Configure Archive Vault and add the Archive Vault step to your offboarding workflow


The Archive Vault Configuration section is only available for Google domains.


You can configure CloudM Automate to archive a user's Vault data as part of an Offboarding Workflow. The data will be indexed in the same way as other archived data, and will be displayed under a "Vault" label.

Please note that, due to Google Export Quota limitations (limiting archiving to 1-2 users / threads at a time), you will need to set up multiple Google Cloud Platform projects to archive multiple users at once.

Note, only deleted items are archived from Vault. 


Set up a Google Cloud Platform Project

This method uses a Powershell script to automate the majority of the process. It is easier and quicker than the full manual process, and less prone to error.

Before you start, you will need:

  • An account in GCP with permissions to create a project (resourcemanager.projects.create role) or owner on existing project,
  • The ability to run Powershell Script as Administrator,
  • A browser window open and authenticated into the GCP tenant. This must be the last browser tab you have used.


To run the Powershell:

  1. Install Google Cloud SDK using the instructions provided by Google here,
  2. Ensure that the Google Cloud SDK is initialized by running the “gcloud init” command, and follow the instructions.
  3. Once Google Cloud SDK has finished initializing, download the GCP_Vault_Configuration.ps1 file to your desktop.
  4. Click on your Desktop Search icon (next to the Start Icon) and search for Windows Powershell.
  5. Select Run as Administrator.
  6. On the GCP_Vault_Configuration.ps1 file, select Shift and right click. Select Copy as Path.
  7. In the Windows Powershell window, enter CD and a space, select paste and then click the up button on your keyboard until you see the first half of the file path and select enter. It will look similar to: 
    • CD C:\Users\(your name)\Desktop
  8. On the next line, click the up button on your keyboard until you see the second half of the file path and select enter. It will look similar to.
    • & ‘.\GCP_Vault_Configuration.ps1.
  9. On the Project ID line, enter a unique Project ID name.
    • ProjectId must be a unique string of 6 to 30 lowercase letters, digits, or hyphens. It must start with a lower case letter, followed by one or more lower case alphanumerical characters that can be separated by hyphens. It cannot have a trailing hyphen.
  10. On the Service Account ID line, enter a unique Service Account name. You can use the same name as the Project ID, or use the same naming conventions.
  11. Now, on the Output Path line, specify where the JSON Key and Log will be exported to on your computer (e.g. C:\\CloudM GCPVaultConfig). 
  12. The Powershell will run and provide the following details manual instructions that you must carry out.
  13. For Step 1 - Configure Google Workspace Domain Wide Delegation using the following ClientId and Scopes, copy the displayed URL in the Powershell window and paste into a browser.
  14. On the Security > API Controls > Domain-wide Delegation screen, select Add new to display the Add a new client ID pop-up box.
  15. Copy and paste the Client ID and OAuth Scopes from the Powershell window into the specified fields and select AUTHORIZE.
  16. Now, in Step 2 - Service Account details for use in CloudM Migrate, copy the Service account email address that you need later when configuring the platform in CloudM Migrate.
  17. The JSON key file that you will also need when configuring the platform in CloudM Migrate can be found in C:\CloudM\GCPVaultConfig, along with a gcp_vault log for the process.


Add a project in Archive

  1. In CloudM Automate, navigate to Archive > Vault Configuration.
  2. Select + Add access key.
  3. Upload the Service Account JSON key into the Service Account for Google Vault field.
  4. Enter the email address of an administrator in the Admin email field.
  5. Select Test Connection to check that connection has been successful.
  6. Select Save.
  7. The project name will be displayed, tabbed at the top of the screen.


Add the Archive Vault step to your offboarding workflow

The following instructions assume that the Archive Vault step will be added to an existing offboarding workflow, and can be added in addition to the standard Archive step. Please refer to the Offboarding Workflows article on our Knowledge Base for more information on other steps that can be added.

To add the Vault Archive step to an offboarding workflow:

  1. Sign into CloudM Automate.
  2. Click on Automate Offboarding Workflow
  3. Select the Root Organizational Unit (listed at the top of the list and denoted with an office block icon) or a child OU listed below the Root OU
  • If you want to apply the Archive Vault step to a Smart Team, select the Smart Team tab and click on the required Smart Team.
  • All child Organizational Units will automatically inherit the policy set from for the Parent Organizational Unit unless you set an explicit Offboarding Policy.
  • Where the Organizational Unit is not the Root, select Explicitly set Offboarding Policy to edit the process for the selected Organizational Unit.
  • If you have selected a Smart Team, ensure that the workflow is set to Enable so that the policy will take precedence over the user’s Organizational Unit policy.
  • Select Add Offboarding Step.
  • Navigate to the Archive Vault step and select the checkbox.
  • Select whether to archive emails, chat and / or drive documents by selecting the checkbox against the relevant setting. Mail and Drive are selected by default, but you will need to manually check the Archive chats option to enable Chat.
  • Select Add to Workflow.
  • The Archive Vault step will now appear in the workflow.
  • Select Save Rules to confirm any changes.


Was this article helpful?
0 out of 0 found this helpful