Error "access.api.error.failed_to_load_group (Code: 11020)" when adding G Suite groups to Access policy

I’m seeing error “access.api.error.failed_to_load_group (Code: 11020)” when adding G Suite groups to an Access policy. Is there a specification of what attributes a group must contain in order to be available to Access policies?

Just tried this myself and I had the same issue. I was able to fix it by enabling the APIs “Admin SDK” and “Groups Settings API” in Google Cloud Console.

Let me know if this works.

The “Admin SDK” API was already enabled on the project that owns the applicable Client ID, but “Groups Settings” was not. I enabled it, but am still receiving the same error. Is there a way to see the API calls that are being made (and their specific response codes)?

Also, the identity provider configuration guide doesn’t mention needing the “Groups Settings” API and doesn’t mention adding any related scopes for domain-wide delegation. Is the documentation out-of-date?

I didn’t need to add domain-wide delegation, although this was set as an “internal” app for my organization so that might change things.

Also, I might have been wrong about that being the fix. I don’t see any API requests to admin or group API.

My only other suggestion would be to click the IDP and run the setup again, doing the “test” where it ensures that the oauth flow is set up; that might cache the list of groups or something of the sorts.