GAM issue with unmanaged account - Request had insufficient authentication scopes

75 views
Skip to first unread message

Glenn Morton

unread,
Aug 24, 2022, 1:49:24 PM8/24/22
to GAM for Google Workspace
Hi there,

I have been following this tutorial to migrate an unmanaged account:

I don't get paste the first step before it fails with an error:
> gam check isinvitable glenn@***.family
> glenn@***.family, Check Failed: Request had insufficient authentication scopes.

I have removed and re-added oauth using:
> gam oauth delete
> gam oauth created

I have check the service account and everything is passing.

I have added the domain ***.family (obfuscated for privacy) to my google workspace and verified it.

Is there some form of delegation that is required in order to do this command?

Any help would be much appreciated.

Jay Lee

unread,
Aug 24, 2022, 1:51:22 PM8/24/22
to google-ap...@googlegroups.com
The unmanaged user scope isn't selected by default.

Re-run gam oauth delete/create but when you get to the list of scopes, make sure "Cloud Identity - User Invitations (supports readonly)" is selected by pressing 6 before pressing C. 

Jay Lee


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0e155d58-4fe7-45db-bba1-b1f3f207b552n%40googlegroups.com.

Glenn Morton

unread,
Aug 24, 2022, 1:55:36 PM8/24/22
to google-ap...@googlegroups.com

Hi Jay,

 

I don’t seem to have that option:

 

---

 

[*]  0)  Calendar API (supports readonly)

[*]  1)  Chrome Browser Cloud Management API (supports readonly)

[*]  2)  Chrome Management API - Telemetry read only

[*]  3)  Chrome Management API - read only

[*]  4)  Chrome Policy API (supports readonly)

[*]  5)  Chrome Printer Management API (supports readonly)

[*]  6)  Chrome Version History API

[*]  7)  Classroom API - Course Announcements (supports readonly)

[*]  8)  Classroom API - Course Topics (supports readonly)

[*]  9)  Classroom API - Course Work/Materials (supports readonly)

[*] 10)  Classroom API - Course Work/Submissions (supports readonly)

[*] 11)  Classroom API - Courses (supports readonly)

[*] 12)  Classroom API - Profile Emails

[*] 13)  Classroom API - Profile Photos

[*] 14)  Classroom API - Rosters (supports readonly)

[*] 15)  Classroom API - Student Guardians (supports readonly)

[ ] 16)  Cloud Channel API (supports readonly)

[*] 17)  Cloud Identity Groups API (supports readonly)

[*] 18)  Cloud Identity OrgUnits API (supports readonly)

[*] 19)  Cloud Storage (Vault Export - read only)

[*] 20)  Contact Delegation API (supports readonly)

[*] 21)  Contacts API - Domain Shared Contacts and GAL

[*] 22)  Data Transfer API (supports readonly)

[*] 23)  Directory API - Chrome OS Devices (supports readonly)

[*] 24)  Directory API - Customers (supports readonly)

[*] 25)  Directory API - Domains (supports readonly)

[*] 26)  Directory API - Groups (supports readonly)

[*] 27)  Directory API - Mobile Devices Directory (supports readonly and action)

[*] 28)  Directory API - Organizational Units (supports readonly)

[*] 29)  Directory API - Resource Calendars (supports readonly)

[*] 30)  Directory API - Roles (supports readonly)

[*] 31)  Directory API - User Schemas (supports readonly)

[*] 32)  Directory API - User Security

[*] 33)  Directory API - Users (supports readonly)

[*] 34)  Email Audit API

[*] 35)  Groups Migration API

[*] 36)  Groups Settings API

[*] 37)  License Manager API

[*] 38)  People API (supports readonly)

[*] 39)  People Directory API - read only

[ ] 40)  Pub / Sub API

[*] 41)  Reports API - Audit Reports

[*] 42)  Reports API - Usage Reports

[ ] 43)  Reseller API

[*] 44)  Site Verification API

[*] 45)  Sites API

[*] 46)  Vault API (supports readonly)

 

     s)  Select all scopes

     u)  Unselect all scopes

     e)  Exit without changes

     c)  Continue to authorization

Please enter 0-46[a|r] or s|u|e|c:

 

---

 

Any ideas why that might be?

 

 

Regards,

Glenn

Ross Scroggs

unread,
Aug 24, 2022, 2:00:06 PM8/24/22
to google-ap...@googlegroups.com
Glenn,

What is: gam version

Ross



--

Glenn Morton

unread,
Aug 24, 2022, 2:01:58 PM8/24/22
to google-ap...@googlegroups.com

Hi Ross,

 

> gam version

> GAMADV-XTD3 6.25.17 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller

> Ross Scroggs <ross.s...@gmail.com>

> Python 3.10.6 64-bit final

> Linux Debian 11 Bullseye x86_64

> Path: /home/glenn/bin/gamadv-xtd3

> Config File: /home/glenn/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain:

Ross Scroggs

unread,
Aug 24, 2022, 2:04:00 PM8/24/22
to google-ap...@googlegroups.com
Glenn,

Send me a Meet/Zoom invitation and I'll help.

Ross



--

Jay Lee

unread,
Aug 24, 2022, 2:10:39 PM8/24/22
to google-ap...@googlegroups.com
Ross, this is the API that was working with client_secrets.json and then it got changed to domain-wide delegation. I believe it's allowed via client_secrets.json again but we never re-added or enabled the scope.

Jay Lee


To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS-AzH%3DgVY8nhkfzs3_eC8iLOdmEd%2B33dz_nf-NdSAVSWw%40mail.gmail.com.

Ross Scroggs

unread,
Aug 24, 2022, 2:16:44 PM8/24/22
to google-ap...@googlegroups.com
Jay,

That's it; updating as we speak.

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp9-pcXC92hUG8XVNv4c2oAif7WpO_jnTj-Ew9EMvkC-5w%40mail.gmail.com.


--

Ross Scroggs

unread,
Aug 24, 2022, 2:59:38 PM8/24/22
to google-ap...@googlegroups.com
Glenn,

Get 6.25.19
do: oauth create

Ross
--

Glenn Morton

unread,
Aug 25, 2022, 1:23:45 AM8/25/22
to google-ap...@googlegroups.com

Thanks Ross, will give it a try

Reply all
Reply to author
Forward
0 new messages