Control which third-party & internal apps access Google Workspace data

To manage mobile apps for your organization, go here instead.

When users sign in to third-party apps using the "Sign in with Google" option (single sign-on), you can control how those apps access your organization’s Google data. Use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0. Some apps use OAuth 2.0 scopes—a mechanism to limit access to a user's account. 

You can also customize the message that users see when they try to install an unauthorized app. 

Note: For Google Workspace for Education, additional restrictions might prevent users in primary and secondary institutions from accessing certain third-party apps.

Before you begin: Review third-party apps for your organization

In App access control, you can review the following third-party apps:

  • Configured apps—Apps configured with an access setting (Trusted, Limited, Specific Google data, or Blocked).
  • Accessed apps—Apps used by users who have accessed Google data.
  • Apps pending review (Education editions)—Apps that users under 18 have requested access to.

Details about third-party apps typically appear 24–48 hours after authorization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu, then Security, then Access and data control, then API controls.
  3. Click Manage Third-Party App Access to view your configured apps. To filter the app list, click Add a filter and select an option.

    The app list shows app name, type, and ID, as well as the following information for each app:

    • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Many well-known apps might not be verified in this way. For more details, go to What is a verified third-party app?
    • Access—Shows which organizational units have a configured access policy for the app. Point to an app and click View details to see the access levels (Trusted, Limited, Specific Google data, or Blocked). Click Change access to change the app's data access level.

      Note: If you apply access level “A” to a specific organizational unit, and then apply access level “B” to the entire organization, access level “A” remains in effect for the organizational unit.

  4. To see accessed apps, in the Accessed apps section, click View list.

    For Accessed apps, you can also review:

    • Users—Number of users accessing the app.
    • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Google Calendar, or Google Drive). Non-Google requested services are listed as Other.
  5. From the Configured apps or Accessed apps list, click an app to access the following:
    • Manage whether your app can access Google services—Shows whether the app is marked as Trusted, Limited, Specific Google data, or Blocked. If you change the access configuration, click Save.
    • View information about the app—Shows the full OAuth2 client ID of the app, the number of users, the privacy policy, and the support information.
    • View the Google service APIs (OAuth scopes) that the app is requesting—Provides a list of OAuth scopes that each app is requesting. To see each of the OAuth scopes, expand the table row or click Expand All.
  6. (Optional) To download the app information into a CSV file, at the top of the Configured apps or Accessed apps list, click Download list.
    • All data in the table is downloaded (including data you don’t have displayed).
    • For configured apps, the CSV file includes these additional columns: Verification status, Number of users, Org unit, Requested services, and API scopes associated with each service. If a configured app hasn't been accessed, its user count is zero (0), and the other 2 columns are blank.
    • For accessed apps, the CSV file has these additional columns: Verification status, Org unit, and API scopes associated with each service.

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users might be blocked from activating unverified apps that you don’t trust (see details on trusting apps later on this page). For more information, go to Authorize unverified third-party apps.

Restrict or unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services, such as Machine Learning. Here's what each option means:

  • Restricted—Only apps configured with a Trusted access setting can access data.
  • Unrestricted—Only apps configured with a Trusted, Limited, or Specific Google data access setting can access the scopes configured by an admin, regardless of whether the scope has restricted or unrestricted data access.

For example, if you set Calendar access as Restricted, only apps configured with a Trusted access setting can access Calendar data. Apps with a Limited access setting can't access Calendar data. 

Note: For Gmail, Google Drive, and Google Chat, you can specifically restrict access to high-risk services (for example, sending mail or deleting files in Drive). 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu, then Security, then Access and data control, then API controls.
  3. Click Manage Google Services.
  4. From the list of services, check the boxes next to the services that you want to manage. To check all the boxes, check the Service box. 
  5. (Optional) To filter this list, click Add a filter and select from the following criteria:
    • Google services—Select from the list of services, then click Apply.
    • Google services access—Select Unrestricted or Restricted, then click Apply.
    • Allowed apps—Specify a range for the number of allowed apps, then click Apply.
    • Users—Specify a range for the number of users, then click Apply.
  6. At the top, click Change access and choose Unrestricted or Restricted.
    If you change access to Restricted, any previously installed apps that you haven’t trusted stop working, and tokens are revoked. If a user tries to install (or sign in to) an app you haven't trusted that accesses a restricted service, they're notified that the app is blocked. Restricting access to the Drive service also restricts access to the Google Forms API.
    Note: The accessed apps list is updated 48 hours after a token is granted or revoked.
  7. (Optional) If you chose Restricted, to allow access to OAuth scopes that aren’t classified as high risk (for example, scopes that allow apps to access user-selected files in Drive), check the For apps that are not trusted, allow users to give access to OAuth scopes that aren’t classified as high-risk box. (This box appears for such apps as Gmail and Drive, but not for all apps.)
  8. Click Change and confirm, if needed.
  9. (Optional) To review which apps have access to a service: 
    1. At the top, for Accessed apps, click View list.
    2. Click Add a filter, then Requested services.
    3. Select the services you’re checking and click Apply.

Restrict access to high-risk OAuth scopes

Gmail, Google Drive, and Google Chat can also restrict access to a predefined list of high-risk OAuth scopes.

Gmail high-risk OAuth scopes
  • https://mail.google.com/
  • https://www.googleapis.com/auth/gmail.compose
  • https://www.googleapis.com/auth/gmail.insert
  • https://www.googleapis.com/auth/gmail.metadata
  • https://www.googleapis.com/auth/gmail.modify
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.settings.basic
  • https://www.googleapis.com/auth/gmail.settings.sharing

For details about Gmail scopes, go to Choose Gmail API Scopes.

Drive high-risk OAuth scopes
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.metadata
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/documents

For details about Drive scopes, go to Choose Google Drive API scopes.

Chat high-risk OAuth scopes
  • https://www.googleapis.com/auth/chat.delete
  • https://www.googleapis.com/auth/chat.import
  • https://www.googleapis.com/auth/chat.messages
  • https://www.googleapis.com/auth/chat.messages.readonly

For details about Chat scopes, go to Chat API scopes.
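
The CSV export described under "Before you begin" (step 6) together with the three high-risk scope lists above lend themselves to a quick audit: parse the export, intersect each app's scopes with the high-risk lists, and surface unverified apps first. The script below is an added example, not Google's tooling; the CSV header names follow the columns the page describes, but the exact headers, the ';' separator between scopes and the sample rows are constructed assumptions, so adjust parse_export to match a real export.

```python
import csv
import io
from typing import Dict, List, Set

# High-risk scopes exactly as listed on this page, per service.
GMAIL_HIGH_RISK = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
DRIVE_HIGH_RISK = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
    "https://www.googleapis.com/auth/documents",
}
CHAT_HIGH_RISK = {
    "https://www.googleapis.com/auth/chat.delete",
    "https://www.googleapis.com/auth/chat.import",
    "https://www.googleapis.com/auth/chat.messages",
    "https://www.googleapis.com/auth/chat.messages.readonly",
}
HIGH_RISK_BY_SERVICE = {"Gmail": GMAIL_HIGH_RISK, "Drive": DRIVE_HIGH_RISK, "Chat": CHAT_HIGH_RISK}

# Constructed sample in the shape of the accessed-apps CSV. Column names follow the
# page's description; the exact headers, client IDs and the ';' scope separator are assumptions.
SAMPLE_CSV = """App name,Client ID,Verification status,Number of users,Org unit,Requested services,API scopes
Mail Companion,1234-example.apps.googleusercontent.com,Verified,240,/,Gmail,https://www.googleapis.com/auth/gmail.modify;https://www.googleapis.com/auth/userinfo.email
Free PDF Converter,5678-example.apps.googleusercontent.com,Not verified,3,/Sales,Drive,https://www.googleapis.com/auth/drive;https://www.googleapis.com/auth/drive.readonly
Lunch Poll,9012-example.apps.googleusercontent.com,Not verified,57,/,Other,openid;email;profile
Standup Bot,3456-example.apps.googleusercontent.com,Not verified,12,/Engineering,Google Chat,https://www.googleapis.com/auth/chat.messages
"""


def parse_export(text: str) -> List[Dict]:
    """Parse the CSV export into one record per app, with its scopes as a set."""
    apps = []
    for row in csv.DictReader(io.StringIO(text)):
        scopes = {s.strip() for s in row["API scopes"].split(";") if s.strip()}
        apps.append({
            "name": row["App name"],
            "client_id": row["Client ID"],
            "verified": row["Verification status"].strip().lower() == "verified",
            "users": int(row["Number of users"] or 0),
            "org_unit": row["Org unit"],
            "scopes": scopes,
        })
    return apps


def high_risk_hits(scopes: Set[str]) -> Dict[str, Set[str]]:
    """Map service name -> the app's scopes that appear on that service's high-risk list."""
    return {service: scopes & risky
            for service, risky in HIGH_RISK_BY_SERVICE.items() if scopes & risky}


def audit(text: str) -> List[Dict]:
    """Flag apps holding high-risk scopes: unverified apps first, then by user count.

    'urgent' = unverified app with a high-risk scope (review before trusting; Blocked
    or a Restricted service stops it); 'review' = verified app with a high-risk scope
    (confirm the scope is still needed).
    """
    findings = []
    for app in parse_export(text):
        hits = high_risk_hits(app["scopes"])
        if not hits:
            continue  # only basic or non-high-risk scopes
        findings.append({
            "name": app["name"],
            "client_id": app["client_id"],
            "org_unit": app["org_unit"],
            "users": app["users"],
            "severity": "review" if app["verified"] else "urgent",
            "high_risk": {svc: sorted(s) for svc, s in hits.items()},
        })
    findings.sort(key=lambda f: (f["severity"] != "urgent", -f["users"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"[{f['severity']}] {f['name']} ({f['org_unit']}, {f['users']} users): {f['high_risk']}")
```

Run it against a real Download list export by reading the file into audit(); because the accessed-apps list lags token grants by up to 48 hours (see the note under "Restrict or unrestrict Google services"), schedule the audit rather than treating one run as current.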

Manage third-party app access to Google services & add apps

You can manage access to certain apps by blocking those apps or marking them as Trusted, Specific Google data, or Limited:

  • Trusted—App has access to all Google Workspace services (OAuth scopes), including restricted services. You can allowlist apps configured using OAuth client IDs to maintain Application Programming Interface (API) access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access.
  • Specific Google data—Can request data access only to scopes that you specify when configuring the app.
  • Limited— App can only access unrestricted services. You can change an app’s data access setting from the apps list or from the app information page.

Change access from the app list
  1. In API controls, then App access control, click Manage Third-Party App Access.

  2. In either the configured app list or accessed app list, point to an app and click Change access. Or check the boxes next to multiple apps and click Change access at the top of the list. 
  3. Select the organizational units to configure access for:
    • To apply the setting to all users, leave the top-level organizational unit selected.
    • To apply to specific organizational units, click Select org units, then Include organizations, then select specific organizational units.
  4. Click Next.
  5. Choose an option:
    • Trusted—Can access all Google services (both restricted and unrestricted). Google-owned apps, such as Chrome browser, are automatically trusted and can't be configured as trusted apps. 
      (Optional) To have the selected apps maintain API access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access, select Allowlist for exemption from API access blocks in context-aware access. This option is only selectable for web, Android, or iOS apps added using OAuth client IDs. Selecting this option will not automatically exempt the app from API access blocks. You also need to exempt the app during Context-Aware Access level assignments. This allowlist applies only for the organizational units you specify in step 3.
    • Limited—Can access only unrestricted Google services.
    • Specific Google data—Can request data access only to scopes that you specify when configuring the app.
      Note: You must include the Google Sign-in scopes required by the app to allow users to sign in with their Google Account.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.

    Tip: To unconfigure an app, use the CSV upload option described in Add & configure third-party apps in bulk.

  6. Click Next.
  7. Review the scope and access setting, then click Change access.
Change access from the app information page

  1. Click an app in the list, then Access to Google data.
  2. Click the group or organizational unit you want to set data access for. By default, the top organizational unit is selected, and the change applies to your entire organization.
  3. Choose a data access level.
  4. Click Save.
  5. (Optional) Apply different settings for different org units as required. For example:
    • To block an app's access to all your users' data, select your top org unit and choose Blocked.
    • To block app access to only some users' data, set access to Trusted for the top organizational unit and Blocked for a child organizational unit containing those users. (Click Save after each org unit setting.)

Add a new app
  1. In App access control, click Manage Third-Party App Access.
  2. For Configured apps, click Add app.
  3. Choose OAuth App Name or Client ID (select this option to later allowlist the app for the API access exemption), Android, or iOS.
  4. Enter the app's name or client ID, then click Search.
  5. Point to the app and click Select.
  6. Check the boxes for the client IDs that you want to configure, then click Select.
  7. Select who to configure access for:
    1. By default, the top organizational unit is selected. Leave this selected to set access for all users in your organization.
    2. To configure access for specific organizational units, click Select org units, then click + to view your organizational units. Check the desired organizational units, then click Select.
  8. Click Continue.
  9. Choose an option:
    • Trusted—Can access all Google services (both restricted and unrestricted).
      (Optional) To have the selected apps maintain API access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access, select Allowlist for exemption from API access blocks in context-aware access. This option is only selectable for web, Android, or iOS apps added using OAuth client IDs. Selecting this option will not automatically exempt the app from API access blocks. You also need to exempt the app during Context-Aware Access level assignments. This allowlist applies only for the organizational units you specify in step 7. 
    • Limited—Can only access unrestricted Google services.
    • Specific Google data—Can request data access only to scopes that you specify when configuring the app.
      Note: You must include the Google Sign-in scopes required by the app to allow users to sign in with their Google Account.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. Blocking the app using API controls overrides the placement on the allowlist.
  10. Review settings for the new app, then click Finish.

Users are prompted to consent to add web apps. You can bypass the consent screen in the Google Workspace Marketplace (for approved apps only) through domain installation.

Choose settings for unconfigured apps

Third-party apps that you haven't configured as Trusted, Limited, Specific Google data, or Blocked (as described in Manage third-party app access to Google services & add apps) are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google Account. 

Find the settings for unconfigured apps

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu, then Security, then Access and data control, then API controls.
  3. Click Settings to expand the settings group.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. Select your settings. Go to Unconfigured app settings to learn more.
  6. Click Save.

Changes can take up to 24 hours but typically happen more quickly.

Unconfigured app settings

Custom user message

This is a custom message to show to users when they can't access a blocked app. To create a custom message, select On and enter a message. 

If the custom message is off or can't be shown, users see a default message instead.

Unconfigured third-party apps

This setting controls what happens when users try to sign in to unconfigured apps with their Google Account. Users can still access apps that are configured with Trusted, Limited, or Specific Google data access, regardless of this setting. 

Choose an option:

  • Allow users to access any third-party apps (default)—Users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
  • Allow users to access third-party apps that only request basic info needed for Sign in with Google—Users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. For more information, go to Use your Google Account to sign in to other apps or services.
  • Don’t allow users to access any third-party apps—Users can't sign in with Google to any third-party apps and websites until you configure those apps and sites with an access setting. For details, go to Manage third-party app access to Google services & add apps.

Google Workspace for Education editions: You can choose different settings for users who are over and under 18 years old. If you use this setting to block third-party apps, you can allow users who are under 18 years old to request access to blocked apps with the User requests to access unconfigured apps setting.
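
The rules in "Restrict or unrestrict Google services", the org-unit precedence note under "Access" in "Before you begin", and the "Unconfigured third-party apps" options above combine into one decision: may this app obtain this scope for a user in this org unit? The model below is an added example, written from the rules as this page states them, and is not Google's implementation. The short labels for the three unconfigured-app options, the set of scopes treated as "basic info needed for Sign in with Google", the org-unit path format and the sample tenant in example_policy are assumptions; the Trust internal apps box and Context-Aware Access exemptions are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Access settings an admin can configure for an app (names as used in the Admin console).
TRUSTED = "Trusted"
LIMITED = "Limited"
SPECIFIC = "Specific Google data"
BLOCKED = "Blocked"

# The three "Unconfigured third-party apps" options (labels are mine, not the console's).
UNCONFIGURED_ALLOW_ANY = "allow any third-party app"
UNCONFIGURED_BASIC_ONLY = "allow only basic Sign in with Google info"
UNCONFIGURED_DENY = "don't allow any third-party app"

# Assumed set of scopes that count as "basic info needed for Sign in with Google".
BASIC_SIGN_IN_SCOPES = {"openid", "email", "profile"}


@dataclass
class AppConfig:
    """Per-org-unit access settings for one configured app."""
    per_ou: Dict[str, str] = field(default_factory=dict)    # "/Sales/EMEA" -> setting
    specific_scopes: Set[str] = field(default_factory=set)  # used only with SPECIFIC


@dataclass
class ServicePolicy:
    """Restricted/Unrestricted state of one Google service plus its high-risk scopes."""
    restricted: bool
    high_risk_scopes: Set[str] = field(default_factory=set)
    # The optional step-7 checkbox: untrusted apps may still use non-high-risk scopes.
    allow_non_high_risk_for_untrusted: bool = False


def effective_setting(app: Optional[AppConfig], ou_path: str) -> Optional[str]:
    """Return the access setting that applies to a user in ou_path.

    The most specific configured org unit wins: a setting applied to a child org
    unit stays in effect even when the whole organization is configured differently
    afterwards.  None means the app is unconfigured.
    """
    if app is None:
        return None
    parts = [p for p in ou_path.strip("/").split("/") if p]
    for depth in range(len(parts), 0, -1):
        candidate = "/" + "/".join(parts[:depth])
        if candidate in app.per_ou:
            return app.per_ou[candidate]
    return app.per_ou.get("/")


def scope_allowed(scope: str, app: Optional[AppConfig], ou_path: str,
                  service: ServicePolicy, unconfigured_setting: str) -> bool:
    """Decide whether an app may obtain `scope` for a user in `ou_path`."""
    setting = effective_setting(app, ou_path)
    if setting == BLOCKED:
        return False
    if setting == TRUSTED:
        return True  # Trusted apps reach restricted and unrestricted services alike
    if setting is None:  # unconfigured app: the org-wide unconfigured-app setting applies
        if unconfigured_setting == UNCONFIGURED_DENY:
            return False
        if unconfigured_setting == UNCONFIGURED_BASIC_ONLY and scope not in BASIC_SIGN_IN_SCOPES:
            return False
    elif setting == SPECIFIC and scope not in app.specific_scopes:
        return False
    # Limited, Specific (for a listed scope) and unconfigured apps only reach
    # unrestricted services, unless the admin opted to allow non-high-risk scopes.
    if service.restricted:
        return (service.allow_non_high_risk_for_untrusted
                and scope not in service.high_risk_scopes)
    return True


def example_policy() -> Dict[str, object]:
    """Constructed tenant used for illustration; not real configuration."""
    gmail = ServicePolicy(restricted=True,
                          high_risk_scopes={"https://www.googleapis.com/auth/gmail.send",
                                            "https://www.googleapis.com/auth/gmail.readonly"},
                          allow_non_high_risk_for_untrusted=True)
    calendar = ServicePolicy(restricted=False)
    sign_in = ServicePolicy(restricted=False)
    # A CRM that is Trusted for everyone but Blocked for the Students org unit.
    crm = AppConfig(per_ou={"/": TRUSTED, "/Students": BLOCKED})
    # A scheduling tool that is Limited everywhere.
    scheduler = AppConfig(per_ou={"/": LIMITED})
    return {"gmail": gmail, "calendar": calendar, "sign_in": sign_in,
            "crm": crm, "scheduler": scheduler}


if __name__ == "__main__":
    p = example_policy()
    send = "https://www.googleapis.com/auth/gmail.send"
    print("CRM, staff, gmail.send:", scope_allowed(send, p["crm"], "/Staff", p["gmail"], UNCONFIGURED_ALLOW_ANY))
    print("CRM, students, gmail.send:", scope_allowed(send, p["crm"], "/Students", p["gmail"], UNCONFIGURED_ALLOW_ANY))
    print("Scheduler, gmail.send:", scope_allowed(send, p["scheduler"], "/", p["gmail"], UNCONFIGURED_ALLOW_ANY))
```

The useful property to check with a model like this is the interaction that bites in practice: switching a service to Restricted revokes tokens for every non-Trusted app at once, while the "allow non-high-risk scopes" checkbox re-opens only the scopes outside the high-risk list, so an app that needs one high-risk scope still has to be explicitly Trusted (and, per the org-unit rule, Trusted in the org unit the user actually sits in).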

Internal apps

This allows internal apps built by your organization to access restricted Google Workspace APIs. 

To allow API access for all internal apps, check the Trust internal apps box.

User requests to access unconfigured apps

This feature is available only with Google Workspace for Education editions.

This allows users who are under 18 years old to request access to blocked apps with the Unconfigured third-party apps setting.

When a user requests access to an app, admins are notified and can choose to configure an access setting that allows users access to apps. 

To allow users to request access, check the Allow users to request access to unconfigured third-party apps box.
