Google Workspaces directory integration

Email Security can integrate with Google to retrieve user and group information. This can be used to enforce the Business Email Compromise configuration to prevent user impersonation.

1. Create a service account in Google for Email Security Directory Integration

You need to authorize Email Security to make connections into your Google tenant to retrieve your directory details. Cloudflare recommends that you create a service account for this purpose. This account will require the following following privileges:

• View group subscriptions on your domain.
• View organization units on your domain.
• View groups on your domain.
• See info about users on your domain.

Start by creating a service account. If you already have one, you can skip this step.

1. Access your Google admin console ↗, and go to Account > Admin roles.

   

2. Select Create new role, and give it a descriptive name and description. When you are finished, select Continue.

3. In Admin console privileges, select the following privileges:

   • Organizational Units > Read
   • Users > Read
   • Directory Settings > Settings >Google Support Settings
   • Directory Sync > Manage Directory Sync Settings > Read Directory Sync Settings

   

4. When you specify Admin console privileges, you also grant the corresponding Admin API privileges. In any case, make sure the following privileges are selected for Admin API privileges:

   • Organizational Units > Read
   • Users > Read
   • Groups > Read

   

5. Select Continue.

6. Review your information and select Create Role.

2. Authorize Email Security for Directory Access with Google

1. Log in to the Email Security dashboard ↗, and select Settings (the gear icon).

2. Go to Directories, and select Add Directory to start the authorization process.

   

3. In the Add Directory configuration panel, enter the following details:

   • Directory Type: Open the drop-down menu and select Google.
   • Directory Name: Enter a string that represents the directory. This value will be referenced in the Business Email Compromise List configuration section. For example, Gmail.
   • Sync Frequency: Update the value to your preference.

   Select Authorize when you are done.

4. The Email Security dashboard will redirect you to a Google login page. Select or enter the appropriate account to initiate the authentication process.

5. Once authenticated, the system will show a dialog box with a list of the required permissions. Check all the checkboxes, and select Continue to authorize the change.

   

6. Upon authorization, you will be automatically redirected back to the Add Directory configuration panel. Select Save to complete the authorization process.

   

7. Once saved, your newly configured directory will appear in the configured directories table.

   

3. Configure the Business Email Compromise list

Now that Email Security (formerly Area 1) has been authorized to access and retrieve directory information, you will need to configure the Business Email Compromise list.

1. Log in to the Email Security (formerly Area 1) dashboard ↗, and select Settings (the gear icon).

2. Go to Email Configuration > Enhanced Detections > Business Email Compromise.

   

3. Open the drop-down menu and select the directory you have created in the previous step 3.

   

4. If the initial directory synchronization has completed, the page will refresh and list groups and users. If you do not see any information, wait a few minutes as the system completes processing the initial synchronization.

   

5. Select the arrow next to a group to expand it and show its members.

   

6. To protect an entire group, select the three-dots button next to it, and then select Protect. When you protect a group, all of its members will be automatically protected. The protection markers will turn green to indicate that protection is active.

   

7. You can also protect individual users. Select the three-dots button next to each user you want to protect, and then select Protect.

4. Configure secondary email address (if required)

When the Business Email Compromise list is configured, Email Security (formerly Area 1) will enforce the proper match of the sender’s display name and email address. Any variation from this strict requirement will raise a detection event. The reason of detection will be Protected Name <NAME> should not appear as <non-configured email address>.

In some instances, you may want to allow your protected users to send emails from an alternate email address (like their personal email address). To configure this alternate address, you will have to add it to their directory entry.

1. Log in to the Email Security (formerly Area 1) dashboard ↗, and select Settings (the gear icon).

2. Go to Email Configuration > Enhanced Detections > Business Email Compromise.

3. Search for the user you want to allow an alternate email address.

4. Select the three-dots button > Edit.

   

5. In Secondary Emails add the additional email addresses. Place each entry on a new line.

   

6. Select Save to finish.