
Email Importing - Google

Configure Google Workspace or Gmail mailbox importing using OAuth2 authentication for Help Desk Departments.

This guide covers Google Cloud Console project setup, OAuth consent screen configuration, and Manage1to1 department authorization.

Permission Required

To configure Google OAuth email importing, you need the Manage Settings permission assigned to your role in Manage1to1, plus access to Google Cloud Console for your domain.


Overview

Manage1to1 can connect to Gmail using OAuth2 for help desk email importing. This is used only for the ticketing system to import inbound messages and convert them into tickets or ticket replies.

OAuth2 is recommended because it avoids storing a mailbox password and aligns better with Google Workspace security controls.

Why use Google OAuth instead of traditional IMAP:

  • Enhanced security - No password storage in Manage1to1
  • MFA compatibility - Works with Google Workspace multi-factor authentication
  • Token-based access - OAuth tokens can be revoked without changing mailbox password
  • Audit trail - Google Cloud Console provides OAuth authorization logs

Note

Email importing is used only for the help desk ticket system. It does not change how Manage1to1 sends outbound emails to administrators or end users.

Before you start

You will need:

  • Access to Google Cloud Console
  • A Gmail or Google Workspace mailbox to use for the department
  • Your Manage1to1 tenant URL
  • The OAuth2 callback URL shown in Manage1to1 under the department configuration

Important

If you have multiple departments with different Gmail addresses, each department must be authorized separately under the corresponding Google account. Each mailbox generates its own OAuth token.

Step 1: Create your Google project

  1. Open Google Cloud Console.
  2. Create a new project dedicated to Manage1to1 help desk importing.
  3. Navigate to APIs & Services, then Credentials.

This project should be used only for help desk importing so credentials and audit history remain clean and isolated.

Step 2: Configure the OAuth consent screen

  1. In APIs & Services, open OAuth consent screen.
  2. Choose External as the user type.

This allows the OAuth flow to work even when the mailbox is not restricted to a single internal org configuration.

  3. Complete the required fields.
  4. Add your Manage1to1 domain to Authorized domains.

Your authorized domain should be your tenant domain, for example: yourschool.manage1to1.com.

Warning

If your Manage1to1 domain is not listed as an authorized domain, authorization can fail or produce unexpected consent behavior.

  5. Save the consent screen configuration.

Step 3: Create an OAuth client ID

  1. Go to APIs & Services, then Credentials.
  2. Select Create Credentials, then choose OAuth client ID.
  3. Choose Web application as the application type.
  4. Provide an application name that clearly identifies the purpose, for example: Manage1to1 Help Desk Importing.

Step 4: Add the redirect URI from Manage1to1

  1. In the OAuth client settings, find Authorized redirect URIs.
  2. Add the OAuth2 Callback URL shown in Manage1to1:

Navigate to Settings, then Help Desk Settings, then Help Desk Departments. Open a department (or create one) and locate the callback URL presented for Google OAuth configuration.

Important

The redirect URI must match exactly. Any mismatch will prevent authorization and the refresh token will not be generated.

  3. Save the OAuth client.

After creation, Google will provide:

  • Client ID
  • Client Secret

Keep both available. You will enter them into Manage1to1.

Step 5: Configure Gmail importing in the department

In Manage1to1:

  1. Go to Settings, then Help Desk Settings, then Help Desk Departments.
  2. Create a new department or edit an existing one.
  3. In the Mail Server Information area, select Google as the provider.
  4. Select OAuth2 as the authentication method.
  5. Enter:
     • The Gmail address that will receive department emails
     • The Client ID
     • The Client Secret

At this point, the OAuth refresh token field should still be empty.

Step 6: Authorize the mailbox

  1. Click Authorize.
  2. When prompted by Google, choose the same Google account as the mailbox being configured.

Note

If you are signed into multiple Google accounts, the most common failure here is authorizing the wrong account. The refresh token that comes back will only work for the account you authorized.

  3. Approve access when Google requests permissions.

If you see “This app isn’t verified”

Some environments will show a Google warning that the app is not verified.

Proceed by selecting Advanced, then continuing to your application to complete the flow.

Warning

This is a Google UI warning, not a Manage1to1 error. The goal is to complete authorization so the refresh token is generated.

Step 7: Confirm the refresh token is generated

After authorization completes successfully, Manage1to1 will populate the OAuth Refresh Token field automatically.

Important

If the refresh token field remains blank after authorization, importing will not work. The most common causes are a redirect URI mismatch or authorizing the wrong Google account.

Step 8: Save settings and validate

  1. Click Save Settings.
  2. Manage1to1 will re-test the configuration during save.

If validation fails:

  • Confirm redirect URI matches exactly in Google Cloud Console
  • Confirm Client ID and Client Secret are correct
  • Confirm the authorized Google account matches the mailbox entered in the department
  • Repeat the authorization step if needed

Once saved successfully, Manage1to1 will begin importing mail for that department on its normal interval.
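
The exact-match requirement on the redirect URI (Step 4, and the first check when validation fails) can be tested before re-authorizing. The following is an added example, not Manage1to1 or Google code: it compares the URI entered in Google Cloud Console with the callback URL copied from Manage1to1 and names the component that differs. The callback path used here is a constructed placeholder, and the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the real callback URL is the one shown in the
# department configuration; this path is a placeholder.
CALLBACK = "https://yourschool.manage1to1.com/helpdesk/oauth2/callback"


def diagnose_redirect_mismatch(registered: str, callback: str) -> list[str]:
    """Return the reasons two redirect URIs differ; [] means an exact match."""
    if registered == callback:
        return []
    reasons = []
    # Pasted values often carry invisible leading or trailing whitespace.
    if registered.strip() != registered or callback.strip() != callback:
        reasons.append("leading or trailing whitespace")
    reg, cb = urlsplit(registered.strip()), urlsplit(callback.strip())
    if reg.scheme != cb.scheme:
        reasons.append(f"scheme: {reg.scheme!r} vs {cb.scheme!r}")
    if reg.netloc != cb.netloc:
        if reg.netloc.lower() == cb.netloc.lower():
            reasons.append("host differs only in letter case")
        else:
            reasons.append(f"host or port: {reg.netloc!r} vs {cb.netloc!r}")
    if reg.path != cb.path:
        if reg.path.rstrip("/") == cb.path.rstrip("/"):
            reasons.append("trailing slash")
        elif reg.path.lower() == cb.path.lower():
            reasons.append("path differs only in letter case")
        else:
            reasons.append(f"path: {reg.path!r} vs {cb.path!r}")
    if reg.query != cb.query:
        reasons.append("query string")
    if reg.fragment != cb.fragment:
        reasons.append("fragment")
    # Strings differ but every parsed component is equal.
    return reasons or ["difference hidden by URL parsing; compare byte by byte"]


if __name__ == "__main__":
    # Constructed examples of values as they might be typed into the console.
    for entered in (CALLBACK, CALLBACK + "/", CALLBACK.replace("https", "http", 1),
                    CALLBACK + " ", CALLBACK.replace("yourschool", "YourSchool")):
        print(repr(entered), "->", diagnose_redirect_mismatch(entered, CALLBACK) or "exact match")
```
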


Testing Google OAuth Importing

After configuration, verify email importing works correctly:

  1. Send a test email to the department Gmail address from an external account.
  2. Wait for the import cycle (5-15 minutes typically).
  3. Check Help Desk for a new ticket matching the test email subject.
  4. Reply to the ticket through the Manage1to1 interface.
  5. Verify email delivery - Check that the reply arrives at the original sender's inbox.
  6. Check the sender address - Confirm the reply shows the department sender email as the From address.

If the test ticket is not created:

  • Verify the import cycle has run (wait 15-20 minutes)
  • Check the Gmail mailbox via the web interface to confirm the test email arrived
  • Verify the OAuth refresh token field is populated in the department configuration
  • Review validation errors shown during department save
  • Re-authorize if the refresh token is blank
  • Contact Manage1to1 Support for import log review

Common Questions

Q: Do I need a separate Google Cloud project for each department?
No. One Google Cloud project can support multiple departments. However, each department mailbox must be authorized separately to generate its own OAuth refresh token.

Q: What permissions does Manage1to1 request from Google?
Manage1to1 requests read and delete permissions for email messages in the authorized mailbox. This allows importing messages and removing them after successful ticket creation.

Q: Can I revoke OAuth access after configuration?
Yes. Revoke access through Google Account settings or Google Cloud Console. Email importing will stop immediately. To restore importing, re-authorize the mailbox in Manage1to1.

Q: What happens if the OAuth token expires?
OAuth tokens should refresh automatically. If importing stops unexpectedly, re-authorize the mailbox in department configuration to generate a new refresh token.

Q: Why am I seeing "This app isn't verified" when authorizing?
Google shows this warning for apps not published in their verification program. This is expected. Click Advanced and proceed to your application to complete authorization. This warning does not affect functionality.

Q: Can I use the same Gmail address for multiple departments?
No. Each department must have its own unique mailbox. Using the same mailbox causes routing issues and prevents proper ticket attribution.

Q: Do I need to configure anything in Gmail settings?
No. OAuth authorization grants necessary permissions automatically. You don't need to enable IMAP or configure application-specific passwords.

Q: What if I'm signed into multiple Google accounts?
During authorization, carefully select the Google account matching the department mailbox. Authorizing the wrong account is a common issue - the refresh token only works for the account you authorized.

Q: Can I use a Google Group email address instead of a mailbox?
No. OAuth importing requires a real Gmail mailbox, not a Google Group. Google Groups don't support IMAP access or OAuth authorization needed for importing.

Q: How do I update the Client ID or Client Secret after initial setup?
Edit the department configuration, update the fields, re-authorize the mailbox (this generates a new refresh token), and save. The new credentials take effect immediately for subsequent import cycles.
