Google Workspace
Google Workspace offboarding and admin access monitoring
Continuous visibility into your Google Workspace users, admin roles, third-party app access, and the accounts that should have been suspended when people left.
Google Workspace is the front door to almost everything else your company uses. The same identity unlocks email, documents, and — through single sign-on — a long tail of other SaaS tools. That makes Workspace access the highest-leverage access you grant, and also the hardest to keep an honest picture of. Admin roles, group memberships, shared drives, third-party apps users have authorized, devices, and domain settings each live on their own screen in the Admin console, and none of them tell you the one thing you actually need: is this account's access correct, right now?
The Admin console is built for making changes, not for reviewing them. Answering "who can administer our domain?" or "which accounts have no 2-Step Verification?" or "what third-party apps can read our company's data?" means stitching together separate reports, and the picture goes stale the moment you stop assembling it.
Outpost gives you that picture continuously. With read-only Directory access granted through Domain-Wide Delegation, Outpost inventories your tenant — every user with their admin status, 2-Step Verification state, suspension state, last login, and org unit, plus admin roles, groups, shared drives, the third-party apps each user authorized, devices, and domain aliases. Each becomes a searchable asset, kept current automatically, so your most important access surface is finally something you can actually see.
Catch Google Workspace access that outlives employment
Because Workspace is the identity behind so much else, a leaver whose account is never suspended is the single worst gap in an offboarding process. Their account can still receive email, still hold admin roles, still belong to sensitive groups and shared drives, and still — through SSO — reach every downstream tool that trusts Google. Suspension is one checkbox, but it's the checkbox everything else depends on, and it gets missed.
Outpost is built to catch that miss. It links each Workspace account to the person behind it and tracks suspension state, last login, admin roles, group and shared-drive access, and authorized third-party apps. When someone is marked as departed, their lingering Workspace access surfaces for review — so a still-active account, a leftover admin role, or a third-party app that still reaches your data doesn't sit unnoticed.
That turns the riskiest item on your offboarding checklist into something you can verify rather than hope. Instead of assuming every leaver was fully removed from the system that unlocks everything else, Outpost shows you the ones who weren't.
What Outpost detects
Everything we surface from your Google Workspace workspace.
Admin access and roles
Outpost syncs every user and flags who holds admin rights, plus the admin roles and role assignments configured across your tenant, so the accounts with the most control over your domain are never a mystery.
2-Step Verification gaps
For each user Outpost reads their 2-Step Verification state — whether it's enrolled and whether it's enforced — so accounts protected only by a password stand out instead of slipping through.
Third-party app access and devices
Outpost surfaces the third-party apps each user has authorized against your Workspace data, alongside groups, shared drives, org units, mobile and Chrome OS devices, and domain aliases.
Assets we track
Outpost creates and maintains these asset types from your Google Workspace data.
How it works
1
Connect
Grant Outpost's service account read-only Directory access through Domain-Wide Delegation in your Admin console. You paste one service-account ID and the scopes — Outpost can read your directory, never change it.
2
Discover
Outpost inventories your tenant — users, admin roles, groups, shared drives, third-party app tokens, devices, and domain configuration — and turns each into an asset you can search and review.
3
Monitor
Users and their posture — admin status, 2-Step Verification, suspension state, last login, org unit — are re-synced on a schedule so changes across your domain are tracked continuously.
4
Offboard
When an employee leaves, Outpost links their identity to their Workspace account and the access it still holds, so a leaver who was never suspended surfaces instead of staying live.
Frequently asked questions
Connect Google Workspace to Outpost and it inventories every user, flagging which accounts hold admin rights along with the admin roles and role assignments across your tenant. Instead of trusting the Admin console's scattered role pages, you get one searchable view of exactly who can administer your domain.
Suspending the account, ending its sessions, and removing its admin roles, group memberships, shared-drive access, and authorized third-party apps. Outpost tracks all of these per user and links each account to the person, so when someone leaves you can confirm — not assume — that their access was fully removed.
Outpost reads each user's 2-Step Verification state — whether it's enrolled and whether it's enforced — so accounts relying on a password alone are surfaced for review. That makes it straightforward to find the gaps before they become the way an attacker gets in.
See your entire Google Workspace footprint in one place
Join the waitlist for early access to Outpost's Google Workspace integration and every other tool in your stack.