Control which third-party & internal apps access Google Workspace data

To manage mobile apps for your organization, go here instead.

When users sign in to third-party apps using the "Sign in with Google" option (single sign-on), you can control how those apps access your organization’s Google data. You use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0. Some apps use OAuth 2.0 scopes—a mechanism to limit access to a user's account. 

You can also customize the message that users see when they try to install an unauthorized app. 

Note: For Google Workspace for Education, additional restrictions might prevent users in primary and secondary institutions from accessing certain third-party apps.

Before you begin: Review third-party apps for your organization

In App access control, you can review the following third-party apps:

  • Configured apps—Apps configured with an access setting (trusted, limited or blocked)
  • Accessed apps—Apps used by users that have accessed Google data
  • Apps pending review (Education editions)—Apps that users under 18 requested access to

Details about third-party apps typically appear 24–48 hours after authorization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Manage Third-Party App Access to view your configured apps. To filter the app list, click Add a filter and select an option.

    The app list shows app name, type, and ID, as well as the following information for each app:

    • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Many well-known apps might not be verified in this way. For more details, go to What is a verified third-party app?
    • Access—Which organizational units have a configured access policy for the app. Point to an app and click View details to see the access levels (Trusted, Limited, or Blocked). Click Change access to change the app's data access level
  4. To view accessed apps, in the Accessed apps section, click View list.

    For Accessed apps, you can also review:

    • Users—Number of users accessing the app.
    • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Google Calendar, or Google Drive). Non-Google requested services are listed as Other.
  5. From the Configured apps or Accessed apps list, click an app to do the following:
    • Manage whether your app can access Google services—Whether the app is marked as Trusted, Limited, or Blocked. If you change the access configuration, click Save.
    • View information about the app—The full OAuth2 client ID of the app, the number of users, the privacy policy, and the support information.
    • View the Google service APIs (OAuth scopes) that the app is requesting—A list of OAuth scopes that each app is requesting. To see each of the OAuth scopes, expand the table row or click Expand All
  6. (Optional) To download the app information into a CSV file, at the top of the Configured apps or Accessed apps list, click Download list.
    • All data in the table is downloaded (including data you don’t have displayed).
    • For configured apps, the CSV file has these additional columns: Verification status, Number of users, Org unit, Requested services, and API scopes associated with each service. If a configured app hasn't been accessed, its user count is zero (0) and the other 2 columns are blank.
    • For accessed apps, the CSV file has these additional columns: Verification status, Org unit, and API scopes associated with each service.

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users might be blocked from activating unverified apps that you don’t trust (see details on trusting apps later on this page). For more information, go to Authorize unverified third-party apps.

Restrict or unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services such as Machine Learning. Here's what each option means:

  • Restricted: Only apps configured with a trusted access setting can access data.
  • Unrestricted: Apps configured with a trusted or limited access setting can access data.

For example, if you set Calendar access as restricted, only apps configured with a trusted access setting can access Calendar data. Apps with a limited access setting can't access Calendar data. 

Note: For Gmail and Google Drive, you can specifically restrict access to high-risk services, for example, sending mail or deleting files in Drive.  

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Manage Google Services.
  4. From the list of services, check the boxes next to the services that you want to manage. To check all the boxes, check the Service box. 
  5. (Optional) To filter this list, click Add a filter and select from the following criteria:
    • Google services—Select from the list of services and click Apply.
    • Google services access—Select Unrestricted or Restricted and click Apply.
    • Allowed apps—Specify a range for the number of allowed apps and click Apply.
    • Users—Specify a range for the number of users and click Apply.
  6. At the top, click Change access and choose Unrestricted or Restricted.
    If you change access to Restricted, any previously installed apps that you haven’t trusted stop working and tokens are revoked. If a user tries to install (or sign in to) an app you haven't trusted that accesses a restricted service, they're notified that the app is blocked. Restricting access to the Drive service also restricts access to the Google Forms API.
    Note: The accessed apps list is updated 48 hours after a token is granted or revoked.
  7. (Optional) If you chose Restricted, to allow access to OAuth scopes that aren’t classified as high-risk (for example, scopes that allow apps to access user-selected files in Drive), check the For apps that are not trusted, allow users to give access to OAuth scopes that aren’t classified as high-risk box. (This box appears for apps such as Gmail and Drive, but not for all apps.)
  8. Click Change and confirm, if needed.
  9. (Optional) To review which apps have access to a service: 
    1. At the top, for Accessed apps, click View list.
    2. Click Add a filterand thenRequested services.
    3. Select the services you’re checking and click Apply.

Restrict access to high-risk OAuth scopes

Gmail, Drive, and Google Chat can also restrict access to a predefined list of high-risk OAuth scopes.

Gmail high-risk OAuth scopes
  • https://mail.google.com/
  • https://www.googleapis.com/auth/gmail.compose
  • https://www.googleapis.com/auth/gmail.insert
  • https://www.googleapis.com/auth/gmail.metadata
  • https://www.googleapis.com/auth/gmail.modify
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.settings.basic
  • https://www.googleapis.com/auth/gmail.settings.sharing

For details about Gmail scopes, go to Choose Gmail API Scopes.

Drive high-risk OAuth scopes
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.metadata
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/documents

For details about Drive scopes, go to Choose Google Drive API scopes.

Chat high-risk OAuth scopes
  • https://www.googleapis.com/auth/chat.delete
  • https://www.googleapis.com/auth/chat.import
  • https://www.googleapis.com/auth/chat.messages
  • https://www.googleapis.com/auth/chat.messages.readonly

For details about Chat scopes, go to Chat API scopes.

Manage third-party app access to Google services & add apps

You can manage access to certain apps by blocking those apps, or marking them as trusted or limited. A trusted app has access to all Google Workspace services (OAuth scopes), including restricted services. You can allowlist apps configured using OAuth client IDs to maintain Application Programming Interface (API) access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access. A limited app can only access unrestricted services. You can change an app’s data access setting from the apps list or from the app information page.

Change access from the app list

  1. In API controls and thenApp access control, click Manage Third-Party App Access.

  2. In either the configured app list or accessed app list, hover over an app and click Change access. Or, check the boxes next to multiple apps and at the top of the list, click Change access.  
  3. Select what OUs to configure access for:
    • To apply the setting to all users, leave the top-level organization unit selected.
    • To apply to specific organizational units, click Select org unitsand thenInclude organizations, then select specific organizational units.
  4. Click Next
  5. Choose an option:
    • Trusted—App can access all Google services (both restricted and unrestricted). Google-owned apps, such as Chrome browser, are automatically trusted and can't be configured as trusted apps. 
      (Optional) To have the selected apps maintain API access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access, select Allowlist for exemption from API access blocks in context-aware access. This option is only selectable for web, Android, or iOS apps added using OAuth client IDs. Selecting this option will not automatically exempt the app from API access blocks. You also need to exempt the app during Context-Aware Access level assignments. This allowlist applies only for the organizational units you specify in step 3 (earlier on this page).
    • Limited—Can access only unrestricted Google services.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.
  6. Click Next
  7. Review the scope and access setting, then click Change access
Change access from the app information page
  1. Click an app in the list, then Access to Google data.
  2. At the left, click the group or organizational unit you want to set data access for. By default, the top organizational unit is selected and the change applies to your entire organization.
  3. Choose a data access level.
  4. Click Save.
  5. (Optional) Apply different settings for different org units as required. For example:
    • To block an app's access to all your users' data, select your top org unit and choose Blocked.
    • To block app access to only some users' data, set access to Trusted for the top organizational unit, and Blocked for a child organizational unit containing those users. (Click Save after each org unit setting.)
Add a new app
  1. In App access control, click Manage Third-Party App Access.
  2. For Configured apps, click Add app.
  3. Choose OAuth App Name or Client ID (select this option to later allowlist the app from API exemption), Android, or IOS.
  4. Enter the app's name or client ID and click Search.
  5. Point to the app and click Select.
  6. Check the boxes for the client IDs that you want to configure and click Select.
  7. Select who to configure access for:
    1. By default, the top organizational unit is selected. Leave this selected to set access for all users in your organization.
    2. To configure access for specific organizational units, click Select org units, then click + to view your organizational units. Check the desired organizational units, then click Select.
  8. Click Continue.
  9. Choose an option:
    • Trusted—App can access all Google services (both restricted and unrestricted).
      (Optional) To have the selected apps maintain API access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access, select Allowlist for exemption from API access blocks in context-aware access. This option is only selectable for web, Android, or iOS apps added using OAuth client IDs. Selecting this option will not automatically exempt the app from API access blocks. You also need to exempt the app during Context-Aware Access level assignments. This allowlist applies only for the organizational units you specify in step 7. 
    • Limited—Can access only unrestricted Google services.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist..
  10. Review settings for the new app, then click Finish.

Users are prompted to consent to add web apps, but in the Google Workspace Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

Choose settings for unconfigured apps

Third-party apps that you haven't configured as trusted, limited, or blocked (as described in the preceding section, Manage third-party app access to Google services & add apps) are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google Account. 

Find the settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Settings and select your settings. Learn about the settings in the following section.
  4. Click Save

Changes can take up to 24 hours but typically happen more quickly. Learn more

Unconfigured app settings

Custom user message

This is a custom message to show to users when they can't access a blocked app. To create a custom message, select On and enter a message. 

If the custom message is off or can't be shown, users see a default message instead.

Unconfigured third-party apps

This setting controls what happens when users try to sign in to unconfigured apps with their Google Account. Users can still access apps that are configured with Trusted or Limited access, regardless of this setting. 

Choose an option:

  • Allow users to access any third-party apps (default)—Users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
  • Allow users to access third-party apps that only request basic info needed for Sign in with Google—Users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. For more information, go to Use your Google Account to sign in to other apps or services.
  • Don’t allow users to access any third-party apps—Users can't sign in with Google to any third-party apps and websites until you configure those apps and sites with an access setting. For details, go to the previous section, Manage third-party app access to Google services & add apps.

Google Workspace for Education editions: You can choose different settings for users who are over and under 18 years old. If you use this setting to block third-party apps, you can allow users who are under 18 years old to request access to those apps that are blocked with the User requests to access unconfigured apps setting.

Internal apps

This allows internal apps built by your organization to access restricted Google Workspace APIs. 

To allow API access for all internal apps, check the Trust internal apps box.

User requests to access unconfigured apps

This feature is available only with Google Workspace for Education editions.

This allows users who are under 18 years old to request access to apps that are blocked with the Unconfigured third-party apps setting.

When a user requests access to an app, admins are notified and can choose to configure an access setting that allows users access to apps. 

To allow users to request access, check the Allow users to request access to unconfigured third-party apps box.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
12970014255316538608
true
Search Help Center
true
true
true
true
true
73010