Whitelisting connected apps

Manage OAuth based access to connected apps

As a super administrator, if you don't want to share sensitive Drive or Gmail content outside your company domain through third-party OAuth apps, you can revoke OAuth access tokens. You can also whitelist applications. First, limit which G Suite API scopes can be accessed by third-party apps. Next, use the settings under Security and then G Suite API Permissions to create whitelists that define which specific apps can access blocked scopes.

Step 1. Review third-party app access to API scopes
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. Click G Suite API Permissions.
  4. As an admin, you can examine API access for these core services:
    • Gmail
    • Drive
    • Calendar
    • Contacts
    • Google Vault
    • G Suite Admin
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing
  5. Click the Apps link to confirm which apps can currently access the core service. You can filter your installed apps by API permissions, name, or by number of users.
  6. Review these apps before proceeding to the next section to create your whitelist.

Step 2. Create a whitelist of trusted apps
  1. From the Admin console dashboard, go to Security and then G Suite API Permissions.
  2. Click the Trusted Apps link.
  3. Click Whitelist an app.
    The Add App To Trusted List window opens.
  4. In the Select App Type list, select an option:
    • Android
    • iOS
    • Web applications—requires you to fill in the OAuth2 client ID.
  5. For Android or iOS, type an app name, then click Search to display a list of available apps.
  6. Move the scrollbar down to view additional apps.
  7. Once the entire app list is displayed, use Ctrl + f or ⌘ + f (Mac) to search for all or part of an app name.
  8. Check the box next to the app you want to add, then click Add.

Trust domain-owned apps

As an admin, you can trust domain-owned apps, which include:

  • Any Google Apps Script projects created by users within the domain
  • Apps associated with the organization in the Google Cloud Platform Console owned by the domain

To trust domain-owned apps, check the Trust domain-owned apps box and click Save.

Note: If you disable trust domain-owned apps, internal apps won't have access to the restricted G Suite APIs. 

Step 3. Block specific API scopes
  1. From the Admin console dashboard, go to Security and then G Suite API Permissions.
  2. As an admin, you can block API access for these core services:
    • Gmail
    • Drive
    • Calendar
    • Contacts
    • Google Vault
    • G Suite Admin
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing. 
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing
  3. Click the Apps link to confirm which apps will be affected before blocking API access. If you revoke an app's access, it takes up to 24 hours for the app to disappear from the list.
  4. Select the Disable radio button to remove API access.
  5. For Gmail and Drive APIs, use the drop-down list to disable all access or only high risk access. High risk access includes allowing an application to send emails on a user's behalf or allowing access to sensitive data.

Note: If you disable API access:

  • Any already installed apps will stop working after the scopes are blocked, and their tokens will be revoked.
  • When a user tries to install an app that has a blacklisted scope, they'll see an error message:

    Access to your account data is restricted by policies within your organization. Please contact the administrator for more information. 
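
Before disabling a service in Step 3, you can estimate which apps and users will be affected. The following Python code is an added example, not part of the original article: it takes token records using the field names of the Admin SDK Directory API token resource (`clientId`, `displayText`, `userKey`, `scopes`) and reports which non-whitelisted apps would lose access. The scope-to-service mapping, the sample records, and the client IDs are constructed assumptions.

```python
from collections import defaultdict

# Assumed scope-prefix-to-service mapping for four of the core services on
# this page; illustrative only, not Google's official classification.
SERVICE_PREFIXES = {
    "Gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail."),
    "Drive": ("https://www.googleapis.com/auth/drive",),
    "Calendar": ("https://www.googleapis.com/auth/calendar",),
    "Contacts": ("https://www.google.com/m8/feeds", "https://www.googleapis.com/auth/contacts"),
}

def services_for(scopes):
    """Return the core services touched by a list of OAuth scopes."""
    return {svc for svc, prefixes in SERVICE_PREFIXES.items()
            if any(s.startswith(prefixes) for s in scopes)}

def impact_of_block(tokens, blocked_services, trusted_client_ids):
    """Map each non-whitelisted client ID to the users and services affected."""
    report = defaultdict(lambda: {"name": "", "users": set(), "services": set()})
    for tok in tokens:
        if tok["clientId"] in trusted_client_ids:
            continue  # whitelisted apps keep access to blocked scopes
        hit = services_for(tok.get("scopes", [])) & set(blocked_services)
        if hit:
            entry = report[tok["clientId"]]
            entry["name"] = tok.get("displayText", "")
            entry["users"].add(tok["userKey"])
            entry["services"] |= hit
    return dict(report)

AUTH = "https://www.googleapis.com/auth/"
# Constructed sample records; client IDs and user keys are placeholders.
SAMPLE_TOKENS = [
    {"clientId": "client-a.example", "displayText": "Mail Merge Tool",
     "userKey": "user-1", "scopes": ["https://mail.google.com/", AUTH + "userinfo.email"]},
    {"clientId": "client-a.example", "displayText": "Mail Merge Tool",
     "userKey": "user-2", "scopes": [AUTH + "gmail.send"]},
    {"clientId": "client-b.example", "displayText": "Backup Vendor",
     "userKey": "user-1", "scopes": [AUTH + "drive"]},
    {"clientId": "client-c.example", "displayText": "Notes App",
     "userKey": "user-3", "scopes": [AUTH + "drive.file", AUTH + "calendar.readonly"]},
    {"clientId": "client-d.example", "displayText": "Profile Viewer",
     "userKey": "user-2", "scopes": [AUTH + "userinfo.profile"]},
]

if __name__ == "__main__":
    result = impact_of_block(SAMPLE_TOKENS, ["Gmail", "Drive"], {"client-b.example"})
    for client_id, info in sorted(result.items()):
        print(client_id, info["name"], sorted(info["users"]), sorted(info["services"]))
```

Apps that appear in the report are candidates for review in Step 1 and, if trusted, for the whitelist in Step 2 before the block takes effect.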

Step 4. Remove apps from a whitelist
  1. From the Admin console dashboard, go to Security and then G Suite API Permissions.
  2. Click the Trusted Apps link.
  3. Click the Action menu next to the app you want to remove from the whitelist, and select Remove.