👥 Recipe · User & Group Management

Enable Admin SDK API and list Google Workspace group members

Search for a group by name, paginate through its full membership, and export the roster to CSV using the Google Admin Directory API

Complexity

Intermediate

Impact

user-management + audit + reporting + google-workspace

Context

Why This Matters

Admins are frequently asked to produce the definitive list of who belongs to a company-wide distribution or security group — e.g. "all employees", "all managers", or a department roster. While the Google Admin console exposes this in the UI, it tops out at a few hundred rows, does not export cleanly, and forces you to click into each group one at a time.

This recipe walks through the programmatic path: enabling the Admin SDK API in your Google Cloud project, granting the right OAuth scopes, locating a group whose display name may not exactly match what the requester called it, and paginating the members endpoint to export a complete, sorted CSV.

Run this recipe when you need an auditable snapshot of group membership for access reviews, HR headcount reconciliation, license reviews, or mail-merge distribution lists.

Expected Outcomes

You will have:

The Admin SDK API enabled in your Google Cloud project (a one-time prerequisite).
Confirmed the correct group email when the display name is ambiguous (e.g. "all employees" → sysaid-all@domain.com).
A complete, paginated list of group members — including nested groups, suspended accounts, and external members.
A sorted CSV export (email,role,status,type) suitable for HR or audit handoff.
A reusable script you can point at any group email in the future.

Risks & Considerations

Warnings & gotchas

Admin SDK API must be enabled. The first call returns HTTP 403: Admin SDK API has not been used in project <N> before or it is disabled. After enabling, wait 1–2 minutes for propagation before retrying.
Scope consent is separate from API enablement. Granting admin.directory.group.readonly and admin.directory.group.member.readonly is a distinct step — a 403 after enabling the API usually means missing scopes.
Group display names are not unique. A request for "all employees" may resolve to Sysaid All, All Managers, Engineering All, etc. Always confirm with the requester before exporting.
Query syntax is picky. The query parameter on /groups does not support name:value like the users endpoint — it only accepts memberKey=. Use client-side filtering on the full list instead.
Pagination is required. Default maxResults is 200. A group with 234 members will silently truncate unless you follow nextPageToken.
Privacy. Member email lists are sensitive. Store the CSV in a restricted location and purge after use per your data retention policy.
Nested groups. If a member has type=GROUP, the roster is not flat — you may need to recursively expand to get the true user set.

Required Permissions

Permission	Why It's Needed
Admin SDK API enabled in GCP project	Required before any Directory API call will succeed — API is disabled by default.
https://www.googleapis.com/auth/admin.directory.group.readonly	List and read group metadata (name, email, member count).
https://www.googleapis.com/auth/admin.directory.group.member.readonly	List members of a specific group.
Google Workspace Super Admin or delegated Groups Admin role	Required to invoke Directory API endpoints with <code>customer=my_customer</code> or <code>domain=</code> parameters.

The fastest way to get this done — just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

List all members of the {group_name} group in Google Workspace and export the roster to CSV. If the exact group name is ambiguous, show me candidate matches first so I can confirm before exporting.

Try in Dex CoAdmin

For End Users

How an employee would ask Dex for help

Can you send me the list of people in the {group_name} email group?

Try in Dex Playground