Technical Tutorial: How to Enable Gemini Enterprise for Educational Institutions with Microsoft 365

Gemini Enterprise for educational institutions connects Microsoft 365 to Google Cloud to build secure AI agents. Learn how to enable this technical MVP.

Fabiano Brito

CEO & Google Cloud Architect, Autenticare

TL;DR: Learn how to provision Gemini Enterprise on Google Cloud by integrating SharePoint Online and OneDrive connectors to deliver a secure, LGPD-compliant educational AI agent MVP.

Gemini Enterprise for educational institutions is the application of Google Cloud’s enterprise AI platform in an educational context, allowing universities and schools to connect their existing data repositories to build secure conversational agents. Unlike a vertical product exclusively for education, it leverages the robust Gemini Enterprise infrastructure configured to index academic and administrative collections, ensuring the agent’s responses are strictly grounded in institutional documents.

For IT teams looking to enable Gemini Enterprise for education, the initial challenge is establishing a secure bridge between the Google Cloud ecosystem and Microsoft repositories. To accelerate this adoption and ensure architectural best practices, many institutions turn to a specialized agent factory. This tutorial details the step-by-step process to configure the Gemini Enterprise Microsoft connector and deliver a functional Gemini Enterprise education MVP.

60 days is the maximum timeframe for data requested for deletion by the user to be removed from Google's systems, according to the security overview.

MVP Implementation Phases

Implementing a Gemini Enterprise MVP in an educational institution requires strict configuration of access controls, APIs, and connectors. The process is divided into seven technical phases, from initial provisioning in Google Cloud to security and LGPD compliance validation.

Phase 1: Prerequisites and IAM

Before starting, you must secure Gemini Enterprise licenses and an active Google Cloud project. In IAM (Identity and Access Management), assign the exact roles: roles/discoveryengine.agentspaceAdmin for the platform administrator, roles/discoveryengine.editor for the service account that will configure the data stores, and roles/discoveryengine.agentspaceUser for the MVP end users. On the Microsoft side, a Microsoft 365 tenant with Global Administrator or Application Administrator privileges in Entra ID is required.

Phase 2: Enable Google Cloud APIs

The second step is to enable Gemini Enterprise in the Google Admin Console and activate the official APIs required for the MVP. The required API subset includes Discovery Engine (the core of Agentspace), Cloud Resource Manager, Cloud Storage, IAM, and Vertex AI. Activation can be done via the terminal using the command below.

gcloud services enable discoveryengine.googleapis.com \
    cloudresourcemanager.googleapis.com \
    storage.googleapis.com \
    iam.googleapis.com \
    aiplatform.googleapis.com

Data Region Warning: There is no documented Brazilian region for these connectors. The supported regions for Agentspace configuration are global, us, and eu. Configure your project accordingly.

Phase 3: App Registration in Microsoft Entra ID

For Google Cloud to access the institution's documents, register an application in Microsoft Entra ID (formerly Azure AD) for OAuth 2.0 authentication. Generate the Client ID and Client Secret. Next, configure the Redirect URI to point to the specific Agentspace connector endpoint, ensuring a secure token flow.

Phase 4: Configure Connectors in Agentspace

Access the Agentspace console and add the data sources. The connectors support different operation modes: Federated Search (real-time search without ingestion), Data Ingestion with OAuth 2.0, and Data Ingestion with Federated Credentials. Check the official documentation for SharePoint Online and OneDrive for the exact tenant URL parameters.

Phase 5: OAuth 2.0 Permissions Matrix

Properly configuring permissions in Microsoft Graph and specific SharePoint APIs is the most common point of failure in educational IT integrations. The tables below detail the exact scopes required for each operation mode, enforcing the principle of least privilege.

Permissions for SharePoint Online

Federated Search
  Microsoft Graph API: none
  Microsoft SharePoint API (Delegated): Sites.Search.All, AllSites.Read

Data Ingestion with Federated Credentials
  Microsoft Graph API (Application): GroupMember.Read.All, User.Read, Sites.FullControl.All or Sites.Selected, User.ReadBasic.All
  Microsoft SharePoint API (Application): Sites.FullControl.All or Sites.Selected

Data Ingestion with OAuth 2.0
  Microsoft Graph API (Application): GroupMember.Read.All, User.Read, User.Read.All, Sites.FullControl.All or Sites.Selected
  Microsoft SharePoint API (Delegated): AllSites.FullControl or Sites.Selected

Actions
  Microsoft Graph API (Application): Sites.ReadWrite.All, Files.ReadWrite.All, Sites.Manage.All
  Microsoft SharePoint API (Delegated): AllSites.Write

Permissions for OneDrive

Federated Search
  Microsoft Graph API (Application): none
  Microsoft Graph API (Delegated): Files.Read.All, Sites.Read.All, User.Read.All

Data Ingestion with OAuth 2.0
  Microsoft Graph API (Application): Files.Read.All, Group.Read.All, GroupMember.Read.All, Sites.FullControl.All or Sites.Selected
  Microsoft Graph API (Delegated): User.Read

Data Ingestion with Federated Credentials
  Microsoft Graph API (Application): User.Read.All
  Microsoft Graph API (Delegated): User.ReadBasic.All

Actions
  Microsoft Graph API (Application): none
  Microsoft Graph API (Delegated): Files.ReadWrite.AppFolder, Files.ReadWrite

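To make the least-privilege point of the matrix checkable before go-live, the following added example (not Google's or Microsoft's tooling) audits the scopes granted to the Entra ID app registration against the matrix for a chosen operation mode. The requirement table is transcribed from the rows above for three modes, the granted-scope sample is constructed, and the key names ("graph", "sharepoint", "application", "delegated") and mode labels are this script's own assumptions.

```python
# Each requirement is a set of alternatives: granting any one of them satisfies it
# ("Sites.FullControl.All or Sites.Selected" in the matrix). Keys are (API, grant type).
REQUIRED = {
    "sharepoint/federated_search": {
        ("sharepoint", "delegated"): [{"Sites.Search.All"}, {"AllSites.Read"}],
    },
    "sharepoint/ingestion_oauth2": {
        ("graph", "application"): [{"GroupMember.Read.All"}, {"User.Read"}, {"User.Read.All"},
                                   {"Sites.FullControl.All", "Sites.Selected"}],
        ("sharepoint", "delegated"): [{"AllSites.FullControl", "Sites.Selected"}],
    },
    "onedrive/ingestion_oauth2": {
        ("graph", "application"): [{"Files.Read.All"}, {"Group.Read.All"}, {"GroupMember.Read.All"},
                                   {"Sites.FullControl.All", "Sites.Selected"}],
        ("graph", "delegated"): [{"User.Read"}],
    },
}

# Tenant-wide scopes that the matrix lets you replace with the per-site Sites.Selected.
PREFER_NARROW = {"Sites.FullControl.All": "Sites.Selected", "AllSites.FullControl": "Sites.Selected"}

def audit(mode, granted):
    """granted: {(api, grant_type): set of scopes} as read from the app registration.
    Returns missing requirements, scopes this mode never needs, and broad scopes with a narrower option."""
    required = REQUIRED[mode]
    report = {"missing": [], "excess": [], "broad": []}
    for key, reqs in required.items():
        have = granted.get(key, set())
        for alternatives in reqs:
            if not alternatives & have:
                report["missing"].append((key, sorted(alternatives)))
    for key, have in granted.items():
        allowed = set().union(*required.get(key, [set()]))
        for scope in sorted(have - allowed):  # e.g. Actions scopes on an ingestion-only MVP
            report["excess"].append((key, scope))
        for scope in sorted(have & set(PREFER_NARROW)):
            if PREFER_NARROW[scope] in allowed:
                report["broad"].append((key, scope, PREFER_NARROW[scope]))
    return report

# Constructed sample: a SharePoint OAuth 2.0 ingestion MVP whose app registration was also
# granted the Actions scopes, and tenant-wide FullControl where Sites.Selected would do.
SAMPLE_GRANT = {
    ("graph", "application"): {"GroupMember.Read.All", "User.Read", "User.Read.All",
                               "Sites.FullControl.All", "Sites.ReadWrite.All", "Files.ReadWrite.All"},
    ("sharepoint", "delegated"): {"Sites.Selected"},
}
```

Running audit("sharepoint/ingestion_oauth2", SAMPLE_GRANT) reports no missing scopes, flags Files.ReadWrite.All and Sites.ReadWrite.All as unneeded for ingestion, and recommends Sites.Selected in place of Sites.FullControl.All.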
Phase 6: Crawling and Indexing

With permissions granted, configure the crawling schedule in Agentspace. It is recommended to start with a manual sync to validate the ingestion. Sync times will vary depending on the volume of documents in the institution's SharePoint and OneDrive.

Phase 7: Security and LGPD Checklist

Before releasing the agent to the educational institution’s end users, the IT team must validate privacy and compliance controls. Google Cloud provides strict contractual guarantees regarding the processing of enterprise data.

Phase 7.1: AI Training

Under the terms of the Data Processing Addendum (DPA) of Google Cloud, prompts and enterprise data processed by Gemini Enterprise are not used to train AI models.

Phase 7.2: Data Retention

Data requested for deletion by the user is removed from Google's systems within 60 days, ensuring the right to be forgotten on demand.

Phase 7.3: DPIA Assessment

The institution must evaluate the need for a Data Protection Impact Assessment (DPIA) based on the risk and volume of personal data processed, as guided by the LGPD.

FAQ

Does Gemini Enterprise have a data region in Brazil (sa-east1)? There is no documented Brazilian region for these connectors. The supported regions for Agentspace configuration are global, us, and eu.

Is the educational institution’s data used to train Google’s models? No. Under the terms of the Google Cloud Data Processing Addendum (DPA), prompts and enterprise data processed by Gemini Enterprise are not used to train AI models.

What is the retention period for data indexed in Gemini Enterprise? Data requested for deletion by the user is removed from Google’s systems within 60 days, acting as an on-demand deletion.

Next Steps

Ready to scale AI in your institution?

Speak with our architects to review your security configurations and ensure the success of your educational project.