Control which third-party & internal apps access Google Workspace data

To manage mobile apps for your organization, go here instead.

When users sign in to third-party apps using the "Sign in with Google" option (single sign-on), you can control how those third-party apps access your organization’s Google data. You use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0. Some apps use OAuth 2.0 scopes—a mechanism to limit access to a user's account. 

You can also customize the error message users see when they try to install an unauthorized app. 

Note: For Google Workspace for Education, additional restrictions might prevent users in primary and secondary institutions from accessing certain third-party apps.

Control app access to Google data

Expand all  |  Collapse all

Before you begin: Review third-party apps for your organization

In App access control, you can review the following:

  • Configured apps— Third-party apps configured with an access setting (trusted, limited or blocked). 
  • Accessed apps— Third-party apps used by users that have accessed Google data.
  • Apps pending review (Education editions only)—Third-party apps that users under 18 have requested access to.

Details about third-party apps typically appear 24–48 hours after authorization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Manage Third-Party App Access to view your configured apps. To filter the app list, click Add a filter and select an option.

    The app list shows app name, type, and ID, as well as the following information for each app:

    • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Many well-known apps might not be verified in this way. For more details, go to What is a verified third-party app?
    • Access—Which organizational units have a configured access policy for the app. Hover over an app in the list and click View details at right to see the specific OUs and the access level assigned to each OU (Trusted, Limited, or Blocked). Click Change access to change the app's data access level
  4. To view accessed apps, in the Accessed apps section, click View list.

    For Accessed apps, you can also review:

    • Users—Number of users accessing the app.
    • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Google Calendar, or Google Drive). Non-Google requested services are listed as Other.
  5. From the Configured apps or Accessed apps list, click an app to:
    • Manage whether your app can access Google services—Review whether the app is marked as Trusted, Limited, or Blocked. If you change the access configuration, click Save.
    • View information about the app—View the full OAuth2 client ID of the app, number of users, privacy policy, and support information.
    • View the Google service APIs (OAuth scopes) that the app is requesting—View a list of OAuth scopes that each app is requesting. To see each of the OAuth scopes, expand the table row or click Expand All
  6. (Optional) To download the app information into a CSV file, at the top of the Configured apps or Accessed apps list, click Download list.
    • All data in the table is downloaded (including data you don’t have displayed).
    • For Configured apps, the CSV file contains additional columns that aren't visible in the table: Number of users, Requested services, and API scopes associated with each service. If a configured app hasn't been accessed, the user count for that app will show zero (0) and the other 2 columns will be blank.

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users may be blocked from activating unverified apps that you don’t trust (see details on trusting apps below on this page). For more information on app verification, go to Authorize unverified third-party apps.

Restrict or unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services, such as Machine Learning. Here's what each option means:

  • Restricted: Only apps configured with a trusted access setting can access data for this service.
  • Unrestricted: Apps configured with a trusted or limited access setting can access data for this service.

For example, if you set Calendar access as restricted, only apps configured with a trusted access setting can access Calendar data. Apps with a limited access setting can't access Calendar data. 

Note: For Gmail and Google Drive, you can specifically restrict access to high-risk services, for example, sending mail or deleting files in Drive.  

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Manage Google Services.
  4. From the list of services, check the boxes next to the services that you want to manage.
    Check the Service box to check all the boxes. 
  5. (Optional) To filter this list, click Add a filter and select from the following criteria:
    • Google services—Select from the list of services, such as Drive or Gmail, and click Apply.
    • Google services access—Select Unrestricted or Restricted and click Apply.
    • Allowed apps—Specify a range for the number of allowed apps and click Apply.
    • Users—Specify a range for the number of users and click Apply.
  6. At the top, click Change access and choose Unrestricted or Restricted.
    If you change access to Restricted, any previously installed apps that you haven’t trusted stop working and tokens are revoked. When a user tries to sign in to an app that has a restricted scope, using their Google account, they’re notified that the app is blocked. Restricting access to the Drive service also restricts access to the Google Forms API.
    Note: The accessed apps list is updated 48 hours after a token is granted or revoked.
  7. (Optional) If you chose Restricted, to allow access to OAuth scopes that aren’t classified as high-risk (for example, scopes that allow apps to access user-selected files in Drive), check the For apps that are not trusted, allow users to give access to OAuth scopes that aren’t classified as high-risk box. (This check box will appear for apps such as Gmail and Drive, but not for all apps.)
  8. Click Change and confirm, if needed.
  9. (Optional) To review which apps have access to a service: 
    1. At the top, for Accessed apps, click View list.
    2. Click Add a filterand thenRequested services.
    3. Select the services you’re checking and click Apply.

Restrict access to high-risk OAuth scopes

Gmail and Drive can also restrict access to a predefined list of high-risk OAuth scopes.

For Gmail, high-risk OAuth scopes are:

  • https://mail.google.com/
  • https://www.googleapis.com/auth/gmail.compose
  • https://www.googleapis.com/auth/gmail.insert
  • https://www.googleapis.com/auth/gmail.metadata
  • https://www.googleapis.com/auth/gmail.modify
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.settings.basic
  • https://www.googleapis.com/auth/gmail.settings.sharing
    For details about Gmail scopes, go to Choose Auth Scopes.

For Drive, high-risk OAuth scopes are:

  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.metadata
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/documents
    For details about Drive scopes, go to API-specific authorization and authentication information .
Manage third-party app access to Google services & add apps

You can manage access to certain apps by blocking those apps, or marking them as trusted or limited. A trusted app has access to all Google Workspace services (OAuth scopes), including restricted services. A limited app can only access unrestricted services. You can change an app’s data access setting from the apps list or from the app information page.

Change access from the app list

  1. In API controls and thenApp access control, click Manage Third-Party App Access.

  2. In either the configured app list or accessed app list, hover over an app and click Change access. Or, check the boxes next to multiple apps and at the top of the list, click Change access.  
  3. Select what OUs to configure access for:
    • To apply the setting to all users, leave the top level organization unit selected.
    • To apply to specific OUs, click Select org unitsand thenInclude organizations, then select specific org units.
  4. Click Next
  5. Choose an option:
    • Trusted—App can access all Google services (both restricted and unrestricted). Google-owned apps, such as Chrome browser, are automatically trusted and can't be configured as trusted apps. 
    • Limited—Can access only unrestricted Google services.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.
  6. Click Next
  7. Review the scope and access setting, then click Change access.

Change access from the app information page

  1. Click an app in the list, then Access to Google data.
  2. At the left, click the group or organizational unit you want to set data access for. By default, the top organizational unit is selected and the change applies to your entire organization.
  3. Choose a data access level.
  4. Click Save.
  5. (Optional) Apply different settings for different org units as required. For example:
    • To block an app's access to all your users' data, select your top org unit and choose Blocked.
    • To block data access only to some users, set access to Trusted for the top organizational unit, and Blocked for a child organization unit containing those users. (Click Save after each org unit setting.)

Add a new app

  1. In App access control, click Manage Third-Party App Access.
  2. For Configured apps, click Add app.
  3. Choose OAuth App Name or Client ID, Android, or IOS.
  4. Enter the app's name or client ID and click Search.
  5. Point to the app and click Select.
  6. Check the boxes for the client IDs that you want to configure and click Select.
  7. Select who to configure access for:
    1. By default, the top organizational unit is selected. Leave this selected to set access for all users in your organization.
    2. To configure access for specific org units, click Select org units, then click + to view your org units. Check the desired org units, then click Select.
  8. Click Continue.
  9. Select Trusted, Limited, or Blocked and click Configure.
  10. Review settings for the new app, then click Finish.

Users are prompted to consent to add web apps, but in the Google Workspace Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

Customize the message for apps that users can't access

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click the Settings card.
  4. Click Custom user message.
  5. Turn the custom user message On.
  6. Enter your preferred user message in the message field. 
  7. Click Save.
Select settings for unconfigured apps

Third-party apps that you haven't configured as trusted, limited, or blocked (as described in Manage third-party app access to Google services & add apps above) are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google account.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Settings.
  4. Click Unconfigured third-party apps.
  5. Select an option:
    • Allow users to access any third-party apps (default)—users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
    • Allow users to access third-party apps that only request basic info needed for Sign in with Google—users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. Learn more about Sign in with Google.
    • Don’t allow users to access any third-party apps—blocks all OAuth scopes, including sign-in scopes. Users can't sign in with Google to any third-party apps and websites until they’re configured with an access setting.
  6. Click Save.

Important: Users will still be able to access apps configured with Trusted or Limited access, regardless of the Unconfigured third-party apps setting.

Settings for unconfigured third-party apps in Google Workspace for Education

Google Workspace for Education customers can make two settings for unconfigured apps: 1) for users over 18; 2) for users under 18. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Settings.
  4. Click Unconfigured third-party apps.
  5. Under Settings for users over 18, select an option:
    • Allow users to access any third-party apps with their account (default)—users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
    • Allow users to access third-party apps that only request basic info needed for Sign in with Google—users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. Learn more about Sign in with Google.
    • Don’t allow users to access any third-party apps—blocks all OAuth scopes, including sign-in scopes. Users can't sign in with Google to any third-party apps and websites until they’re configured with an access setting.
  6. Under Settings for users under 18, select an option:
    • Don’t allow users to access any third-party apps—blocks all OAuth scopes, including sign-in scopes. Users can't sign in with Google to any third-party apps and websites until they’re configured with an access setting.
    • Allow users to access third-party apps that only request basic info needed for Sign in with Google—users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. Learn more about Sign in with Google.
  7. Click Save.

Let internal apps access restricted Google Workspace APIs

If you build internal apps (owned by your organization), you can trust all apps to access restricted Google Workspace APIs. That way, you don’t have to trust them all individually.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  3. Click Internal apps.
  4. Check the Trust internal apps checkbox.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

true
' data-mime-type=
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
true
true
true
true
73010