Allow only certain external connections for Apps Script and Sheets

Supported editions for this feature: Business Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus

As an administrator, you can control which external domains your users can access through Apps Script and Sheets. By default, Apps Script scripts and Google Sheets functions can send or fetch data using any URL. By creating a list of allowed URLs and blocking all others, you can help make your organization’s data more secure.

Step 1. Review current URL activity

Before you turn on your allowlist, review which URLs Apps Script and Sheets are using in the Drive event log to determine which are appropriate for your organization. The following steps describe how to review Drive log events in the Audit and investigation tool, but if your edition supports it you can use the Security investigation tool with a similar approach.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Reporting > Audit and investigation > Drive log events.
  3. Click Condition builder > Add Condition.
  4. For the attribute, select Event.
  5. For the event to match, select URL Accessed.
  6. Click Add Condition.
  7. For the attribute, select Event.
  8. For the event to match, select Sheets Import URL.
  9. At the top of the condition builder, change the condition operator from And to Or.
  10. Click Search. The results table shows all URL access events for the last 6 months, including the URL that was accessed.
  11. To export the list of events and review the URLs outside the admin console:
    1. At the top of the results table, click Export all.
    2. Enter a name for the export.
    3. Click Export. When the export completes, it’s listed under Export action results below the table.
    4. Click the name of your export. It opens in Google Sheets.

Step 2. Add URLs to your allowlist

Before you block importing and fetching from all URLs, add the appropriate URLs you identified in Step 1 to your allowlist so that workflows that use them aren’t blocked.

Before you begin: If needed, learn how to apply the setting to a department or group.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Drive and Docs > Features and Applications.

  3. Click Importing and fetching from URLs.
  4. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  5. Under the option Allow importing and fetching only from the following URLs, add the URLs you want to allow:
    1. Click Enter item.
    2. Enter the URL you want to allow. Note:
      • You can enter the URL with or without a protocol. For example, when you enter any of https://www.example.com, http://www.example.com, or www.example.com, all three versions are allowed. Protocols other than https:// and http://, such as ftp://www.example.com, aren’t supported.
      • The URL matches that URL and its paths. For example:
        • www.example.com allows access to www.example.com, www.example.com/home, and www.example.com/contact.
        • www.example.com/home allows access to www.example.com/home and www.example.com/home/page, but not www.example.com, www.example.com/home2, or www.example.com/contact.
      • You can use one wildcard (*) character to match subdomains. For example, https://*.example.com allows access to https://subdomain1.example.com and https://subdomain2.example.com, but not https://example.com.
    3. Click Add.
    4. Repeat for additional URLs. You can add up to 1000 URLs.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).
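
To check a draft allowlist against the URLs exported in Step 1 before turning it on in Step 3, the matching rules above can be modeled in a few functions. This is an added example, not Google's implementation: the function names and sample data are constructed here, and behavior the page does not document (host case, ports, subdomain depth) is marked as an assumption in the comments.

```javascript
// Split "scheme://host/path"; the scheme is optional in allowlist entries.
function splitUrl(raw) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/?#]+)([^?#]*)/i.exec(String(raw).trim());
  if (!m) return null;
  return {
    scheme: (m[1] || '').toLowerCase(),
    // Assumption: hosts compare case-insensitively. A port or userinfo stays in
    // the host string, so such URLs only match an identical entry.
    host: m[2].toLowerCase(),
    path: m[3].replace(/\/+$/, ''), // "/home/" and "/home" are treated alike
  };
}

function hostMatches(entryHost, host) {
  if (entryHost.startsWith('*.')) {
    // Covers subdomains, not the bare domain. Assumption: any depth matches.
    return host.endsWith(entryHost.slice(1)) && host.length > entryHost.length - 1;
  }
  return host === entryHost;
}

function pathMatches(entryPath, path) {
  // Whole-segment prefix: /home covers /home/page but not /home2.
  return entryPath === '' || path === entryPath || path.startsWith(entryPath + '/');
}

function isAllowed(url, allowlist) {
  const u = splitUrl(url);
  if (!u || !['http', 'https'].includes(u.scheme)) return false;
  return allowlist.some((entry) => {
    const e = splitUrl(entry);
    // Entries with any other protocol (for example ftp://) are unsupported.
    if (!e || !['', 'http', 'https'].includes(e.scheme)) return false;
    return hostMatches(e.host, u.host) && pathMatches(e.path, u.path);
  });
}

// URLs from the Step 1 export that the candidate allowlist would block.
function blockedUrls(urls, allowlist) {
  return urls.filter((url) => !isAllowed(url, allowlist));
}

// Constructed sample data (not from a real export).
const SAMPLE_ALLOWLIST = ['www.example.com/home', 'https://*.example.net'];
const SAMPLE_URLS = [
  'https://www.example.com/home/page', 'https://www.example.com/home2',
  'https://api.example.net/v1/data', 'https://example.net/feed',
];
console.log(blockedUrls(SAMPLE_URLS, SAMPLE_ALLOWLIST));
```

Any URL this reports as blocked is a workflow that would start returning errors once the allowlist is enforced, so each one needs either an allowlist entry or a decision that the access should stop.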

Step 3. Turn on your URL allowlist

Important: Add URLs to your allowlist before you allow only importing and fetching from those URLs. Otherwise, your organization’s workflows could be disrupted. You might want to communicate with your users before you change the setting. After you allow only certain URLs, Sheets and Apps Script return an error for functions that access URLs that aren’t on the allowlist.

Before you begin: If needed, learn how to apply the setting to a department or group.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Drive and Docs > Features and Applications.

  3. Click Importing and fetching from URLs.
  4. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  5. Select Allow importing and fetching only from the following URLs.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).
