Add, edit, or remove an external directory

This page is for Directory Sync. If you’re using Google Cloud Directory Sync (GCDS), go to GCDS. Directory Sync is currently in public beta.

Now you need to connect your external directory using Directory Sync in the Google Admin console. Later, you can add other external directories and connect to multiple directories at once.

You can set up multiple directory configurations, but they must point to separate Microsoft Active Directory (AD) or Microsoft Azure Active Directory (Azure AD) servers. You can’t point more than one directory configuration to a single external directory server.

Add an external directory

Expand section  |  Collapse all & go to top

Add an Azure AD directory

Before you begin

  • Make sure you meet the system requirements. For details, go to System requirements.
  • Enable pop-ups originating from admin.google.com/ac/sync.

Add the directory

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directoryand thenDirectory sync.

    This action creates a service account. For more information, go to What happens when I add an external directory for the first time?

  3. Click Add Azure Active Directoryand thenContinue.
  4. For Directory name, enter a name for your directory and, optionally, add a description.
  5. Click Authorize and Save.
  6. Enter your Microsoft credentials.

    The credentials must have access to read users and groups.

  7. Check the Consent on behalf of your organization boxand thenclick Accept.
  8. If you get a Connection successful message, click Continue.
  9. If you get a Connection unsuccessful message, click Retry.
    1. Click your newly created directory and ensure that you allowed pop-ups originating from admin.google.com/ac/sync.
    2. Review the reasons for failure and troubleshoot a failed connection (below on this page).
    3. Correct any issues and try to connect again.

Before you begin

Add the directory 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directoryand thenDirectory sync.

    This action creates a service account. For more information, go to What happens when I add an external directory for the first time?

  3. Click Add Active Directoryand thenContinue.
  4. For Directory name, enter a name for your directory and, optionally, add a description.
  5. Click Continue.
  6. For Project ID, enter the ID from the Google Cloud project where you created the VPC access connector.
  7. For VPC access connector name, enter the name of the VPC access connector that you set up in Google Cloud. Use the following format:

    projects/project id/locations/VPC location/connectors/VPC connector name

    To find the values for VPC location and VPC connector name, in your Google Cloud project, click VPC networkand thenServerless VPC access and find your VPC access connector. Go to Name for the VPC connector name. Go to Region for the VPC location.

  8. Click Continue.
  9. For Active Directory server details, enter:
    • Host—IP address or fully qualified domain name of your AD server.
    • Port—636.
    • Connection type—Select your connection type.
    • Base DN—Base distinguished name (DN) in AD. The base DN is used as the root for all searches. You can change this later when you set up your sync.

      Example: ou=Sales, dc=example, dc=com

    • DNS server—DNS server that can resolve your AD host name.
    • Authorized account and Password—The username and password of an account that has read access to your AD server (usually a service account).
    • Certificate—TLS client certificate. Click Attach certificate, navigate to your certificate, and confirm.
  10. Click Save and Test Connection.

    This process might take up to a minute. If you close the window before the test is complete, you can check the results in the Admin audit log. If the test fails, you're prompted to re-enter your directory information.

  11. Click Continue or troubleshoot a failed connection (below on this page).

Troubleshoot a failed connection

If your connection fails, you can view information about the cause of the failure on the connection status page. For additional connection troubleshooting information, go to Check log events for Directory Sync.

Edit a directory

  1. Click the name of the external directory that you want to edit.
  2. Next to Sync status, click Turn off  to deactivate the sync.
  3. Update the details of the selected directory.
  4. Click Save and Test Connection.
  5. Reactivate sync, if needed.

Remove a directory

Important: Make sure that you have retained any information you need from the external directory before you remove it. When you remove an external directory, the connection and sync setup is deleted. Any data that was synced to your Google cloud directory is retained.

  1. On the directory details page, next to Sync status, click Turn off .
  2. Click Delete and thenDelete.

Reauthorize an Azure AD connection

You can reauthorize the Azure AD connection and renew the authentication token.

  1. Click the name of the external directory that you want to reauthorize.
  2. For Sync status, click Turn off  to deactivate the sync.
  3. Click Reauthorize.
  4. Enter your Microsoft credentials.
  5. Check the Consent on behalf of your organization boxand thenAccept.
  6. Reactivate sync, if needed.

Related topics

Admin log events

Next step

Set up user sync


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
10390475761365642571
true
Search Help Center
true
true
true
true
true
73010
false
false