Cause: The users do not have a secondary/additional form of MFA.
Resolution: Ensure users have a secondary/additional form of MFA, like Authenticator (TOTP) or 2-Step Phone verification.
Cause: When users are removed and the directory is added in the same save action, the group members are synced in the group's original state and then the removed users are updated to indicate they no longer have access.
Resolution: The membership change and the directory addition must be completed in two separate steps. Remove the user(s) and save the group. Then, add the directory and save the group again.
When using the Google Apps User Provisioning and Sync utility, administrators occasionally receive a 500 Error during the import process. This occurs after an admin has successfully established an OAuth connection and attempts to import users.
Cause:
The most prevalent cause of this is the Google Apps account itself not having API Access enabled under admin.google.com > Security > API Reference > API access.
Resolution:
We recommend that you enable the API access setting and re-attempt to import users.
Cause: This can happen when the connection between Google Workspace (GWS) and the JumpCloud integration is broken.
Resolution: To resolve the issue, reactivate the sync. This re-establishes the connection, and the users will then be imported to JumpCloud successfully.
Below are the steps to reactivate the GWS sync in the JumpCloud admin console.
- Log in to the JumpCloud Admin Portal.
- Navigate to INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory for which you want to reactivate sync and click reactivate sync.
- Follow Google’s prompts to authorize JumpCloud.
Reactivating either with the same Google admin account or a different Google admin account will not disconnect users from the integration or disconnect their active Google Workspace sessions. It will also not send any notification to users.
Double-check the filter with these examples of advanced filters.
This can be a timing issue. Try to import the updates again by running a manual full sync or an update-only sync, or wait for the next automatic import to run.
- If provisioning from JumpCloud to Google, the user might not show up in the Google Apps Admin Console.
- Previously provisioned users don’t synchronize new passwords when reset in JumpCloud.
Cause:
The username and/or password doesn't comply with Google's name and password guidelines.
Resolution:
Make sure the Gmail username and password comply with Google's guidelines.
If the above resolutions don't solve the issue, contact your JumpCloud administrator to verify your account status and assist in troubleshooting. If signing up for service, please submit a support request and confirm the email address being used in the form.
Alternate Resolution:
Add JumpCloud as a Trusted Third-Party application.
- Verify that the password attribute is set to Export in the Attribute Mappings and Settings section of the configuration.
- Check if the user is a super admin.
- If yes, verify that the account used to authorize the integration was a super admin. If not or if you are unsure, reactivate the integration with an account that is a super admin account.
- If the user is not a super admin, consult the DI events and the Google audit logs.
When a new user is created in JumpCloud, their account is not synchronized to Google Workspace and does not appear in the Google Workspace list of users. Existing users will synchronize without issue.
Cause:
The Google Workspace instance has run out of available license seats.
Resolution:
Increase the number of seats in your Google Workspace instance.
Cause: This issue occurs because the integration automatically sets the user’s JumpCloud username to the prefix of their Google email address (the part before the @ symbol) during import. This prefix already exists as a Username or Local User Account for an existing user in your JumpCloud organization.
Resolution: There are a few options for resolving this issue.
- Create a matching JumpCloud account: Manually create the user in JumpCloud with just their Google email address and a unique username. Then, use the Google Workspace Cloud Directory manual import functionality to update the user record with the rest of the user information from Google. You can use an import filter to limit the update to just that user, if needed. See Using the Google Workspace Integration to learn more.
- Update the email address in Google: Change the prefix to something unique and not used in JumpCloud. Note that this may have impacts on the end-user.
- Update the JumpCloud username: Change the existing JumpCloud username or Local User Account to avoid conflicts. This requires disconnecting the user from all resources and may cause service disruptions.
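A pre-import check for the conflict described above, added here as an example (it is not JumpCloud code and calls no JumpCloud or Google API). It assumes names are compared case-insensitively and, following the first option above, that a Google address already present on a JumpCloud user is an update rather than a conflict; the field names and sample data are hypothetical.

```python
def import_prefix(email):
    """Username the import derives: the part of the address before the @."""
    local, at, domain = email.strip().rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an email address: {email!r}")
    return local.lower()  # assumption: names are compared case-insensitively


def find_username_conflicts(google_emails, jumpcloud_users):
    """Return {google_email: reason} for addresses whose prefix is already taken.

    jumpcloud_users: dicts with 'username', 'local_account' (may be None) and
    'email'. These field names are hypothetical, not a JumpCloud export format.
    """
    taken = {}  # lowercased name -> email of the user that holds it
    for user in jumpcloud_users:
        for field in ("username", "local_account"):
            if user.get(field):
                taken.setdefault(user[field].lower(), user["email"].lower())

    conflicts = {}
    for email in google_emails:
        addr = email.strip().lower()
        prefix = import_prefix(addr)
        owner = taken.get(prefix)
        if owner is None:
            taken[prefix] = addr  # later addresses in this batch can collide with it
        elif owner != addr:
            conflicts[email] = f"prefix '{prefix}' already used by {owner}"
    return conflicts


# Constructed sample data.
EXISTING = [
    {"username": "jsmith", "local_account": None, "email": "jsmith@example.com"},
    {"username": "maria.l", "local_account": "mlopez", "email": "maria.l@example.com"},
]
GOOGLE = [
    "jsmith@example.com",       # same address as the existing user: update, no conflict
    "mlopez@example.com",       # prefix equals another user's Local User Account
    "JSmith@corp.example.com",  # same prefix, different address
    "newhire@example.com",
]

if __name__ == "__main__":
    for email, reason in find_username_conflicts(GOOGLE, EXISTING).items():
        print(f"{email}: {reason}")
```

Addresses it reports are the ones to handle with one of the three options above before running the import.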
When you attempt to authorize the Google Workspace Directory integration using a Super Administrator account, you can receive an “Error 400: admin_policy_enforced” error message.
There are three common causes for the "Error 400: admin_policy_enforced" message:
Cause 1:
API Access is Restricted.
To fix this and enable API Access:
- Log in to the Google Workspace Admin Console.
- Go to Security > API Controls > Manage Google Services.
- Find Google Workspace Admin and select Change Access.
- Select Unrestricted: Any user-approved app can access a service to enable API Access.
Cause 2:
One of the systems is disabled.
To fix this and enable systems:
- Log in to the Google Workspace Admin Console.
- Go to Security > API Permissions.
- Enable any disabled systems.
Cause 3:
URL Blocking is blocking necessary URLs like the GAM client_id.
To fix this and unblock necessary URLs:
- Log in to the Google Workspace Admin Console.
- Go to Devices > Chrome Settings > User Settings.
- Confirm that necessary URLs aren't blocked.
Cause: LastName is missing.
Resolution: Verify the user has a valid Last Name.
Ensure that Enable management of groups and memberships in Google Workspace is enabled. Once it is enabled, click Save. You should see the Distribution Group Email column.
Cause: There are pre-existing restrictions or security measures that prevent access.
Resolution: Use the following steps to resolve this issue:
- Navigate to the Google Workspace Admin dashboard.
- In the top search bar, search for and select API Controls.
- Under App access control, click MANAGE THIRD-PARTY APP ACCESS.
- Search for the name "JumpCloud" or the matching ID and click Change Access.
- Select Trusted and then click Continue.
- Once this is done, admins can successfully add the domain to Google Workspace in JumpCloud.
Cause: The account used to create the integration does not have sufficient privileges.
Resolution: An account with super admin privileges is required by Google to sync admin user passwords and user attributes.
Cause: This issue is a security measure from Google's end, often triggered when a large number of user accounts are created at once.
Resolution: Ensure JumpCloud is listed as a trusted application in Google Workspace. This tells Google that the provisioning activity is legitimate and not a security threat.
Add JumpCloud as a trusted application in GWS
- Log in to your Google Workspace Admin Console.
- In the left-hand navigation menu, go to Security > Access and data control > API controls.
- Under App access control, click on MANAGE THIRD-PARTY APP ACCESS.
- At the top of the page, click on Configure new app.
- Select OAuth App Name Or Client ID.
- Search for JumpCloud and select the correct application from the search results.
- Click SELECT.
- Under the Select Access section, choose Trusted: Can access all Google services.
- Click CONFIGURE to save your changes.
If the suspension persists even after JumpCloud is configured as a trusted application, the issue is likely due to an internal security policy on the Google Workspace side. In this case, you will need to contact Google Workspace Support for assistance.
For more information, refer to Google's Restore a suspended user article.
Customers may report the following:
- Unable to log in to JumpCloud using their Google Workspace password
- Expectation that Google and JumpCloud passwords should match
- Confusion around SSO versus directory sync
- Belief that password sync is broken or misconfigured
Cause: If you have only connected Google Workspace as a directory integration, JumpCloud does not use Google passwords for authentication. JumpCloud never pulls or stores Google Workspace passwords.
Resolution: To use Google credentials for login, Google Workspace must be configured as an Identity Provider (IdP) in JumpCloud. Until that is done, users must continue using their JumpCloud password.
