🛡️
Domain-Wide Delegation Setup Guide

Get Admin Genie auditing your entire domain in about 10 minutes — no IT ticket, no PhD required. Just work through each step below and your genie will be granting wishes across every user's Drive.

+ 1 Open Google Cloud Console & Select Your Project

Head over to console.cloud.google.com. In the top navigation bar, click the project dropdown and select the GCP project associated with your Drive Audit Genie setup.

If you don't have a project yet, click New Project, give it a name (something descriptive like drive-audit-genie), and click Create.

💡 Already have a project? Great — just make sure you're in the right one. The project name appears in the blue bar at the top. It's easy to end up in the wrong project and wonder why nothing works. (We've all been there.)
+ 2 Enable the Required APIs

Drive Audit Genie needs two Google APIs enabled in your project. In the left sidebar, go to APIs & ServicesLibrary and enable both of the following:

  1. Admin SDK API — search “Admin SDK”, click it, then click Enable.
  2. Google Drive API — search “Google Drive API”, click it, then click Enable.
✔️ If an API already shows as Manage instead of Enable, it's already on — you're ahead of schedule. Gold star.
+ 3 Create a Service Account

In the left sidebar go to IAM & AdminService Accounts, then click + Create Service Account at the top.

  1. Service account name: Something like dag-domain-auditor
  2. Description: Optional — but “Drive Audit Genie Domain-Wide Access” is a crowd-pleaser at security reviews.
  3. Click Create and Continue.
  4. On the Grant this service account access to project step — skip it (click Continue).
  5. On the Grant users access step — skip it too (click Done).

You'll land back on the Service Accounts list and see your new account listed. Leave this tab open — you'll need it in Steps 4 and 5.

+ 4 Enable Domain-Wide Delegation on the Service Account

Click the email address of the service account you just created to open its detail page. Then:

  1. Click the Edit (pencil) icon at the top.
  2. Expand the section called Show advanced settings.
  3. Check the box labeled Enable Google Workspace Domain-wide Delegation.
  4. In the Product name for the consent screen field, enter: Drive Audit Genie
  5. Click Save.
⚠️ Don't skip the product name. Google requires it. It can be anything — “My Audit Tool”, “SkyNet”, your cat's name — but it must be filled in or the save will silently fail.
+ 5 Download the JSON Key File

Still on the Service Account detail page, click the Keys tab at the top of the page. Then:

  1. Click Add KeyCreate new key.
  2. Choose JSON (it should already be selected).
  3. Click Create.

A .json file will download to your computer automatically. Keep this file safe — it's the golden ticket that lets Drive Audit Genie speak on behalf of your domain.

🔒 Treat this file like a password. Do not email it, share it on Slack, commit it to GitHub, or leave it in your Downloads folder until 2031. Anyone who has it can read your users' Drive files. You've been warned (with love).
+ 6 Find Your Client ID from the JSON File

Open the JSON file you just downloaded in any text editor (Notepad, TextEdit, VS Code — anything works). Look for the field named “client_id”. It will be a long number that looks something like this:

“client_id”: “103456789012345678901”

Copy that number — you'll paste it in Step 8.

🚨 This is NOT the same as the “Unique ID” shown in the GCP Console. The GCP Console shows a different number in the IAM section. They look similar, both are long numbers, and using the wrong one is the #1 cause of DWD failures. Use the client_id from the JSON file. Full stop.
+ 7 Open the Google Admin Console

In a new tab, go to admin.google.com. Sign in as a Super Administrator for your Google Workspace domain.

Navigate to:

SecurityAccess and data controlAPI controlsManage Domain Wide Delegation

👤 Don't see these menus? You must be logged in as a Super Admin — not just any admin. If you're not sure, check with whoever set up your Google Workspace account. (Hint: it's usually whoever also knows the WiFi password and where the extra staples are.)
+ 8 Add the API Client & Authorize Scopes

On the Domain-Wide Delegation page, click Add new. You'll see two fields:

  1. Client ID: Paste the client_id number you copied in Step 6.
  2. OAuth Scopes: Copy the entire line below (all three scopes as one comma-separated string) and paste it into the scopes field. Do not add spaces or line breaks.
https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly

After pasting, click Authorize. Your service account will appear in the list with the three scopes shown.

⚠️ Paste all three scopes as a single comma-separated string — do not press Enter between them. If Google splits your scopes into separate boxes, delete them and re-add everything as one line. Google's UI can be quirky about this.
+ 9 Upload Your Key to Drive Audit Genie & Verify

You're in the home stretch! Back in your Google Workspace sidebar (Drive Audit Genie add-on):

  1. Open Drive Audit Genie and navigate to the 👑 Admin Genie section.
  2. Click Setup Domain Delegation.
  3. Paste the full contents of your JSON key file into the field provided — or use the upload button if available.
  4. Click Verify Connection.

Drive Audit Genie will test the credentials and confirm your domain is connected. If verification succeeds, the Admin Genie card will update to show your domain name and user count. Your genie is officially out of the bottle. 👑

🕐 Heads up on timing: Google's DWD permissions can take a few minutes to propagate after Step 8. If you get a permissions error immediately after setting it up, wait 2–3 minutes and try again. Google moves at its own pace — even when you're in a hurry.
🎉

You Did It — Domain-Wide Audit Access Is Live!

Admin Genie can now audit every user's Drive across your entire organization — no individual user permissions needed, no IT ticket, no conference call with somebody named Brent from IT who keeps putting you on hold.

Head back to the add-on, kick off your first domain-wide audit, and let the genie do the work. That's what he's there for.