Solving Error 400: admin_policy_enforced if you have Google Workspace

[Esqy]

I've seen SO many questions about this, so I'm hoping to do a little write up to make it easier for others.

The 400 error is basically saying 'Hey, GYB isn't allowed in'.

If you follow the instruction on the Github and on the program itself, it gets you so far, but heres my experience:

Downloaded, installed and navigated to the folder on the command line. Simples.

gyb --action create-project --email your...@gmail.com

As per the instructions, with my email in there.

That set me up a Google Cloud Service, and was easy enough to follow the instructions.

You end up looking at a Cloud Platform Screen called 'Credentials' 

On the left, click 'OAuth consent screen'. On this, Click on 'Make External' and click 'External'. App name 'GYB', support email and developer email can just be your own - You don't need to fill in anything else.

Next screen, Leave blank and 'Save and Continue'

Next screen 'Test Users'. Here you want to 'ADD USERS', and pop in your email address (The one you use for Google Workspace)

Click '+ CREATE CREDENTIALS' then 'OAuth client ID'. Application Type is 'Desktop App', Name 'GYB'. CREATE. 

You then get a popup with the credentials the GYB program needs (Client ID and Secret) - Paste them in etc.

When you OK on the site, it will vanish and you'll have GYB listed in the OAuth section.

Have a glass of water. It's important to stay hydrated.

Now, That part is done Keep that window open, as you'll need it in a sec. Next bit is to authorise your workspace. 

So, head over to admin.google.com and log in as you normally would.

Click 'Home', 'Security', 'API controls' (Last on will be on the left side menu)

Click 'Manage Third Party App Access'

Click 'Configure New app' and 'OAuth App name or Client ID'.

Remember we left that window open? Pop back there (should be the 'Credentials' screen) and there is a little Copy Logo next to the client ID. Click it.

Back to Workspace, paste that into the search box thats waiting for you. GYB should appear below, Click it and 'Select'

Make sure both boxes are ticked. 

Click 'Trusted' then 'Configure'

You are DONE!

Run your gyb --email your...@gmail.com --action estimate

and follow the instructions.

Sorted.

So, Tab

[Boris Shor]

This was the best guide on this forum for dealing with the 400 error.

I would say what isn't the most obvious thing is that if you're backing up one user's emails in the Workspace, and it isn't the administrator's email, then you need to login to "admin.google.com" as the administrator, not as the user that's being backed up.

[Boris Shor]

I remember one more thing that's important and not obvious from the instructions. (This is going from my memory so it may not be perfectly precise) Near the Oath screen, after you click External, you are presented with two options, Testing and Production. Testing is the option you should choose, and then you enter the email address into Test Users as per the instructions. There are 100 slots if you've come to the right place.