employees in Google can take up to 30 minutes. If you need to terminate access to Google immediately, coordinate with your IT admin to disable the Google Account.
This integration cannot deactivate or change administrator accounts. This is a protective measure put in place by Google. It ensures your organization always has control over critical admin access and privileges, even when syncing with an external directory service. Regular user accounts can still be fully managed via the directory sync process.
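Because administrator accounts and unlinked accounts are never disabled by the sync, an offboarding audit should look for them explicitly. The following is an added example, not part of the integration: it compares constructed Personio records with constructed Google user records shaped like Admin SDK Directory API user resources (`primaryEmail`, `suspended`, `isAdmin`, `isDelegatedAdmin`, `externalIds`). Reading the link from the first `externalIds` entry and the Personio field names are assumptions.

```python
SYNC_WINDOW_MIN = 30  # per the page, disabling can take up to 30 minutes

def linked_id(user):
    """Personio employee ID stored in externalIds, or None when unlinked."""
    ids = user.get("externalIds") or []
    return ids[0].get("value") if ids else None  # first entry: an assumption

def audit_offboarding(employees, google_users):
    """List (email, finding) for inactive employees whose Google Account is still enabled."""
    by_id = {linked_id(u): u for u in google_users if linked_id(u)}
    by_email = {u["primaryEmail"].lower(): u for u in google_users}
    findings = []
    for emp in employees:
        if emp["status"] != "inactive":
            continue
        user = by_id.get(emp["id"])
        if user is None:
            # No ID link: the sync does not manage this account at all.
            user = by_email.get(emp["email"].lower())
            if user and linked_id(user) is None and not user.get("suspended"):
                findings.append((user["primaryEmail"], "unlinked"))
            continue
        if user.get("suspended"):
            continue
        if user.get("isAdmin") or user.get("isDelegatedAdmin"):
            # The integration cannot deactivate administrator accounts.
            findings.append((user["primaryEmail"], "admin_manual"))
        elif emp["inactive_minutes"] > SYNC_WINDOW_MIN:
            findings.append((user["primaryEmail"], "overdue"))
    return findings

def _user(email, emp_id=None, **flags):
    ext = [{"type": "organization", "value": emp_id}] if emp_id else []
    return {"primaryEmail": email, "externalIds": ext, **flags}

# Constructed sample data.
EMPLOYEES = [
    {"id": "201", "email": "a@example.com", "status": "inactive", "inactive_minutes": 10},
    {"id": "202", "email": "b@example.com", "status": "inactive", "inactive_minutes": 90},
    {"id": "203", "email": "c@example.com", "status": "inactive", "inactive_minutes": 90},
    {"id": "204", "email": "d@example.com", "status": "inactive", "inactive_minutes": 90},
    {"id": "205", "email": "e@example.com", "status": "inactive", "inactive_minutes": 90},
    {"id": "206", "email": "f@example.com", "status": "active", "inactive_minutes": 0},
]
GOOGLE_USERS = [
    _user("a@example.com", "201"), _user("b@example.com", "202"),
    _user("c@example.com", "203", isAdmin=True), _user("d@example.com"),
    _user("e@example.com", "205", suspended=True), _user("f@example.com", "206"),
]
FINDINGS = audit_offboarding(EMPLOYEES, GOOGLE_USERS)
```

`admin_manual` and `unlinked` findings need manual action in Google; `overdue` means the account is still enabled after the sync window and the integration should be checked.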