Managing multiple orgs via GAM

Vee Fam

unread,

Feb 7, 2022, 9:32:47 AM2/7/22

to GAM for Google Workspace

Hi All,

I'm an admin for multiple orgs that use Google Workspace. Is it possible to manage multiple orgs from the terminal using standard GAM? If not, is it possible with Advanced GAM?

Jay Lee

unread,

Feb 7, 2022, 9:38:37 AM2/7/22

to google-ap...@googlegroups.com

Yes, it's possible.

You need to make your GCP project external and allowlist all of your admin emails so they can authorize GAM. https://support.google.com/cloud/answer/10311615?hl=en
You can use one oauth2service.json file for all domains, just run "gam user <email> check serviceaccount" for a user in each of your domains and follow the provided URL to authorize GAM domain-wide delegation for the domain.
You need to create separate oauth2.txt admin credentials per domain but they'll all use the same client_secrets.json you created and made external in the first step. You can rename oauth2.txt file when switching between domains or you can set the OAUTHFILE environment variable to point at the correct file for the domain. For example, on Linux, I do something like:

export OAUTHFILE=oaauth2.txt-somedomain.com
gam info domain
export OAUTHFILE=oauth2.txt-anotherdomain.com
gam info domain

For moe info, take a read through:

https://github.com/GAM-team/GAM/wiki/OAuthKeyManagement

Jay Lee

On Mon, Feb 7, 2022 at 9:32 AM Vee Fam <sfa...@taskforce.org> wrote:

Hi All,

I'm an admin for multiple orgs that use Google Workspace. Is it possible to manage multiple orgs from the terminal using standard GAM? If not, is it possible with Advanced GAM?

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/12dfdc29-6567-4a34-aa8d-1771da86c75bn%40googlegroups.com.

Ross Scroggs

unread,

Feb 7, 2022, 9:38:59 AM2/7/22

to google-ap...@googlegroups.com

Vee,

In Standard GAM you manipulate environment variables, in Advanced GAM you define your multiple orgs in gam.cfg and use a command line argument

to switch between orgs. https://github.com/taers232c/GAMADV-XTD3/wiki/gam.cfg#multiple-customers-and-domains

Ross

--

ross.s...@gmail.com

On Feb 7, 2022, at 6:14 AM, Vee Fam <sfa...@taskforce.org> wrote:

Hi All,

I'm an admin for multiple orgs that use Google Workspace. Is it possible to manage multiple orgs from the terminal using standard GAM? If not, is it possible with Advanced GAM?

Vee Fam

unread,

Feb 10, 2022, 1:50:39 PM2/10/22

to GAM for Google Workspace

Thanks Jay and Ross. Great info.

MDP

unread,

Aug 22, 2022, 3:22:35 AM8/22/22

to GAM for Google Workspace

Hi there,

I've done as described here (make the client external, add the admin emails) and am still getting some errors. First, authorizing access to the account requires checking off individually all the APIs, which I've never seen on a GAM consent screen before. On submit I then get "Authorization Error | Error 400: invalid_request | Account restricted."