Google Drive Microsoft 365 Copilot connector

With the Google Drive Microsoft 365 Copilot connector, your organization in Microsoft 365 can index files that are accessible to anyone in Google Drive, using Microsoft 365 Copilot and Microsoft Search.

This article is for Microsoft 365 administrators or anyone who configures, runs, and monitors the Google Drive Copilot connector.

Capabilities

  • Access Google Drive files using the power of semantic search.
  • Retain ACLs (Access Control Lists) defined by your organization.
  • Customize your crawl frequency.
  • Create workflows using this connection and plugins from Microsoft Copilot Studio.

Limitations

  • Folders, replies, and comments aren't indexable.

Prerequisites

Before you create a Google Drive Copilot connector, you must:

1. Have the Google Workspace super admin role or be granted access

Either be granted access by a super admin or be a user with administrative privileges. You don't need the super admin role yourself if a super admin has granted you access.

Screenshot that shows how to check admin role.

Check the user permission in the admin console: Admin center/manage user/user detail.

2. Create a Google Cloud Project

The Google Drive Copilot connector requires a service account key generated by a Google Cloud Platform console project. You can use an existing project you own, or use the following steps to create a new project:

a. Go to the Manage resources page in the Google Cloud Platform console and click Create Project.

b. In the New Project window that appears, add any project name, organization, and location of your choosing.

Screenshot that shows how to create a new project in Google Workspace.

c. Note the project ID (which is directly below the project name) as you'll need it when enabling APIs in step 3.

Screenshot that shows how to get the project ID in Google Workspace.

d. Click Create.

3. Enable the required API

In the project you created or in your existing project, ensure the following APIs are enabled by going to the link (replacing PROJECT_ID with your project ID) and clicking Enable if not already enabled:

Screenshot that shows how to check if the api enablement.

Admin SDK API (admin.googleapis.com)

https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=[PROJECT_ID]

Drive API (drive.googleapis.com)

https://console.developers.google.com/apis/api/drive.googleapis.com/overview?project=[PROJECT_ID]

4. Create a Google Cloud Service Account

a. Go to the Service Accounts page in the Google Cloud Platform console and click the project you created.

Screenshot that shows how to create a new service account step1.

b. Click Create Service Account.

Screenshot that shows how to create a new service account step2.

c. Enter the service account name, ID, and description (optional), then click Create and Continue.

Screenshot that shows how to create a new service account step3.

Note

The project should be automatically populated from the name.

d. Skip Permissions and Principals with access. Click Done.

e. Back on the Service Accounts page for your project, you should now be able to see the service account that was created. Click the three dots below Actions and click Manage Keys.

Screenshot that shows how to get the keys step1.

f. Click Add Key > Create New Key. In the panel that appears, select the key type JSON, then click Create.

Screenshot that shows how to get the keys step2.

g. A private JSON key is saved to your computer.

Screenshot that shows how to download service account keys.

5. Add the OAuth scopes to your service account

a. Go to Google Workspace Admin console and click Security > Access and data control > API controls in main menu.

Screenshot that shows how to add api scope step1.

b. Click MANAGE DOMAIN WIDE DELEGATION in the section Domain-wide delegation:

Screenshot that shows how to add api scope step2.

c. Click Add new to add required scopes to the service account:

Screenshot that shows how to add api scope.

OAuth scopes (comma-delimited)

https://www.googleapis.com/auth/admin.directory.user.readonly

https://www.googleapis.com/auth/admin.directory.group.readonly

https://www.googleapis.com/auth/drive.readonly

https://www.googleapis.com/auth/admin.reports.audit.readonly

To obtain the Client ID, go to the Google Cloud console, click Service Accounts in the main menu, and copy the "OAuth 2 Client ID" of the service account.

Screenshot that shows how to obtain client id.

Setup

1. Display name

A display name is used to identify each reference in Copilot, helping users easily recognize the associated file or item. The display name also represents trusted content.

2. Add Google Apps domain

To sign up for Google Workspace, you need an internet domain name, like your-company.com. This domain can host a website (www.your-company.com) and email (info@your-company.com). For more information, see What is a domain?.

3. Provide Google Apps administrator account email

Enter the email of a Google Apps administrator account in the user@company.com format. It is not the service account but the administrator email of Google Workspace.

4. Service Account Key

Copy and paste the content of the service account key file that you created when you authorized your Microsoft organization to access your users' Google Drive. It isn't the actual key in Google admin, but the entire contents of the JSON file.

5. Roll out to a limited audience

Deploy this connection to a limited user base if you want to validate it in Copilot and other search surfaces before expanding the rollout to a broader audience.

For other settings, like Access permissions, Data inclusion rules, Schema, Crawl frequency, etc., we set defaults based on what works best with data in Google Drive. The default value settings are as follows.

| Page | Settings | Default values |
|---|---|---|
| Users | Access Permissions | All files that are accessible to anyone in Google Drive are visible to all Microsoft 365 users in your tenant, from Microsoft Search or Microsoft 365 Copilot. |
| Content | Index Content | All published posts and pages are selected by default. |
| Content | Manage Properties | To check default properties and their schema, click here. |
| Sync | Incremental Crawl | Frequency: Every 15 mins |
| Sync | Full crawl | Frequency: Every day |

Custom setup

In custom setup, you can edit any of the default values for users, content, and sync.

Users

Access permissions

The Google Drive Copilot connector supports data visible to Only people with access to this data source (recommended) or Everyone. If you choose Everyone, indexed data appears in the search results for all users.

If you choose Only people with access to this data source, you need to further choose whether your users are Microsoft Entra ID-provisioned users or non-AAD users.

To identify which option is suitable for your organization:

  1. Choose the Microsoft Entra ID option if the email ID of Google Drive users is the same as the UserPrincipalName (UPN) of users in Microsoft Entra ID.

  2. Choose the non-AAD option if the email ID of Google Drive users is different from the UserPrincipalName (UPN) of users in Microsoft Entra ID.

Important

  • If you choose Microsoft Entra ID as the type of identity source, the connector maps the email IDs of users obtained from Google Drive directly to UPN property from Microsoft Entra ID.
  • If you chose "non-AAD" for the identity type, see Map your non-Azure AD Identities for instructions on mapping the identities. You can use this option to provide the mapping regular expression from email ID to UPN.
  • Updates to users or groups governing access permissions are synced in full crawls only. Incremental crawls do not currently support the processing of updates to permissions.

Content

Inclusion and exclusion

Use exclusion and inclusion rules to control what data Microsoft crawls from Google Drive. Exclusion rules allow Microsoft to crawl all content except the specified items, while inclusion rules limit crawling to only the specified items. If both rules are applied to the same content, that content isn't indexed because exclusion rules take priority.

Supported exclusion rules

| Exclusion type | Description |
|---|---|
| Shared Drive ID | Exclude content from being crawled by specifying shared drive IDs. |
| Google Group | Files from group members’ personal drives and shared drives accessible to all group members will be excluded from crawling. |
| Folder ID | Files from group members’ personal drives and shared drives accessible to all group members will be excluded from crawling. |

Supported inclusion rules

| Inclusion type | Description |
|---|---|
| Crawl shared drives only | Toggle on to crawl files from shared drives only. |
| Google group | Only files from group members’ personal drives and shared drives accessible to all group members will be crawled. |
| Shared Drive ID | Only allow Microsoft to crawl certain shared drives and underlying folders. No private drives are crawled unless a Google Group is specified in the inclusion rules. |
| Date range | Only files last modified within the selected time range will be crawled. If the end date is left blank, Microsoft will crawl the files created/modified after the start date. If the start date is left blank, Microsoft will crawl the files created from the earliest time. |

Shared drives are treated as folders. To get the shared drive ID, open the shared drive in Google Drive and copy the portion of the URL after drive.google.com/drive/folders/. Paste this ID into the content filter.

To exclude or include specific folders, you’ll need the folder ID. Open the desired folder in Google Drive, then copy the part of the URL after drive.google.com/drive/folders/. Paste this ID into the content filter.
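The ID extraction described above, written as an added Python example that is not part of the connector or of Microsoft's documentation. It strips query strings such as `?usp=sharing` and flags an ID that appears in both rule sets, which the page says is not indexed because exclusion takes priority; the ID character set, the `u/<n>/` path variant, and the function names are assumptions of this example, and only identical IDs (not nested folders) are detected as conflicts.

```python
import re
from urllib.parse import urlparse

# The ID is the path segment after "folders/"; "u/<n>/" appears when several
# Google accounts are signed in to the browser.
_FOLDER_PATH = re.compile(r"^/drive/(?:u/\d+/)?folders/([A-Za-z0-9_-]+)/?$")


def folder_id_from_url(url: str) -> str:
    """Return the bare folder or shared drive ID, without query or fragment."""
    parts = urlparse(url.strip())
    if parts.scheme != "https" or parts.hostname != "drive.google.com":
        raise ValueError(f"not a Google Drive URL: {url!r}")
    match = _FOLDER_PATH.match(parts.path)
    if match is None:
        raise ValueError(f"no folder ID in path: {parts.path!r}")
    return match.group(1)


def plan_filters(include_urls: list[str], exclude_urls: list[str]) -> dict[str, list[str]]:
    """Turn pasted URLs into filter IDs and report IDs present in both rule sets."""
    include = {folder_id_from_url(u) for u in include_urls}
    exclude = {folder_id_from_url(u) for u in exclude_urls}
    return {
        "include": sorted(include),
        "exclude": sorted(exclude),
        # Exclusion takes priority, so these IDs will not be indexed.
        "conflicts": sorted(include & exclude),
    }


if __name__ == "__main__":
    # Constructed URLs; the IDs are placeholders, not real drives.
    print(plan_filters(
        ["https://drive.google.com/drive/folders/EXAMPLE_ID_A?usp=sharing",
         "https://drive.google.com/drive/u/0/folders/EXAMPLE_ID_B"],
        ["https://drive.google.com/drive/folders/EXAMPLE_ID_B"],
    ))
```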

Manage properties

You can add or remove available properties from your Google Drive data source. Assign a schema, change the semantic label, and add an alias to the property. Some properties are indexed by default.

| Default property | Label | Description | Schema |
|---|---|---|---|
| file.name | Title | File Name | Search, Query, Retrieve |
| file.fileExtension | ItemType | The type of indexed item | Query, Retrieve |
| file.description | | A short description of the file. | |
| file.fileExtension | fileExtension | Output only. The final component of fullFileExtension. This is only available for files with binary content in Google Drive. | Query, Retrieve |
| file.size | | Output only. Size in bytes of blobs and first-party editor files. Won't be populated for files that have no size, like shortcuts and folders. | |
| file.parents | ParentId | The ID of the parent folder containing the file. A file can only have one parent folder; specifying multiple parents isn't supported. | Query, Retrieve |
| file.owners | createdBy | Output only. The owner of this file. Only certain legacy files may have more than one owner. This field isn't populated for items in shared drives | Search, Query, Retrieve |
| file.owners | authors | | Query, Retrieve |
| file.webViewLink | url | Output only. A link for opening the file in a relevant Google editor or viewer in a browser. | Retrieve |
| file.createdTime | createdDateTime | The time at which the file was created (RFC 3339 date-time). | Query, Retrieve |
| file.modifiedTime | lastModifiedDateTime | The last time the file was modified by anyone (RFC 3339 date-time). | Query, Retrieve |
| file.lastModifyingUser | lastModifiedBy | Output only. The last user to modify the file. This field is only populated when the last modification was performed by a signed-in user. | Search, Query, Retrieve |
| Created from fileExtension | iconUrl | A static, unauthenticated link to the file's icon. | Retrieve |
| folders.name | containerName | The name of the shared drive that the file belongs to | Query, Retrieve |
| folders.webViewLink | containerURL | URL to access the parent folder | Query, Retrieve |

Sync

You can configure full and incremental crawls based on the scheduling options present here. By default, incremental crawl is set for every 15 minutes, and full crawl is set for every day. If needed, you can adjust these schedules to fit your data refresh needs.

Troubleshooting

  1. Invalid credentials detected. Check the credential info and check the permissions of the service account. This error occurs when the service account lacks the necessary permissions for Google Drive access. Check the credentials info of the account and ensure that they're correctly filled in on the setup page.

  2. The required permissions for users/files are missing.

    Authentication error: one or more required OAuth scopes for your service account are missing. Your service account must include all of the following API scopes:

    https://www.googleapis.com/auth/admin.directory.user.readonly

    https://www.googleapis.com/auth/drive.readonly

    https://www.googleapis.com/auth/admin.directory.group.readonly

    https://www.googleapis.com/auth/admin.reports.audit.readonly

  3. Failed to capture file information. Ensure the workspace isn't empty and has files accessible to the admin. During the connector setup, at least one file must be present in your organization's workspace to test the connection successfully.
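
A preflight check for the service account key from prerequisite step 4 and the delegated scopes from step 5, which are what troubleshooting errors 1 and 2 above point at. This is an added Python example, not code from the connector or from Microsoft; the function names and sample inputs are constructed here, and the key field names are those of a standard Google service account JSON key.

```python
import json

# Scopes this page lists for domain-wide delegation (prerequisite step 5).
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
}
# Fields of a Google service account JSON key that these checks rely on.
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")


def check_key(key_json: str) -> list[str]:
    """Return problems in the pasted key text; never echoes key material."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in str(key["private_key"]):
        problems.append("private_key is not a PEM block")
    return problems


def check_scopes(delegated: str) -> dict[str, list[str]]:
    """Compare a comma-delimited scope string with the required set."""
    granted = {s.strip() for s in delegated.split(",") if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),  # triggers the scope error
        "extra": sorted(granted - REQUIRED_SCOPES),    # more access than needed
    }


if __name__ == "__main__":
    # Constructed input: two required scopes absent, one broader scope pasted.
    pasted = (
        "https://www.googleapis.com/auth/admin.directory.user.readonly, "
        "https://www.googleapis.com/auth/drive, "
        "https://www.googleapis.com/auth/admin.directory.group.readonly"
    )
    print(check_scopes(pasted))
    # Constructed key text: a truncated paste fails JSON parsing.
    print(check_key('{"type": "service_account", "client_id": "1234'))
```

The `client_id` value inside the key file is the same Client ID that step 5 asks for when adding the scopes under domain-wide delegation.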

Next steps

After publishing your connection, you can review the status in the Connectors section of the admin center. To learn how to make updates and deletions, see Manage your connector.

If you have any other issues or want to provide feedback, reach out to us at Microsoft Graph | Support.