Skip to content

Identity Integrations — Google Workspace & Microsoft 365

The Identity tab of the Breeze Integrations page is where you connect a customer’s directory to Breeze. It has two sub-tabs — Google Workspace and Microsoft 365. Microsoft 365 offers two separate connection methods: Customer Graph Read uses customer-administrator consent without asking you for a reusable secret, while Legacy direct accepts a tenant-specific app client secret for existing read and action workflows.

Open it at Integrations → Identity (/integrations#identity). The two sub-tabs deep-link to /integrations#google (Google Workspace) and /integrations#m365 (Microsoft 365).


There is one Google Workspace connection per organization. Microsoft 365 can have one Customer Graph Read connection and one separate legacy direct connection per organization. Connecting, re-consenting, retesting, or disconnecting requires organization write permission and current MFA where shown.

Google Workspace lives on the sub-tab at /integrations#google. Breeze authenticates as a Google Cloud service account that uses domain-wide delegation to impersonate a super-admin in the customer’s domain.

Field Description
Primary domain The customer’s domain, e.g. example.com
Super-admin email (impersonated) A super-admin account in the domain that the service account impersonates
Service-account JSON key The full service-account JSON key file, pasted into a masked field
  1. Set your scope to the customer organization, then open Integrations → Identity → Google Workspace.
  2. In the Google Cloud Console, open IAM & Admin → Service Accounts and create (or pick) a service account.
  3. On that service account, open the Keys tab and choose Add key → Create new key → JSON. The JSON downloads once — that file is what you paste into Breeze. Note the service account’s numeric Client ID (its unique ID); you will need it in the next step.
  4. Enable the APIs the identity tools use: Admin SDK, Gmail, Calendar, and Enterprise License Manager.
  5. In the Google Admin Console, go to Security → Access and data control → API controls → Manage domain-wide delegation. Add the service account’s Client ID and authorize the exact OAuth scopes Breeze shows in the walkthrough (copy them straight from the card).
  6. Back in Breeze, enter the Primary domain, the Super-admin email to impersonate, and paste the service-account JSON key.
  7. Click Save & Verify. Breeze makes a live Directory API call to confirm the key works and that domain-wide delegation is correctly authorized, then stores the connection.

The walkthrough card displays the exact comma-separated OAuth scope list to authorize. It covers directory user/group read and write, user security, aliases, mobile-device actions, Gmail settings (basic and sharing), Calendar ACLs, and Apps licensing — the scopes the Google identity tools actually call. Authorize the full list so every supported action works.


Disconnect from Breeze immediately revokes Breeze’s local connection, clears its executable tenant/grant state, and rejects delayed callbacks. It does not delete the Microsoft Enterprise application or remove tenant-wide admin consent.

To remove Microsoft consent separately, a customer Entra administrator must:

  1. First choose Disconnect from Breeze on the Customer Graph Read card and confirm the card shows Revoked.
  2. Open the Microsoft Entra admin center for the verified customer tenant.
  3. Go to Identity → Applications → Enterprise applications, find the dedicated Breeze Customer Graph Read application by its verified name and application ID, and open it. Do not modify an unrelated app registration.
  4. Use the Enterprise application’s delete/remove option to remove that tenant’s service principal and tenant-wide application consent. Microsoft labels can vary by portal version; verify the tenant and application before confirming.
  5. Confirm the Enterprise application is no longer present. If Breeze had not already been disconnected, a subsequent Retest would report an application verification failure; local status alone is not proof that Microsoft consent was removed.

Removing an individual permission is different from removing tenant-wide consent. In particular, removing only Application.Read.All prevents Breeze from authoritatively reading the current assignment set, so the card reports reconciliation unavailable and retains the prior list as last known.


Once a sub-tab shows Connected, technicians work with the directory through the in-app AI assistant rather than through this Integrations page. Read-only lookups (user details, group memberships, security posture, Microsoft 365 sign-in activity) run automatically; anything that changes an account is gated behind a human approval step with a mandatory reason and a full audit trail. The two providers are not at parity — Google Workspace exposes a much broader mutating action set than Microsoft 365.

For the complete list of what you can view and do — including guided offboarding, the security-drift report, and the read-vs-mutating tiers — see the Identity Console.


The Google Workspace or Microsoft 365 sub-tab shows “not enabled on this instance.” The connector is feature-flagged off. Ask your host operator to enable GOOGLE_WORKSPACE_ENABLED or M365_ENABLED on the API server, then reload the page.

The connection fails to save with a credentials error. Both providers verify credentials live before storing them. For Google Workspace, confirm the service-account JSON key is valid and that domain-wide delegation was authorized with the exact scopes shown on the card, using the service account’s numeric Client ID. For Microsoft 365, confirm the tenant ID and client ID are correct, the client secret Value (not the secret ID) was copied and has not expired, and admin consent has been granted for the required Graph permissions.

Customer Graph Read says an eligible administrator is required. Complete both Microsoft steps as a Global Administrator or Privileged Role Administrator in the customer tenant. Other directory roles fail closed even if Microsoft allows them to reach a consent screen.

Customer Graph Read is degraded. Review missing and unexpected grants on the card. Restore the exact nine-permission manifest, choose Re-consent, then Retest. If the card says reconciliation is unavailable, restore Application.Read.All first; the displayed observed list is last known, not a current assignment inventory.

Retest says the verification service is unavailable. This does not mean Microsoft consent was removed. Existing active state is preserved during a transient executor outage. Ask the Breeze operator to restore the private verification service, then Retest again.

Save is disabled. A fresh connection requires all fields. For Google Workspace: primary domain, super-admin email, and the service-account key. For Microsoft 365: tenant ID, client ID, and client secret. When updating an existing connection, the secret field may be left blank to keep the stored value.

I connected a tenant but AI identity actions still do not work. A verified connection is required in addition to the feature flag being on. Re-open the sub-tab and confirm the badge reads Connected. Also confirm the service account or app registration carries the write permissions and admin role required for the specific action (see the permissions tables above).


  • Identity Console — viewing identity posture and running AI-assisted identity actions once a tenant is connected
  • AI Assistant — how read and mutating actions, approvals, and the audit trail work
  • Integrations — the full Integrations page and its other tabs