Key points
- Identify Common Gap Sources: These include user onboarding and offboarding, OU or group changes, and misconfigured backup policies.
- Establish a User Baseline: Export the full Google Workspace user directory and compare it to your SaaS backup inventory.
- Audit OU and Group Policies: These frequently create backup blind spots, especially when new users or groups are added without updated backup assignments.
- Understand Vault Limitations: Google Vault supports data retention and legal holds but isn’t a backup solution.
- Automate Gap Detection: Use the Google Admin SDK Directory API and Reports API to automatically identify uncovered users and risky deletion activity at scale.
- Document and Govern Remediation: Track backup gaps in a centralized register to support consistent remediation across Google Workspace environments.
Having a comprehensive and structured Google backup coverage gap detection process can have many benefits for MSPs. First and foremost, it can ensure that every licensed user and dataset is protected. Administrators can more easily
- identify misconfigurations or coverage blind spots early,
- document results for audits and QBRs, and
- justify remediation steps or additional SaaS backup investments.
A guide on how to check Google backup data
📌 Prerequisites:
- You need the Super Admin role, or a delegated admin role with access to the Google Admin console and Vault.
- If you’re using APIs, you’ll need a Google Cloud project with Admin SDK Directory and Reports APIs enabled.
- OAuth 2.0 credentials for delegated access are required.
- You should have a baseline inventory of users, OUs, and groups for cross-checking.
- You should already have a spreadsheet or documentation platform to record findings.
📌 Recommended deployment strategies:
Method 1: Validate user coverage via Admin Console
- Go to Google Admin Console.
- Navigate to Menu > Directory > Users.
- Click the Download icon in the top right section.
- Select All users.
- You’ll be given a choice to download the data as a CSV file or to put the information in Google Sheets. Select the option most suited to your preferences and organization policies.
- Compare the data from the Google Admin console with the data from your SaaS backup list.
- Flag any mismatched or missing entries. If they’re not in the SaaS backup file, this means that the user isn’t properly tied to a backup policy.
Method 2: Check organizational unit (OU) and group-based exceptions
- Go through the organizational units and groups that your organization uses to assign backup policies.
- Ensure that all organizational units are covered and that all users are tied to an appropriate backup policy.
- If there are users or groups that aren’t covered, flag them immediately. This can happen if the OU is new or if the users were recently moved to a new group.
- Make sure that your backup policies are consistently applied to all users, groups, and organizational units.
Method 3: Review vault retention policies
- Open Google Vault.
- Go to Retention.
- Confirm that the retention rules for Gmail, Drive, Chat, and Meet are applied consistently to all of your organizational units.
- If the rules aren’t consistently applied, document the gaps.
- Go through your documentation and modify each setting to ensure that the rules are applied consistently across all your organizational units.
Most importantly, keep in mind that while Google Vault helps retain data for compliance and legal hold purposes, it’s not a substitute for third-party SaaS backup. Vault doesn’t guarantee
- point-in-time restores,
- granular recovery, or
- protection against admin misconfigurations.
Method 4: Use the Admin SDK directory API to detect uncovered accounts
You can also use Windows PowerShell to query the Admin SDK Directory API and find coverage gaps. (Remember that access tokens must be generated using OAuth 2.0 or a service account with domain-wide delegation.)
Here’s a sample script you can use:
```powershell
# Example PowerShell snippet using Google Admin SDK Directory API
# $AccessToken must already hold a valid OAuth 2.0 access token
$uri = "https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500"
$headers = @{ Authorization = "Bearer $AccessToken" }

# Request one page of users and keep only the fields needed for the comparison
$response = Invoke-RestMethod -Uri $uri -Headers $headers
$response.users | Select-Object primaryEmail, suspended, orgUnitPath
```

$AccessToken in "Bearer $AccessToken" must be set to a valid API token.
This script will allow you to connect to Google Workspace using the Admin SDK API and show you
- a list of up to 500 users (a single page of results) with their email addresses,
- whether they’re suspended, and
- which organizational units they belong to.
Export the data as a CSV file and compare it against the data in your backup tools. Flag any mismatched or missing accounts to see if there are uncovered users.
Method 5: Use Reports API to spot deletion risks
Frequent deletions and “Empty Trash” actions can compromise recoverability. You can use the Reports API to spot actions such as these with this script:

```powershell
# === CONFIGURATION ===
$AccessToken = "<YOUR_ACCESS_TOKEN>"   # Paste your OAuth token here
$Application = "admin"                 # 'admin' = Admin Console events
$EventName   = "DELETE_USER"           # Type of deletion event
# Last 30 days, converted to UTC so that the trailing "Z" is accurate
$StartTime   = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$OutputCsv   = "C:\Reports\UserDeletions.csv"

# === INITIALIZE ===
# ${Application} is braced because "?" is a valid variable-name character in PowerShell
$uri = "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/${Application}?eventName=$EventName&startTime=$StartTime"
$headers = @{ Authorization = "Bearer $AccessToken" }

$allEvents = @()
$pageToken = $null

Write-Host "Fetching deletion events from Reports API…"

do {
    # Append the page token on every request after the first
    $fullUri = if ($pageToken) { "$uri&pageToken=$pageToken" } else { $uri }
    try {
        $response = Invoke-RestMethod -Uri $fullUri -Headers $headers -Method Get
    } catch {
        Write-Error "API call failed: $_"
        break
    }

    if ($response.items) {
        foreach ($item in $response.items) {
            $eventDetails = [PSCustomObject]@{
                EventId    = $item.id.uniqueQualifier
                Time       = $item.id.time
                ActorEmail = $item.actor.email
                ActorType  = $item.actor.type
                EventName  = $item.events[0].name
                TargetUser = ($item.events[0].parameters | Where-Object { $_.name -eq "USER_EMAIL" }).value
            }
            $allEvents += $eventDetails
        }
    }

    $pageToken = $response.nextPageToken
} while ($pageToken)

# === EXPORT ===
# Write the collected events to the CSV path configured above
$allEvents | Export-Csv -Path $OutputCsv -NoTypeInformation
```

This collects the user deletion events (DELETE_USER) that the Admin console logged over the last 30 days. Document patterns and ensure Vault rules or backup coverage address those situations.
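One way to turn the exported events into a documented pattern is to flag administrators who delete several accounts in a short period. This is an added example, not part of the original script; the function name `Find-DeletionBurst`, the threshold, the window, and the sample events are assumptions constructed for illustration, using the same `Time`, `ActorEmail` and `TargetUser` fields as the script above.

```powershell
# Added example: flag actors with $Threshold or more deletions inside a sliding time window.
function Find-DeletionBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, ActorEmail, TargetUser
        [int] $Threshold = 3,
        [int] $WindowMinutes = 60
    )
    $inv = [cultureinfo]::InvariantCulture
    foreach ($actor in ($Events | Group-Object ActorEmail)) {
        # Parse each timestamp once and sort oldest-first.
        $rows = @($actor.Group | ForEach-Object {
            [PSCustomObject]@{ When = [datetimeoffset]::Parse($_.Time, $inv); Target = $_.TargetUser }
        } | Sort-Object When)
        $start = 0
        $best  = $null
        for ($end = 0; $end -lt $rows.Count; $end++) {
            # Advance the left edge until the window spans at most $WindowMinutes.
            while ($rows[$end].When.Subtract($rows[$start].When).TotalMinutes -gt $WindowMinutes) { $start++ }
            $size = $end - $start + 1
            if ($size -ge $Threshold -and (-not $best -or $size -gt $best.Deletions)) {
                $best = [PSCustomObject]@{
                    ActorEmail  = $actor.Name
                    Deletions   = $size
                    WindowStart = $rows[$start].When
                    WindowEnd   = $rows[$end].When
                    Targets     = ($rows[$start..$end].Target -join ';')
                }
            }
        }
        if ($best) { $best }   # Emit only the densest window per actor.
    }
}

# Constructed sample events; in practice pass $allEvents or Import-Csv of the export.
$sample = @(
    [PSCustomObject]@{ Time = '2024-05-01T09:00:00.000Z'; ActorEmail = 'admin1@example.com'; TargetUser = 'u1@example.com' }
    [PSCustomObject]@{ Time = '2024-05-01T09:10:00.000Z'; ActorEmail = 'admin1@example.com'; TargetUser = 'u2@example.com' }
    [PSCustomObject]@{ Time = '2024-05-01T09:25:00.000Z'; ActorEmail = 'admin1@example.com'; TargetUser = 'u3@example.com' }
    [PSCustomObject]@{ Time = '2024-05-01T14:00:00.000Z'; ActorEmail = 'admin1@example.com'; TargetUser = 'u4@example.com' }
    [PSCustomObject]@{ Time = '2024-05-01T11:00:00.000Z'; ActorEmail = 'admin2@example.com'; TargetUser = 'u5@example.com' }
)
Find-DeletionBurst -Events $sample -Threshold 3 -WindowMinutes 60
```

Each returned row is a candidate entry for the gap register: check whether the listed target accounts were covered by a backup policy before they were deleted.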
Method 6: Document findings and build a gap register
When you identify a gap, you must do the following:
- Record the workload/service, user or OU affected, issue to be addressed, and remediation steps.
- Assign people who’ll work to resolve them and give them a deadline.
- Store the register in a shared doc for governance and QBR discussions.
Best practices summary table for Google Workspace backup coverage
| Component | Value Delivered |
| User list export vs. backup list | This will detect unprotected accounts and allow you to address them. |
| OU and group policy review | This prevents misconfigurations and ensures that each organizational unit and group is covered. |
| Vault retention check | This will ensure that Google Vault rules align with your organization’s. |
| Directory API queries | This will automatically detect gaps in your Google Workspace. |
| Reports API audit | This will identify risky deletion trends and give you a chance to address them. |
| Gap register | This will track remediation and encourage accountability. |
Example workflow for daily gap detection
- Deploy a script that pulls a user list via the Admin SDK Directory API.
- Compare the user list to that from your SaaS backup.
- Export discrepancies into a CSV file.
- Trigger ticket creation in PSA software for uncovered accounts.
- Archive results weekly for audits.
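The comparison step of this workflow, and of Methods 1, 2 and 4, can be scripted as follows. This is an added example, not NinjaOne's or Google's code; the function name `Get-BackupCoverageGap`, the issue labels, the output file name, and all sample addresses and OU paths are assumptions constructed for illustration.

```powershell
# Added example. All addresses and OU paths below are constructed sample data.
function Get-BackupCoverageGap {
    param(
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,  # primaryEmail, suspended, orgUnitPath
        [Parameter(Mandatory)] [string[]] $BackedUpEmails   # addresses listed in the backup tool
    )
    # Compare case-insensitively: address casing often differs between systems.
    $cmp    = [System.StringComparer]::OrdinalIgnoreCase
    $backup = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $seen   = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($e in $BackedUpEmails) { [void]$backup.Add($e.Trim()) }

    foreach ($u in $DirectoryUsers) {
        $email = "$($u.primaryEmail)".Trim()
        [void]$seen.Add($email)
        if ($backup.Contains($email)) { continue }
        # CSV imports give 'True'/'False' strings, so compare as text instead of casting.
        $isSuspended = "$($u.suspended)" -eq 'True'
        [PSCustomObject]@{
            Email       = $email
            OrgUnitPath = $u.orgUnitPath
            Issue       = if ($isSuspended) { 'SuspendedNotBackedUp' } else { 'ActiveNotBackedUp' }
        }
    }
    # Backup entries with no directory account, typically offboarded or renamed users.
    foreach ($e in $backup) {
        if (-not $seen.Contains($e)) {
            [PSCustomObject]@{ Email = $e; OrgUnitPath = $null; Issue = 'InBackupNotInDirectory' }
        }
    }
}

# Constructed inputs; in practice use Import-Csv on the two exports.
$directory = @(
    [PSCustomObject]@{ primaryEmail = 'alice@example.com'; suspended = $false;  orgUnitPath = '/Sales' }
    [PSCustomObject]@{ primaryEmail = 'Bob@example.com';   suspended = $false;  orgUnitPath = '/Sales' }
    [PSCustomObject]@{ primaryEmail = 'carol@example.com'; suspended = 'False'; orgUnitPath = '/New-Hires' }
    [PSCustomObject]@{ primaryEmail = 'dave@example.com';  suspended = 'True';  orgUnitPath = '/New-Hires' }
)
$backupList = @('alice@example.com', 'bob@example.com', 'erin@example.com')

$gaps = Get-BackupCoverageGap -DirectoryUsers $directory -BackedUpEmails $backupList
$gaps | Export-Csv -Path .\coverage-gaps.csv -NoTypeInformation
# Uncovered accounts per OU: a cluster in one OU points at a missing policy assignment.
$gaps | Where-Object OrgUnitPath | Group-Object OrgUnitPath | Select-Object Name, Count
```

When the directory input comes from the Directory API rather than a console export, page through every `nextPageToken` first, since a single request returns at most 500 users and any account beyond that page would never be compared.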
NinjaOne integration for managing backup coverage
NinjaOne tools can help you
- run scheduled scripts to query Directory or Reports APIs,
- auto-generate tickets for uncovered accounts,
- store gap registers in NinjaOne Docs for client-facing transparency,
- include coverage compliance in QBR dashboards, and
- automate reminders for quarterly coverage audits.
In particular, NinjaOne Backup, which now comes with SaaS backup capabilities for Google Workspace and Microsoft 365, gives teams centralized visibility into possible backup coverage gaps via proactive alerts and a unified management view.
Ensure user accounts are protected with proper SaaS governance
In the end, it’s critical to detect backup coverage gaps in your organization’s Google Workspace so you can rest assured that all the accounts and services you use are protected. For this sort of operation, you can use
- Google Admin console exports,
- Vault retention checks, and
- Admin SDK APIs
to systematically uncover blind spots and document results for clients.
