Organization-wide Access with Google and Microsoft

Nov 4, 2020

Introducing Xkit's new Google Service Account and Microsoft Admin connectors

If you're building B2B software that's used by an entire organization, the integrations you build take on a different character. Rather than convincing each individual user to connect your software to some service, you're dealing with the IT administrator and helping them get integrated as part of your onboarding process.

This style of organization-wide integrations is supported by major software vendors like Google and Microsoft, but it strays significantly from a typical OAuth2 authorization code flow that most of us are familiar with.

So when an early customer requested this style of organization-wide integration, we jumped at the chance to simplify the process of connecting B2B software to the accounts of an entire company.

And now we're publicly launching our Google Service Account and Microsoft Admin connectors!

Google Service Accounts

Getting access to an entire company's Google Workspace (formerly G Suite) account can be a huge undertaking. In addition to the Service Account setup for the developer, it requires the IT administrator of the Google Workspace account to manually input the Client ID of your service account and all of the permissions you require. And since this entire process takes place out of band, you don't get any feedback on whether it's configured correctly. As you can imagine, this leads to confusion, support tickets, and ultimately, a delayed onboarding process for your product.

Once your customer is setup, the code on your end required to get access tokens is entirely different than a normal OAuth2 process for Google Accounts, and includes the need to pick a specific user to impersonate.

The new Xkit Google Service Account connector makes all that easy: just follow the instructions for configuring a Google Service Account in Xkit and Xkit handles the rest! We take the IT administrator through a guided flow to easily copy and paste the right values, and we test that everything was set up correctly. That means no need to have a special support article covering Service Accounts, and no need to handhold your new customer through setup. Your customers will get up and running in seconds with no support needed from you.

Not only that, but we handle token generation and refresh too. Every time you want to access the organization, you just make a request to Xkit and you'll have a functioning access token available to you without having to worry about how to generate them.

Google Service Accounts are designed for organization-wide access, which they accomplish through user impersonation. Xkit makes this easier for you in two ways:

  1. We automatically include a Directory scope, so that you can use the Directory API to query for all of the users in a Google Workspace organization
  2. We let you specify which user you want to impersonate when requesting tokens
curl --user publishable_key:secret_key \{your_context_id}/connections/google-calendar-admin?

With these two in place, you can get access to any user in the organization, easily.

Microsoft Graph takes a different (and simpler) approach to organization-wide access, which they call Admin Consent, Application access, or sometimes Service Accounts. You have to request a set of Application Permissions rather than Delegated Permissions, and it uses a separate endpoint to request admin consent. Once the administrator has consented, your application will get back only the ID for the organization that granted access, which you'll need to persist in order to request access tokens.

Again, with our new Microsoft Admin connector, you can skip all of that: our guide walks you through configuring your application with Microsoft, and from there it will feel just like any other Xkit connector. Your customer's IT Administrator user gets taken through a consent flow, and we'll generate tokens that you can request at any time.

Xkit Groups

Note: Xkit Groups has been replaced by Xkit Contexts.

Both of our new connectors work even better when paired with Xkit Groups. With Groups, your customers get a shared view of what's been connected, and you get access to a simpler, group-wide API that lets you get access tokens for anyone in the company. With organization-wide access granted via Google and Microsoft, and organization-wide tokens, you get an entire toolkit for building native B2B Saas integrations.

You can start building for free, and if you have other organization-wide connectors you'd like us to add, please let us know!

Building CRM integrations?

Xkit delivers deep integrations for every CRM with one build.

Get access ▶