Whitelisting connected apps

Manage OAuth-based access to connected apps

As a super administrator, if you don't want sensitive Google Drive or Gmail content shared outside your organization's domain through third-party OAuth apps or add-ons, you can revoke OAuth access tokens.

You can also disable API scopes across several G Suite services, including Gmail, Drive, Calendar, and Google Cloud Platform services such as Machine Learning, and then selectively whitelist the third-party applications that may still access those scopes.

Disabling API access or trusting a third-party application for a G Suite service such as Calendar applies to every OAuth scope that service provides. Some services, such as Gmail and Drive, offer finer control: you can block only a predefined set of high-risk scopes instead of all access.

To whitelist applications, first decide which G Suite API scopes third-party apps may access. Then use the API Permissions settings under Security to create whitelists that define which specific apps can access a blocked scope. Create the whitelist before you block a scope: blocking revokes the tokens of every installed app that uses the scope and is not whitelisted.

Steps to whitelist an app

Step 1. Review third-party apps' access to API scopes
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (one that does not end in @gmail.com).

  2. From the Admin console Home page, go to Security.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click API Permissions.
  4. Examine API access for any of these core services:
    • G Suite:
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Admin
      • Vault
      • Apps Script runtime–Controls the actions Apps Script projects can perform. Includes App Maker apps, add-ons, and scripts from both inside and outside your domain.
      • Apps Script API–Controls whether clients can use the Apps Script API to manage projects. 
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing
  5. (Optional) Filter the installed apps by API permission, name, or number of users.
  6. Click the Apps link to confirm which apps can currently access the core service.
  7. Review these apps before proceeding to the next section to create your whitelist.
Step 2. Create a whitelist of trusted apps
  1. From the Admin console dashboard, go to Security and then API Permissions.
  2. At the bottom of the list of apps, click the Trusted Apps link.
  3. Click Whitelist an App.
    The Add App To Trusted List window opens.
  4. In the Select App Type list, select an option:
    • Android
    • iOS
    • Web applications, which require you to enter the app's OAuth2 Client ID.
  5. For Android or iOS®, type an app name and click Search to display a list of available apps.
  6. Scroll down to see more apps.
  7. Once the entire app list is displayed, use Ctrl + f or ⌘ + f (Mac) to search for all or part of an app name.
  8. Check the box next to the app you want to add, then click Add.
  9. (Optional) To provide internal apps access to the restricted G Suite APIs:
    1. Navigate back to the Security page.
    2. At the bottom of the page, next to Internal App Settings, check the Trust domain-owned apps box and click Save.

Note: If you disable Trust domain-owned apps, internal apps can’t access the restricted G Suite APIs. Domain-owned apps include:

  • Any Google Apps Script projects created by users within the domain
  • Apps associated with your organization in the Google Cloud Platform Console
Step 3. Block specific API scopes
  1. From the Admin console dashboard, go to Security and then API Permissions.
  2. Click the Apps link to confirm which apps will be affected.
    If you revoke an app's access, it can take up to 24 hours for the app to disappear from the list.
  3. By clicking the Disable radio button, you can block API access for any of these core services:
    • G Suite:
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Admin
      • Vault
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing

Note: For the Gmail and Drive APIs, use the menu to disable all access or only high-risk access. (High-risk access includes letting an application send email on a user's behalf or access sensitive data.)

If you disable API access:

  • Any already installed app that uses a blocked scope and is not on your whitelist stops working, and its tokens are revoked.
  • When a user tries to install an app that requests a blocked scope, they see this error message:

    Access to your account data is restricted by policies within your organization. Please contact the administrator for more information. 

Step 4. Remove apps from a whitelist
  1. From the Admin console dashboard, go to Security and then API Permissions.
  2. At the bottom of the list of apps, click the Trusted Apps link.
  3. Click the Action menu next to the app you want to remove from the whitelist and select Remove.
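Before you disable a scope in Step 3, it helps to know which installed apps and how many users will lose access, and which of those apps you still need to whitelist in Step 2. The Admin console's Apps link shows this per service; the script below does the same review offline over token records shaped like the Directory API tokens.list response (fields clientId, displayText, userKey, scopes). It is an added example, not code from this help page or from Google; the token records are constructed sample data, and the scope-to-service grouping and the "high-risk" scope set are this example's own assumptions, not the definitions the Admin console applies.

```python
"""Impact review before blocking a G Suite API scope.

Added example; not code from the Admin console help or from Google. Input
records mirror Directory API Token resources (clientId, displayText,
userKey, scopes). Sample data and both scope mappings are assumptions.
"""

G = "https://www.googleapis.com/auth/"  # common prefix of most Google scopes

# Constructed sample tokens (not real data), shaped like Token resources.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111-mailmerge.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper", "scopes": [G + "gmail.send", G + "userinfo.email"]},
    {"userKey": "frank@example.com", "clientId": "111-mailmerge.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper", "scopes": [G + "gmail.send"]},
    {"userKey": "bob@example.com", "clientId": "222-sync.apps.googleusercontent.com",
     "displayText": "Drive Sync Tool", "scopes": [G + "drive"]},
    {"userKey": "carol@example.com", "clientId": "333-cal.apps.googleusercontent.com",
     "displayText": "Calendar Bot", "scopes": [G + "calendar.readonly"]},
    {"userKey": "dave@example.com", "clientId": "444-notes.apps.googleusercontent.com",
     "displayText": "Note Taker", "scopes": [G + "drive.file"]},
    {"userKey": "erin@example.com", "clientId": "555-labels.apps.googleusercontent.com",
     "displayText": "Label Organizer", "scopes": [G + "gmail.labels"]},
]

# Assumed grouping of scope prefixes under the core services the page lists.
SCOPE_PREFIX_TO_SERVICE = {
    "https://mail.google.com/": "Gmail",
    G + "gmail.": "Gmail",
    G + "drive": "Drive",
    G + "calendar": "Calendar",
    G + "contacts": "Contacts",
    G + "admin.": "Admin",
    G + "ediscovery": "Vault",
    G + "cloud-platform": "Cloud Platform",
}

# Assumed, illustrative "high-risk" set: scopes that let an app send mail as
# the user or read/write all mail or Drive files. The exact set the Admin
# console uses is not stated on the page.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/", G + "gmail.send", G + "gmail.compose",
    G + "gmail.modify", G + "gmail.readonly", G + "drive", G + "drive.readonly",
}


def service_of(scope):
    """Return the core service a scope belongs to, or None if unmanaged."""
    for prefix, service in SCOPE_PREFIX_TO_SERVICE.items():
        if scope.startswith(prefix):
            return service
    return None


def scope_is_blocked(scope, policy):
    """policy maps a service name to "all" or "high_risk" (the two Disable
    options the page describes); services absent from it stay enabled."""
    mode = policy.get(service_of(scope))
    if mode == "all":
        return True
    if mode == "high_risk":
        return scope in HIGH_RISK_SCOPES
    return False


def review_impact(tokens, policy, trusted_client_ids=frozenset()):
    """Group tokens that `policy` would revoke by OAuth client ID.

    A token is affected when at least one of its scopes is blocked and the
    client is not whitelisted. Returns {clientId: {app, users, scopes}}.
    """
    affected = {}
    for tok in tokens:
        if tok["clientId"] in trusted_client_ids:
            continue  # whitelisted apps keep working after the scope is blocked
        hits = {s for s in tok["scopes"] if scope_is_blocked(s, policy)}
        if not hits:
            continue
        entry = affected.setdefault(
            tok["clientId"], {"app": tok["displayText"], "users": set(), "scopes": set()})
        entry["users"].add(tok["userKey"])
        entry["scopes"].update(hits)
    return affected


def format_report(affected):
    """One line per affected app, apps with the most users first."""
    rows = sorted(affected.items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    return "\n".join(
        f"{e['app']} ({cid}): {len(e['users'])} user(s); blocked scopes: "
        + ", ".join(sorted(e["scopes"])) for cid, e in rows)


if __name__ == "__main__":
    # Block high-risk Gmail access and all Drive access; Drive Sync Tool is whitelisted.
    policy = {"Gmail": "high_risk", "Drive": "all"}
    trusted = {"222-sync.apps.googleusercontent.com"}
    print(format_report(review_impact(SAMPLE_TOKENS, policy, trusted)))
```

Run it with tokens pulled from the Directory API for your users and the report tells you which apps to add to the trusted list before you click Disable; anything left in the report is what will break. The Label Organizer token is deliberately untouched by the high-risk Gmail setting, which is the distinction the Gmail and Drive menus in Step 3 give you.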