This page is for Directory Sync. If you're using Google Cloud Directory Sync (GCDS), go to GCDS. Directory Sync is currently in public beta.
Now you’re ready to set up the users you are going to synchronize. In Directory Sync, you enter group names from your external directory to sync users. The individual users in the group (not the group itself) are synced to your Google cloud directory.
Before you begin
Make sure you add and test your external directory connection to your Google cloud directory. For details, go to Add, edit, or remove an external directory.
Set up the users to synchronize
Step 1: Select the users
- In the Admin console, go to Menu > Directory > Directory sync.
- Click the name of your external directory.
- Click Set up user sync.
- Enter the name of the external directory group and press Enter.
Directory Sync syncs the group members to your Google cloud directory.
Note: Groups must have their own associated email address in the external directory.
- Enter any additional group names.
- (Active Directory only) For Base DN, enter the base distinguished name (DN).
The groups specified in steps 4 and 5 should be directly under the base DN.
Example: ou=Sales, dc=example, dc=com. In this example, Directory Sync searches for groups under the Sales organizational unit.
- Click Verify to check that the groups exist in your external directory.
- Click Continue.
- If you want to map users to a single organizational unit, select the organizational unit > Done.
- (Optional) To ensure that the user remains in the organizational unit in your Google cloud directory if they're moved in the external directory, uncheck the Enforce organizational unit mapping box.
- Click Continue.
- Choose an option:
- If you want to place users in a single organizational unit, click Select organizational unit, go to and select the organizational unit, then click Done.
- If you want to place users in an organizational unit that's defined in an attribute in your external directory, for Place users in the OU stored as an attribute, enter the user attribute in your external directory that contains the full path to the organizational unit.
For the steps to create the path, go to Add an organizational unit as an attribute in your external directory (below on this page).
- (Optional) To ensure that the user remains in the organizational unit in your Google cloud directory if they are moved in the external directory, uncheck the Enforce organizational unit mapping box.
- Click Continue.
Add an organizational unit as an attribute in your external directory
- Set up the organizational unit structure in your Google Admin console. For details, go to Add an organizational unit.
- In your external directory, using a standard or custom attribute, define the intended organizational unit path for each user. Use the following format:
- Don't include the top-level organizational unit.
- Separate the parent and child organizational units with a forward slash (/).
Example: If you want to add the user yuri@example to the Sales organizational unit that's under the Finance organizational unit, you would follow these steps:
- In the external directory, for yuri@example, set the Department attribute to Finance/Sales.
- When you set up Directory Sync, click Place users in the OU stored as an attribute and add the Department attribute.
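Before pointing Directory Sync at an attribute such as Department, it is worth checking that every user's value actually follows the path format described above and names an organizational unit that exists in the Admin console. The following script is an added example, not Google's code or part of Directory Sync: the OU tree, the top-level OU name and the sample Department values are constructed, and the tolerance for leading slashes, backslashes and an explicit top-level OU prefix is an assumption of this example, not documented behaviour.

```python
"""Added example (not Google's code): check the organizational-unit path that
Directory Sync reads from a user attribute such as Department.

Rules from the help page: omit the top-level organizational unit and separate
parent and child units with a forward slash, for example Finance/Sales.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed sample: OUs configured in the Admin console, written as paths
# below the top-level OU in the same "Parent/Child" format.
KNOWN_OU_PATHS: Set[str] = {"Finance", "Finance/Sales", "Finance/Accounting", "Engineering"}

# Hypothetical name of the top-level OU; a value that starts with it is an error
# the page warns about, so this example strips it rather than rejecting it.
TOP_LEVEL_OU = "example.com"


def normalize_ou_attribute(value: Optional[str]) -> Optional[str]:
    """Return the path in the expected format, or None if the value is unusable.

    Leading/trailing slashes, backslashes and an explicit top-level OU prefix
    are normalized away (an assumption of this example).
    """
    if value is None:
        return None
    path = value.strip().replace("\\", "/")
    segments = [seg.strip() for seg in path.split("/")]
    segments = [seg for seg in segments if seg]  # drop empties from "//" or a leading "/"
    if segments and segments[0] == TOP_LEVEL_OU:
        segments = segments[1:]
    if not segments:
        return None
    return "/".join(segments)


def resolve_ou(value: Optional[str], known: Set[str] = KNOWN_OU_PATHS) -> Tuple[Optional[str], Optional[str]]:
    """Return (ou_path, problem); problem is None when the path names an existing OU."""
    path = normalize_ou_attribute(value)
    if path is None:
        return None, "empty or top-level-only value"
    if path not in known:
        return path, "no such organizational unit in the Google cloud directory"
    return path, None


def check_users(users: Dict[str, Optional[str]], known: Set[str] = KNOWN_OU_PATHS):
    """Map each user (email -> attribute value) to an OU; collect users that need attention."""
    placements: Dict[str, str] = {}
    problems: Dict[str, str] = {}
    for email, dept in users.items():
        path, problem = resolve_ou(dept, known)
        if problem:
            problems[email] = problem
        else:
            placements[email] = path
    return placements, problems


if __name__ == "__main__":
    sample = {  # constructed Department values as they might appear in the external directory
        "yuri@example": "Finance/Sales",
        "ana@example": "/Finance/Accounting/",
        "raj@example": "example.com\\Engineering",
        "lee@example": "Marketing",
        "sam@example": "",
    }
    ok, bad = check_users(sample)
    for email, path in ok.items():
        print(f"{email}: place in {path}")
    for email, why in bad.items():
        print(f"{email}: NOT placed ({why})")
```

Running the check against an export of the attribute before enabling the sync surfaces users who would otherwise end up in an unexpected OU or fail to be placed at all.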
Set up required attributes
Confirm or enter the external directory attributes that map to the following user attributes in your Google cloud directory:
- First name
- Last name
- Primary email address
If you change the attributes, you can click Set default > Proceed to reset them to their defaults.
Map any optional attributes
You can map standard and custom user attributes from your external directory to your Google cloud directory. To see frequently used mappings, go to Common user attribute mappings (below on this page).
- For Enter an attribute, enter the user attribute from your external directory.
If the external directory user attribute is nested, separate the attribute and subattribute with a period (for example, employeeOrgData.division).
- From the list, select the Google cloud directory user attribute.
You can map a single external directory attribute to multiple Google cloud directory user attributes. However, you can't map a single Google cloud directory attribute to multiple external directory attributes.
- (Optional) To map additional user attributes, repeat the steps.
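The two rules in this section (nested attributes are addressed with a period; one external attribute may feed several Google attributes, but a Google attribute may be fed by only one external attribute) are easy to get wrong when a mapping is maintained by hand. The script below is an added example, not Google's code: it applies a constructed mapping to a constructed external user record, resolves dotted attribute names, and rejects a mapping that gives a Google attribute more than one source. The "Division" target is a hypothetical custom attribute; the other Google attribute names are the display names used in the mapping table on this page.

```python
"""Added example (not Google's code): apply an external-directory -> Google
attribute mapping following the rules on this page.
"""
from typing import Any, Dict, List, Optional, Sequence, Tuple

# Constructed mapping: (external attribute, Google attribute) pairs.
MAPPING: List[Tuple[str, str]] = [
    ("givenName", "First name"),
    ("sn", "Last name"),
    ("mail", "Primary email"),
    ("department", "Department"),
    ("department", "Cost center"),               # one external -> two Google attributes: allowed
    ("employeeOrgData.division", "Division"),    # nested attribute; "Division" is hypothetical
]

REQUIRED = ("First name", "Last name", "Primary email")  # required attributes per this page

# Constructed external user record (attribute names as in Active Directory / Azure AD).
SAMPLE_USER: Dict[str, Any] = {
    "givenName": "Yuri",
    "sn": "Ivanov",
    "mail": "yuri@example",
    "department": "Finance",
    "employeeOrgData": {"division": "EMEA"},
}


def get_nested(record: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Look up 'attribute.subattribute' in nested dicts; None if any step is missing."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_mapping(mapping: Sequence[Tuple[str, str]]) -> List[str]:
    """Return Google attributes that are mapped from more than one external attribute."""
    sources: Dict[str, set] = {}
    for ext, goog in mapping:
        sources.setdefault(goog, set()).add(ext)
    return sorted(g for g, s in sources.items() if len(s) > 1)


def apply_mapping(record: Dict[str, Any], mapping: Sequence[Tuple[str, str]],
                  required: Sequence[str] = REQUIRED) -> Tuple[Dict[str, Any], List[str]]:
    """Return (google_attributes, missing_required). Raises on an invalid mapping."""
    conflicts = validate_mapping(mapping)
    if conflicts:
        raise ValueError(f"Google attributes with more than one source: {conflicts}")
    out: Dict[str, Any] = {}
    missing: List[str] = []
    for ext, goog in mapping:
        value = get_nested(record, ext)
        if value is None:
            if goog in required:
                missing.append(goog)
            continue
        out[goog] = value
    return out, missing


if __name__ == "__main__":
    attrs, missing = apply_mapping(SAMPLE_USER, MAPPING)
    for goog, value in attrs.items():
        print(f"{goog}: {value}")
    if missing:
        print("missing required attributes:", missing)
```

A user record that lacks a value for one of the three required attributes is reported rather than silently synced with an empty name or email, which is the case an administrator most wants to catch before the first real sync.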
Common user attribute mappings
Here are some common attribute mappings. You don't have to follow these mappings. You can change the attribute in the external directory and map to another attribute in your Google cloud directory.
External directory attribute in Active Directory (AD) or Azure AD | Usually maps to this Google user attribute |
---|---|
givenName (AD & Azure AD) | First name |
sn (AD), surname (Azure AD) | Last name |
mail (AD), userPrincipalName (Azure AD) | Primary email |
company (AD), companyName (Azure AD) | Company name |
assistant (AD) | Assistant's email |
department (AD & Azure AD) | Department |
physicalDeliveryOfficeName (AD), officeLocation (Azure AD) | Office location |
title (AD), jobTitle (Azure AD) | Job title |
employeeID (AD), employeeId (Azure AD) | Employee ID |
telephoneNumber (AD) | Work phone number |
homePhone (AD) | Home phone number |
facsimileTelephoneNumber (AD), faxNumber (Azure AD) | Fax number |
mobile (AD), mobilePhone (Azure AD) | Mobile phone number |
pager (AD) | Work mobile phone |
telephoneAssistant (AD) | Assistant's number |
streetAddress (AD & Azure AD) | Street address |
postOfficeBox (AD) | P.O. box |
l (lowercase L, AD), city (Azure AD) | City |
st (AD), state (Azure AD) | State/Province |
postalCode (AD & Azure AD) | Zip/Postal code |
co (AD), country (Azure AD) | Country |
preferredLanguage (Azure AD) | Language |
aboutMe (Azure AD) | About |
employeeOrgData.costCenter (Azure AD) | Cost center |
uidNumber (AD) | POSIX UID |
primaryGroupID (AD) | POSIX GID |
sAMAccountName (AD) | POSIX Username |
unixHomeDirectory (AD) | POSIX home directory |
- Choose an option:
- Send activation email: Users get an email message about activating their new account and setting a password.
If you select this option, choose whether to send the email to the user's primary or recovery email address. If you select the recovery email address, make sure you added a mapping for the address in Step 3: Map the user attribute (above on this page).
For more information about what users need to do, go to What happens when a user gets an activation email? (below on this page).
- Do not send an activation email: Users do not get an email.
Use this option if you want to communicate directly with your users about new accounts or if you use a third-party identity provider (IdP) for authentication. (If you use an IdP, there's no need for users to set a Google password.)
- Click Continue.
What happens when a user gets an activation email?
After the sync, your users get an email message with details about activating their new managed Google Account. When they're ready to sign in to the new account for the first time, users need to complete the following steps:
- In their original email account, open the email message and click Sign in > Next.
- Click Send to get a verification code.
- In their original account, open the verification code message and copy the code.
- In their new Google account, enter the verification code and click Next.
- Accept the Terms of Service.
- Create a strong password and click Change password.
If a user is suspended or not found in your external directory (for example, the user's group is deleted in the external directory), you can suspend them in your Google cloud directory.
To suspend users not found in the external directory:
- Check the Suspend user in Google box.
If you don't want to suspend users, uncheck the box.
- Click Continue.
Important: Directory Sync syncs the user's state. If you suspend a user's account but the external directory account is active, the user's account is activated following a sync.
Set the conditions under which a sync is automatically canceled. If the sync exceeds the safeguard limits, the sync is automatically canceled and no users are suspended. No further syncs will run until you manually enable the sync. For more information about safeguards, go to How safeguards are determined (in the next section on this page).
To set a safeguard:
- For Safeguards, select Set a percentage of users or Set a total number of users and enter a percentage or number.
- Click Simulate Sync.
- If a safeguard is triggered, you get a notification with details about the failed sync. You can also view additional details in the audit log.
For more information, go to Use the alert center and Check log events for Directory Sync.
How safeguards are determined
Directory Sync calculates how many user accounts exist in your external directory and compares that with how many accounts might be suspended following a sync. If the amount is larger than the specified percentage or number, the sync is automatically canceled and no action is taken.
Examples
You have 100 external directory users. During a sync, Directory Sync proposes to suspend 12 user accounts and add 3 new accounts.
Example 1: You set a numerical limit of 14 as a safeguard. Because the number of accounts it proposes to suspend (12) is fewer than the safeguard (14), Directory Sync continues with the proposed changes.
Example 2: You set a percentage limit of 10% as a safeguard. Directory Sync compares the proposed 12 candidates for suspension against the percentage limit. Because the percentage of candidates for suspension (12%) exceeds the 10% limit, Directory Sync stops the sync without applying any changes.
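The suspension behaviour ("suspend users not found in the external directory", "Directory Sync syncs the user's state") and the safeguard logic of the two examples above can be reproduced offline to sanity-check a limit before running a real simulation. The script below is an added example, not Google's code or a description of how Directory Sync is implemented internally: the external groups, the already-synced Google users and the numbers are constructed so that they match the page's scenario of 100 external users, 12 proposed suspensions and 3 additions; the percentage is computed against the number of external directory users, as in Example 2, and a sync is canceled only when the count strictly exceeds the limit, matching "larger than".

```python
"""Added example (not Google's code): plan a group-based sync and apply a
suspension safeguard the way this page describes it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Safeguard:
    kind: str      # "number" or "percent"
    limit: float   # total number of users, or percentage of external directory users


@dataclass
class SyncPlan:
    to_add: List[str] = field(default_factory=list)
    to_suspend: List[str] = field(default_factory=list)
    to_reactivate: List[str] = field(default_factory=list)
    canceled: bool = False
    reason: Optional[str] = None


# Constructed external directory: two groups with 100 individual members in total.
EXTERNAL_GROUPS: Dict[str, Set[str]] = {
    "sales@example": {f"u{i:03d}@example" for i in range(1, 51)},
    "eng@example": {f"u{i:03d}@example" for i in range(51, 101)},
}

# Constructed Google cloud directory: email -> active flag.
# 97 users already synced (u004..u100, with u004 currently suspended in Google)
# plus 12 users that are no longer in any synced group.
GOOGLE_USERS: Dict[str, bool] = {f"u{i:03d}@example": True for i in range(4, 101)}
GOOGLE_USERS["u004@example"] = False
GOOGLE_USERS.update({f"old{i:02d}@example": True for i in range(1, 13)})


def members_of(groups: Dict[str, Set[str]], selected: List[str]) -> Set[str]:
    """Individual members of the selected groups; the groups themselves are not synced."""
    missing = [g for g in selected if g not in groups]
    if missing:  # mirrors the "Verify" step: every listed group must exist
        raise KeyError(f"groups not found in external directory: {missing}")
    users: Set[str] = set()
    for g in selected:
        users |= groups[g]
    return users


def plan_sync(external_users: Set[str], google_users: Dict[str, bool],
              suspend_missing: bool, safeguard: Safeguard) -> SyncPlan:
    """Compute additions, suspensions and reactivations, then apply the safeguard."""
    to_add = sorted(external_users - set(google_users))
    to_suspend = sorted(u for u, active in google_users.items()
                        if active and u not in external_users) if suspend_missing else []
    # State is synced: a user suspended in Google but present in the external
    # directory is reactivated after the sync.
    to_reactivate = sorted(u for u, active in google_users.items()
                           if not active and u in external_users)

    total = len(external_users)
    if safeguard.kind == "number":
        exceeded = len(to_suspend) > safeguard.limit
        measure = f"{len(to_suspend)} users"
    elif safeguard.kind == "percent":
        pct = 100.0 * len(to_suspend) / total if total else 0.0
        exceeded = pct > safeguard.limit
        measure = f"{pct:.1f}% of {total} external directory users"
    else:
        raise ValueError(f"unknown safeguard kind: {safeguard.kind}")

    if exceeded:
        return SyncPlan(canceled=True,
                        reason=f"safeguard exceeded: {measure} proposed for suspension, limit {safeguard.limit}")
    return SyncPlan(to_add, to_suspend, to_reactivate)


if __name__ == "__main__":
    external = members_of(EXTERNAL_GROUPS, ["sales@example", "eng@example"])
    for sg in (Safeguard("number", 14), Safeguard("percent", 10)):
        plan = plan_sync(external, GOOGLE_USERS, True, sg)
        if plan.canceled:
            print(f"{sg.kind}={sg.limit}: CANCELED ({plan.reason})")
        else:
            print(f"{sg.kind}={sg.limit}: add {len(plan.to_add)}, suspend {len(plan.to_suspend)}, "
                  f"reactivate {len(plan.to_reactivate)}")
```

With the constructed data, the numeric limit of 14 lets the 12 suspensions through while the 10% limit cancels the run, which is exactly the outcome of Example 1 and Example 2; changing the group membership or the limit shows how close a planned sync is to the threshold.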
What happens next?
Directory Sync simulates a sync. Depending on the size of your data, the process can take up to an hour to complete.
View the status of a simulation
You can return to the directory details page to see the status of the simulation. You can also check whether the simulation is complete in the Directory Sync log events:
- Open the Directory Sync log events.
For details, go to Access Directory Sync log event data.
- Click Add a filter > Event.
- Select Sync Completed and click Apply.
A Yes in the Simulation column indicates the simulation is complete. You might need to add the Simulation column to see the results.
Check the results of a simulated sync
When the simulation is complete, on the directory details page, click View Simulation log.
Related topic
Replace the domain name for synced users