# Google Workspace > Configure Google Workspace with Applivery MDM — set up OAuth 2.0 credentials for seamless Device Management and SSO integration. Source: https://docs.applivery.com/en/device-management/integrations/sso/google-workspace/ • Last updated: 2026-05-25 **Key topics:** Google Cloud Platform setup, OAuth 2.0 configuration, Applivery MDM integration, API access, Google Workspace, Applivery, Google Cloud Platform, OAuth 2.0, Admin SDK API --- **TL;DR:** Configure Google Workspace with Applivery MDM by setting up a Google Cloud Platform project, configuring OAuth 2.0 credentials, and enabling API access. :::warning This is a premium feature that might not be available in your current plan. Check the availability on our [pricing page](https://www.applivery.com/pricing/). ::: To configure it, make sure you have admin access to your organization’s Google Workspace. This way, you can either create a new project or get the permissions needed to set up OAuth 2.0 credentials for an existing project. Please follow the next steps carefully. ## Set up your Google Workspace **Create a new Google Cloud Platform (GCP) project** Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console. A Google Cloud project is required to enable Google Workspace APIs. Navigate to **IAM & Admin** > **Create Project**. Name the project and select **Create**. Then, navigate to **APIs & Services** and click on **\+ Enable APIs and Services**. This action will load the API Library. Once in the library, search for `admin`, choose the **Admin SDK API** and proceed to **enable** it. Return to the **APIs & Services** page and go to **Credentials**. You will see a warning that you need to configure a consent screen. Select **Configure Consent Screen.** Verify the project name listed in the upper left corner near the logo to make sure that you are using the correct project. ![Credentials | Applivery](https://www.applivery.com/wp-content/uploads/2023/09/Credentials-1024x432.png "Credentials | Applivery") **Configure the consent screen** Select **Internal** as the User Type. This choice restricts authorization requests to users within your Google Workspace, preventing access for individuals with standard Gmail addresses. Provide a name for the application, include a support email, and fill in the contact fields. Keep in mind that the Google Cloud Platform requires an email in your account. You can leave the **Scopes** page empty. Once the summary page loads, save your settings and exit. **Configure the credentials** Return to the **Credentials** page and select **\+ Create Credentials** > **OAuth client ID**. ![68747470733a2f2f6465762d646f63732e636c6f7564666c6172656163636573732e6f72672f6163636573732f7374617469632f636c6f7564666c6172652d6f6e652f6964656e746974792f6773756974652f6372656174652d6f617574682e706e67 | Applivery](https://www.applivery.com/wp-content/uploads/2023/09/68747470733a2f2f6465762d646f63732e636c6f7564666c6172656163636573732e6f72672f6163636573732f7374617469632f636c6f7564666c6172652d6f6e652f6964656e746974792f6773756974652f6372656174652d6f617574682e706e67-1024x392.png "68747470733a2f2f6465762d646f63732e636c6f7564666c6172656163636573732e6f72672f6163636573732f7374617469632f636c6f7564666c6172652d6f6e652f6964656e746974792f6773756974652f6372656174652d6f617574682e706e67 | Applivery") Choose **Web application** as the Application type. For the **Authorized redirect URIs** box, input: `https://mdm-portal.applivery.io/login/`. Google will provide the **OAuth Client ID and Secret** values. Remember that the secret field functions as a password and should be kept confidential. Copy both values. On your [Google Admin console](https://admin.google.com/), go to **Security** > **Access and data control** > **API controls**, open the Settings menu, and enable the **Trust internal, domain-owned Apps** option. ![Untitled | Applivery](https://www.applivery.com/wp-content/uploads/2023/09/Untitled-1024x432.jpg "Untitled | Applivery") ## Get the Service Provider information from Applivery Once in the [**Applivery Dashboard**](https://dashboard.applivery.io/), go to your **Workspace Settings** 1 from the top dropdown menu, then open **Login providers** 2 in the left-hand menu and click the **Google Workspace** option under the **MDM Portal** section 3. ![google Workspace login provider](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/2d3b3e80-afde-4dab-9bb6-e1f8808c6892.png) You will see your Google Workspace configuration, where you will need to input the **Client ID** and **Client Secret** fields. ![google Workspace](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/10cdb784-b181-4b68-af61-dc4125b31719.png) ## Troubleshooting ### Error 5137: Could not retrieve user groups (`invalid_grant`) When a user tries to enroll a device through the MDM Portal, they may see the following error: ``` 5137: {"reason":"Could not retrieve user groups","err":"invalid_grant"} ``` This error means that Applivery's authorization to read Google Workspace groups has expired or been revoked. To fix it, you need to reauthorize Applivery from the Dashboard: **Open your Workspace Settings** Once in the [**Applivery Dashboard**](https://dashboard.applivery.io/), click the top-right dropdown menu and go to **Workspace Settings**. **Reauthorize Applivery** In the left-hand menu, go to **Login providers** and click **Configure** next to the **Google Workspace** option under the **MDM Portal** section. Under **Step 2**, **reauthorize** to grant Applivery permission to obtain groups again. ![reauthorize](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/8ece9115-1122-40a4-9aa2-d8f837f1958b.png) Once the reauthorization is complete, the enrollment flow should work without errors.