
Whitelisting connected apps

Manage OAuth-based access to connected apps

As a super administrator, if you don't want to share sensitive Drive or Gmail content outside your company domain through third-party OAuth apps, you can revoke OAuth access tokens. Now you can also whitelist applications. First, limit which G Suite API scopes can be accessed by third-party apps. Next, use the settings under Security > G Suite API Permissions to create whitelists that define which specific apps can access blocked scopes.

Step 1. Review third-party app access to API scopes
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. Click Show more.
  4. Click G Suite API Permissions.
  5. As an admin you can examine API access for these core services:
    • Gmail
    • Drive
    • Calendar
    • Contacts

      The links to the right display all apps that can currently access the applicable core service. If you revoke an app's access, it takes up to 24 hours to disappear from the list.  
  6. Review these apps before proceeding to the next section to create your whitelist. You can filter your installed apps by API permissions, name, or by number of users.
Step 2. Create a whitelist of trusted apps
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. Click Show more.
  4. Click G Suite API Permissions.
  5. Click the Trusted Apps link.
  6. Click Add to whitelist an app.
    The Add App To Trusted List window opens.
  7. In the Select App Type list, select an option:
    • Android
    • iOS
    • Web applications
      Web applications require that you fill in the OAuth2 client ID.
  8. For Android or iOS, type an app name, then click Search to display a list of available apps.
  9. Move the scrollbar down to view additional apps.
  10. Once the entire app list is displayed, use Ctrl + f or ⌘ + f (Mac) to search for all or part of an app name.
  11. Check the box next to the app you want to add, then click Add.

Trust domain-owned apps

As an admin you can trust domain-owned apps, which include:

  • Any Google Apps Script projects created by users within the domain
  • Apps associated with the organization in the Google Cloud Platform Console owned by the domain

Note: If you disable trust domain-owned apps, internal apps won't have access to the restricted G Suite APIs. They'll stop working even if the specific app is not domain-owned.

Step 3. Block specific API scopes
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. Click Show more.
  4. Click G Suite API Permissions.
  5. As an admin you can block API access for these core services:
    • Gmail
    • Drive
    • Calendar
    • Contacts

      The links to the right display all apps that can currently access the applicable core service. When you revoke an app's access, it takes up to 24 hours to disappear from the list.
  6. Click the appropriate link to confirm which apps will be affected before blocking API access.
  7. Select the Disable radio button to remove API access or to selectively disable high-risk access for Gmail and Drive APIs. High-risk access includes allowing an application to send emails on a user's behalf or to access sensitive data.
    After you block the scopes, any already installed apps stop working and their tokens are revoked.

    When a user tries to install an app that has a blacklisted scope, they'll see this error message:

    Access to your account data is restricted by policies within your organization.
    Please contact the administrator for domain-name for more information. 
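
To support the review in Step 3 (confirming which apps will be affected before blocking API access), the following added example models the policy described on this page in Python; it is not part of the original article and is not a Google tool. The grant records, client IDs, scope-to-service mapping and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed mapping from OAuth scope prefixes to the four core services the
# page lists; extend it to match the scopes granted in your own domain.
SCOPE_SERVICE = {
    "https://mail.google.com/": "Gmail",
    "https://www.googleapis.com/auth/gmail": "Gmail",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/contacts": "Contacts",
}

def services_for(scopes):
    """Return the core services touched by a list of granted scopes."""
    return {svc for s in scopes for prefix, svc in SCOPE_SERVICE.items()
            if s.startswith(prefix)}

def impact_of_block(grants, blocked_services, trusted_client_ids,
                    domain_owned_ids=frozenset(), trust_domain_owned=True):
    """Group grants by app and report the apps that would stop working."""
    report = defaultdict(lambda: {"users": set(), "services": set()})
    for g in grants:
        hit = services_for(g["scopes"]) & set(blocked_services)
        cid = g["client_id"]
        if not hit or cid in trusted_client_ids:
            continue  # untouched by the block, or whitelisted in Step 2
        if trust_domain_owned and cid in domain_owned_ids:
            continue  # domain-owned apps are trusted as a group
        report[cid]["users"].add(g["user"])
        report[cid]["services"] |= hit
    return {cid: {"users": sorted(v["users"]), "services": sorted(v["services"])}
            for cid, v in report.items()}

# Constructed sample grants; client IDs and users are placeholders.
GRANTS = [
    {"client_id": "111-mailmerge.example", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"client_id": "111-mailmerge.example", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/drive.readonly"]},
    {"client_id": "222-backup.example", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"client_id": "333-scheduler.example", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"client_id": "444-internal.example", "user": "carol@example.com",
     "scopes": ["https://mail.google.com/"]},
]
```

Calling `impact_of_block(GRANTS, {"Gmail", "Drive"}, {"222-backup.example"}, {"444-internal.example"})` lists only the unlisted third-party app; passing `trust_domain_owned=False` also surfaces the internal app, matching the note under "Trust domain-owned apps".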
Step 4. Remove apps from a whitelist
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. Click Show more.
  4. Click G Suite API Permissions.
  5. Click the Trusted tab.
  6. Click the Action menu next to the app you want to remove from the whitelist, and select Remove.