Why is there a MonitorWorkspace project in my Google Cloud?

If you see a Google Cloud project named MonitorWorkspace (project ID starting with mw-) in your organization, here is why.

What is MonitorWorkspace?

MonitorWorkspace is a Google Workspace monitoring and management platform built for IT administrators. It helps organizations:

  • Monitor user accounts, last logins, and security status (2FA enrollment, suspended accounts)
  • Audit and clean up Google Groups (stale groups, external members, empty groups)
  • Transfer email between users during employee offboarding
  • Export and archive Google Chat conversations
  • Track Google Workspace license assignments and reclaim unused seats
  • Maintain a full audit trail of all admin actions

Learn more at monitorworkspace.com.

Why was this project created?

MonitorWorkspace uses Google domain-wide delegation to securely access your organization's Google Workspace data (users, emails, chats, groups) on behalf of your admin. This is the same mechanism used by Google's own recommended integrations.

Domain-wide delegation requires a Service Account inside a Google Cloud project. During onboarding, your administrator chose the “Set this up for me” option, which automatically:

  1. Created a new Google Cloud project in your organization
  2. Created a service account inside that project
  3. Retrieved the service account's Client ID for domain-wide delegation setup

This was done using your administrator's Google account with their explicit authorization. The one-time cloud-platform scope was requested during the OAuth consent flow, and was not retained after setup completed.

Who created it and when?

The project was created by your organization's administrator during the MonitorWorkspace onboarding process. You can identify the creator and timestamp by checking the project's labels in the Google Cloud Console:

  • created-by — the email address of the admin who authorized the setup
  • org-domain — your Google Workspace domain
  • app — monitorworkspace
  • purpose — domain-wide-delegation

To view these labels, open the Google Cloud Console → Resource Manager, find the project (its ID starts with mw-), and click on it to view its labels.

What does the project contain?

The project contains a single resource:

  • Service Account (monitorworkspace-sa) — used for domain-wide delegation to access Google Workspace APIs

The service account has no IAM roles assigned within your GCP organization. It can only access Google Workspace data through the OAuth scopes you authorized in the Admin Console's domain-wide delegation settings. It cannot access your Cloud resources, billing, VMs, databases, or any other GCP services.

What OAuth scopes are authorized?

Your admin authorized the following scopes during the domain-wide delegation setup in the Google Workspace Admin Console. These control exactly what data MonitorWorkspace can access:

  • admin.directory.user.readonly — view user accounts (monitoring dashboard)
  • admin.directory.group.readonly — view Google Groups (group health audit)
  • admin.directory.group.member — manage group memberships (group cleanup)
  • admin.reports.usage.readonly — view usage/storage reports
  • gmail.readonly — read emails (for email transfer during offboarding)
  • gmail.insert — deliver transferred emails to the destination inbox
  • gmail.labels — create labels for organizing transferred emails
  • chat.spaces.readonly — view Chat spaces (chat export)
  • chat.messages.readonly — view Chat messages (chat export)
  • apps.licensing — view and manage license assignments
  • apps.order.readonly — view subscription plan and seat counts

You can revoke any of these scopes at any time from the Google Workspace Admin Console → Domain-wide Delegation.
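
To check these claims against your own tenant, the following added example (not MonitorWorkspace's code) diffs the scope string copied from the delegation entry against the list above and looks for IAM roles bound to the service account. It assumes the short scope names above carry the standard https://www.googleapis.com/auth/ prefix; the project ID, policy and scope string in it are constructed samples.

```python
import json

SCOPE_PREFIX = "https://www.googleapis.com/auth/"  # assumed prefix for the short names

# Scope short names exactly as listed on this page.
DOCUMENTED = {
    "admin.directory.user.readonly", "admin.directory.group.readonly",
    "admin.directory.group.member", "admin.reports.usage.readonly",
    "gmail.readonly", "gmail.insert", "gmail.labels",
    "chat.spaces.readonly", "chat.messages.readonly",
    "apps.licensing", "apps.order.readonly",
}

def short_name(scope):
    scope = scope.strip()
    return scope[len(SCOPE_PREFIX):] if scope.startswith(SCOPE_PREFIX) else scope

def audit_scopes(console_value):
    """Diff the comma-separated scope string of the delegation entry against the page's list."""
    granted = {short_name(s) for s in console_value.split(",") if s.strip()}
    return {
        "unexpected": sorted(granted - DOCUMENTED),
        "not_granted": sorted(DOCUMENTED - granted),
        "write_capable": sorted(s for s in granted if not s.endswith(".readonly")),
    }

def sa_roles(policy_json, sa_email):
    """Roles in an IAM policy (gcloud ... get-iam-policy --format=json) bound to the service account."""
    member = "serviceaccount:" + sa_email.lower()
    bindings = json.loads(policy_json).get("bindings", [])
    return sorted(b["role"] for b in bindings
                  if member in (m.lower() for m in b.get("members", [])))

# Constructed sample input: placeholder project ID and an entry with one extra scope.
SAMPLE_SA = "monitorworkspace-sa@mw-example.iam.gserviceaccount.com"
SAMPLE_SCOPES = ", ".join(SCOPE_PREFIX + s for s in sorted(DOCUMENTED)) \
    + "," + SCOPE_PREFIX + "cloud-platform"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]})

if __name__ == "__main__":
    print(audit_scopes(SAMPLE_SCOPES))   # flags cloud-platform as unexpected
    print(sa_roles(SAMPLE_POLICY, SAMPLE_SA) or "no roles bound to the service account")
```

A project-level policy only shows bindings made on the project; run sa_roles on the output of gcloud organizations get-iam-policy as well to cover roles granted higher up.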

Is this safe?

Yes. Here's why:

  • Your admin authorized it — the project was created using your administrator's own Google account during an explicit OAuth consent flow
  • No credentials stored — MonitorWorkspace does not store your admin's Google Cloud access token. The cloud-platform scope was used only during the one-time setup and was discarded
  • Minimal permissions — the service account has no GCP IAM roles. It can only access Workspace data through the scopes you explicitly authorized
  • Fully revocable — you can remove the domain-wide delegation entry from your Admin Console at any time to immediately revoke all access
  • Deletable — you can delete the GCP project entirely from the Cloud Console if you stop using MonitorWorkspace

Can I delete this project?

Yes, but doing so will break the MonitorWorkspace integration. If you no longer use MonitorWorkspace:

  1. First remove the domain-wide delegation entry from your Admin Console
  2. Then delete the GCP project from the Cloud Console → Resource Manager

Contact

If you have questions or concerns about this project, contact us at support@monitorworkspace.com or visit our support page.