Troubleshoot: Google Workspace Integration

After a user changes their password and is logged out of their Google session, 2-Step Verification only asks for a backup code when trying to log back in.

Cause: The users do not have a secondary/additional form of MFA.

Resolution: Ensure users have a secondary/additional form of MFA, like Authenticator (TOTP) or 2-Step Phone verification phone.

I made group membership changes and then bound the group to the Google Directory – the removed users are now suspended.

Cause: When users are removed and the directory is added in the same save action, the group members are synced in the group's original state and then the removed users are updated to indicate they no longer have access.

Resolution: The correct steps are:

  1. Remove users from the group
  2. Save the group
  3. Add the directory to the group
  4. Save the group
500 Error when attempting to import Google Workspace Users

When using the Google Apps User Provisioning and Synch utility, administrators occasionally receive a 500 Error during the import process. This occurs after an admin has successfully established an OAuth connection and attempts to import users.

Cause:

The most prevalent cause of this is the Google Apps account itself not having API Access enabled under admin.google.com > Security > API Reference > API access.

Resolution:

We recommend that you enable the API access setting and re-attempt to import users. 

A JumpCloud user bound to Google Workspace does not synchronize as expected.
  • If provisioning from JumpCloud to Google, the user might not show up in the Google Apps Admin Console.
  • Previously provisioned users don’t synchronize new passwords when reset in JumpCloud.

Cause:
The username and/or password doesn't comply with Google's name and password guidelines. 

Resolution:
Make sure the Gmail username and password comply with Google's guidelines.

If the above resolutions don't solve the issue, contact your JumpCloud administrator to verify your account status and assist in troubleshooting. If signing up for service, please submit a support request and confirm the email address being used in the form.

Alternate Resolution:

Add JumpCloud as a Trusted Third-Party application.

New JumpCloud users don’t appear in Google Workspace

When a new user is created in JumpCloud, their account is not synchronized to and does not appear in Google Workspace list of users. Existing users will synchronize without issue.

Cause:

The Google Workspace instance has run out of available license seats.

Resolution:

Increase the number of seats in your Google Workspace instance.

“Error 400: admin_policy_enforced”

When you attempt to authorize the Google Workspace Directory integration using a Super Administrator account, you can receive an “Error 400: admin_policy_enforced” error message.

There are three common causes for the "Error 400: admin_policy_enforced" message:

Cause 1:

API Access is Restricted. 

To fix this and Enable API Access: 

  1. Log in to the Google Workspace Admin Console.
  2. Go to Security > API Controls > Manage Google Services
  3. FindGoogle Workspace Admin and select Change Access
  4. Select Unrestricted: Any user-approved app can access a service to enable API Access

Cause 2:

One of the systems is disabled.

To fix this and enable systems:  

  1. Log in to the Google Workspace Admin Console.
  2. Go to Security  > API Permissions.
  3. Enable any disabled systems:

Cause 3:

URL Blocking is blocking necessary URLs like the GAM client_id.

To fix this and unblock necessary URLs:  

  1. Log in to the Google Workspace Admin Console. 
  2. Go to Devices > Chrome Settings > User Settings.
  3. Confirm that necessary URLs aren’t blocked.
I am trying to specify a distribution group, but I cannot add an email address.

Ensure that Enable management of groups and memberships in Google Workspace is enabled. Once it is enabled, click Save. You should see the Distribution Group Email column.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case