Creating and authorizing a Google Workspace service account

Step 1. Create a new user in your Google Workspace instance, and make this user an administrator. This will be the account the FIM service uses to administer the Google Workspace instance.

Step 2. Using that account, log in to the Google Developers Console

Step 3. Create a new API project

Step 4. Give the API project an appropriate name

Step 5. When the project has been created, go to the APIs & Services page, and select Credentials. Create a new set of credentials of the service account key type

Step 6. Select the option to create a new service account, providing a service account name and ID, and assigning the 'service account user' role. Ensure that 'p12' is selected as the key type

Step 7. Save the resulting p12 file, noting the secret provided. This will be used by the management agent to authenticate to the Google APIs later

Step 8. Once the service account has been created, select the option to manage service accounts

Step 9. Click on the name of the service account to edit it

Step 10. Select the option to edit the service account, enable domain-wide delegation on the account, and provide a product name (this is not seen by end users)

Step 11. Return to the service accounts list, and from the list of service accounts, select the option to 'view client ID'

Step 12. Record the client ID provided, as well as the service account email address. These will be needed later in the configuration process.

Step 13. Click on 'library' on the API manager page, and search for the Admin SDK, Gmail, Group Settings, Google Calendar and Classroom APIs and enable them for use in your project

Step 14. Log in to the Google Admin console. Select the security option

Step 15. Expand the Advanced settings section, and select Manage API client access

Step 16. Add a new client by providing the client ID obtained in step 12, and the following string for the API scopes. You can either add all scopes, or choose only the [[specific scopes you need|Required-permissions-and-scopes]] based on the object types you want to manage.

https://www.googleapis.com/auth/admin.directory.domain.readonly,http://www.google.com/m8/feeds/contacts/,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/classroom.courses,https://www.googleapis.com/auth/classroom.rosters

Troubleshooting

It can take up to 24 hours for domain-wide delegation to take effect, although in most cases it takes 5-10 minutes. During this time you may receive an error when trying to create the MA, with an event log message that contains the text Client is unauthorized to retrieve access tokens using this method
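The following is an added example, not part of the management agent or this wiki; it shows what the authorisation set up in steps 6-16 is used for. With domain-wide delegation, the service account presents a JWT-bearer assertion to Google's token endpoint whose `iss` is the service account email (step 12), whose `sub` is the administrator created in step 1, and whose `scope` is the list authorised against the client ID in step 16. The code builds that assertion, parses the scope string from step 16, and classifies the token-endpoint error quoted in the troubleshooting section. The service account and admin addresses are constructed placeholders; RS256 signing assumes the p12 from step 7 has been converted to PEM with openssl and that the `cryptography` package is installed.

```python
"""Build the domain-wide-delegation JWT assertion a Google service account
presents to the token endpoint, and classify the error seen while delegation
has not yet propagated. Added example; all sample values are constructed."""
import base64
import json
import time

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Scope string exactly as authorised against the client ID in step 16.
FULL_SCOPE_STRING = (
    "https://www.googleapis.com/auth/admin.directory.domain.readonly,"
    "http://www.google.com/m8/feeds/contacts/,"
    "https://www.googleapis.com/auth/admin.directory.user,"
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/admin.directory.group.member,"
    "https://www.googleapis.com/auth/admin.directory.userschema.readonly,"
    "https://www.googleapis.com/auth/apps.groups.settings,"
    "https://www.googleapis.com/auth/admin.directory.resource.calendar,"
    "https://www.googleapis.com/auth/calendar,"
    "https://www.googleapis.com/auth/gmail.settings.basic,"
    "https://www.googleapis.com/auth/gmail.settings.sharing,"
    "https://www.googleapis.com/auth/classroom.courses,"
    "https://www.googleapis.com/auth/classroom.rosters"
)


def parse_scopes(scope_string: str) -> list:
    """Split the comma-separated Admin console scope string into a list,
    dropping blanks and duplicates while preserving order. A scope that is
    requested in the JWT but not authorised in the console is rejected."""
    scopes = []
    for scope in scope_string.split(","):
        scope = scope.strip()
        if scope and scope not in scopes:
            scopes.append(scope)
    return scopes


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion_claims(service_account_email, admin_user, scopes,
                           now=None, lifetime=3600):
    """Claim set for the JWT-bearer grant. `sub` names the Workspace admin
    the service account impersonates; that impersonation is exactly what
    domain-wide delegation authorises."""
    now = int(time.time()) if now is None else now
    return {
        "iss": service_account_email,   # service account email from step 12
        "sub": admin_user,              # admin user created in step 1
        "scope": " ".join(scopes),      # space-separated in the JWT
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,          # Google accepts at most one hour
    }


def encode_unsigned_jwt(claims: dict) -> str:
    """header.payload signing input; Google only accepts RS256 here."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    return (_b64url(json.dumps(header, **compact).encode()) + "." +
            _b64url(json.dumps(claims, **compact).encode()))


def sign_assertion(signing_input: str, private_key_pem: bytes) -> str:
    """RS256-sign the signing input with the service account private key.
    Assumes the p12 saved in step 7 was converted to PEM, e.g.
      openssl pkcs12 -in sa.p12 -nocerts -nodes -passin pass:'<secret from step 7>'
    and that the `cryptography` package is installed (assumption)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + _b64url(sig)


def token_request_body(assertion: str) -> dict:
    """Form body POSTed to TOKEN_ENDPOINT to exchange the assertion."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def classify_token_error(response_json: dict) -> str:
    """Map the token endpoint's JSON reply to a likely cause. The
    'unauthorized_client' text is the one quoted under Troubleshooting: the
    client ID is not (yet) authorised for the requested scopes, either because
    delegation has not propagated or because a requested scope was not listed
    in step 16."""
    error = response_json.get("error")
    description = response_json.get("error_description", "")
    if error == "unauthorized_client" and "unauthorized to retrieve access tokens" in description:
        return "delegation_not_authorized"
    if error == "invalid_grant":
        return "invalid_assertion"   # bad signature, clock skew, or unknown `sub`
    return "other" if error else "ok"


if __name__ == "__main__":
    claims = build_assertion_claims("fim-sa@example-project.iam.gserviceaccount.com",
                                    "fim-admin@example.com", parse_scopes(FULL_SCOPE_STRING))
    print(encode_unsigned_jwt(claims))
```

When the MA creation fails with the troubleshooting message, requesting a token for a single scope (for example `admin.directory.user` only) is a quick way to tell a propagation delay from a missing scope: if one authorised scope works while the full list does not, a scope in the list was not authorised against the client ID.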
