Control which third-party & internal apps access G Suite data

You can control which third-party and domain-owned apps can access sensitive G Suite data. App access control governs access to G Suite services using OAuth 2.0. Modern, more secure apps request access through OAuth 2.0 scopes, named sets of API operations that bound what an app can do. These scopes limit an app to specific user data in most G Suite services, such as Gmail, Google Drive, Calendar, and Contacts. Use app access control to:

  • Restrict access to most G Suite services or leave them unrestricted.
  • Trust specific apps so they can access restricted G Suite services.
  • Trust all domain-owned apps.

The following steps show you how to do this, as well as how to find details about any third-party apps already in use. You can customize the error message users see when they try to install an unauthorized app. 

Note: To manage apps by mobile device operating system (Android or iOS), go to Set up managed apps for Android devices and Recommend and manage iOS apps.

Use app access control


Review the third-party apps in your environment

Before implementing controls, review the list of apps that your users have authorized to access G Suite data.

Note: Details about third-party apps typically appear in results within 24–48 hours.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then App access control.
    Note: If you don't have the App access control setting, follow the steps to manage apps. The new interface for App access control will be automatically available over the next few weeks.
  3. From the main App access control page, select Manage Third-Party App Access.
  4. To see details about an app, look for it in the app table.
    Each app entry shows the:
    • App name
    • App type
    • Number of users accessing the app
  5. Click an entry. 
    The app details page provides the:
    • G Suite services in use by the app
    • Full OAuth2 client ID of the app
    • Publisher information, including privacy policy and support links
    • Verification status, for apps that access certain restricted API scopes

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users may be blocked from activating unverified apps that you don’t trust (see details on trusting apps below). For more information on app verification, see Authorize unverified third-party apps.

Restrict access to Google services

You can restrict (or leave unrestricted) access to most G Suite services, including Google Cloud Platform services such as Machine Learning. For Gmail and Google Drive, you can specifically restrict access to high-risk scopes (for example, sending Gmail or deleting files in Drive). Users are still prompted to consent to apps, but if an app uses restricted scopes and you haven't specifically trusted it, they can't add it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then App access control.
    Note: If you don't have the App access control setting, follow the steps to manage apps. The new interface for App access control will be automatically available over the next few weeks.
  3. From the main App access control page, select Manage Google Services.
    Google services that you can control include:
    • G Suite:
      • G Suite Admin
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Vault
      • Apps Script runtime
        Controls access to projects that request certain high-risk scopes specific to Apps Script projects (for example, UrlFetch and Container UI). This includes App Maker apps, add-ons, and scripts from both inside and outside your organization. Apps Script runtime control works in tandem with Apps Script API controls and doesn't supersede them for Apps Script apps.
      • Apps Script API
        Controls access to any project (for example, Apps Script, GCP, AWS, etc.) that requests scopes for the Apps Script API (for example, Manage Projects and Manage Deployments).

    • Google Cloud Platform:
      • Cloud Platform (Includes all Google Cloud Platform services, except Machine Learning and Cloud Billing.)
      • Machine Learning (Includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API.)
      • Cloud Billing
  4. Review access for each service:
    • Unrestricted—All third-party apps can access this service, with user consent.
    • Restricted—Only apps you trust can access this service, with user consent.
    • Restricted - High-Risk Access—Only apps you trust can access high-risk scopes for this service. All apps can access lower-risk scopes. User consent is required in all cases.
      • For Gmail, high-risk OAuth scopes are:
        • https://mail.google.com/
        • https://www.googleapis.com/auth/gmail.compose
        • https://www.googleapis.com/auth/gmail.insert
        • https://www.googleapis.com/auth/gmail.metadata
        • https://www.googleapis.com/auth/gmail.modify
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/gmail.send
        • https://www.googleapis.com/auth/gmail.settings.basic
        • https://www.googleapis.com/auth/gmail.settings.sharing

          For details about Gmail scopes, see Choose Auth Scopes.

      • For Drive, high-risk OAuth scopes are:
        • https://www.googleapis.com/auth/drive
        • https://www.googleapis.com/auth/drive.apps.readonly
        • https://www.googleapis.com/auth/drive.metadata
        • https://www.googleapis.com/auth/drive.metadata.readonly
        • https://www.googleapis.com/auth/drive.readonly
        • https://www.googleapis.com/auth/drive.scripts
        • https://www.googleapis.com/auth/documents
          For details about Drive scopes, see About Authorization.
  5. (Optional) To review which apps have access to a service: 
    1. Above the table, click Apps.
    2. Click Add a filter and then Requested services.
    3. Select the services you're checking.
      The apps that have access to those services' OAuth scopes appear, along with their trusted status.
  6. To change access (for example, to restrict it): 
    • For just one service, point to its row in the table and, at the far right, click Change access.
    • For several services at once, select them in the table and, at the top of the table, click Change access.

After you change a service to Restricted, any previously installed apps that you haven't trusted stop working and their tokens are revoked. When a user tries to install an app that has a restricted scope, they're notified that it's blocked.

Add or remove an app from the trusted list

Trust specific apps that you want to access all G Suite services (OAuth scopes); you can also choose to trust all domain-owned apps. Trusting an app also lets users install it even if it hasn't been verified by our counter-abuse team. Apps that you don't trust have limited access to G Suite APIs: they can only access unrestricted services.

Tip: Users are prompted to consent to add web apps, but on G Suite Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then App access control.
    Note: If you don't have the App access control setting, follow the steps to manage apps. The new interface for App access control will be automatically available over the next few weeks.
  3. From the main App access control page, select Manage Third-Party App Access.
  4. Review the list of apps. 
  5. To search for a specific app name, client ID, or the services that the app accesses, click Add a filter.
    If the app appears on the list, it’s in use, trusted, or both.
  6. To change access (for example, to trust it): 
    • For just one app, point to its row in the table and, at the far right, click Change access.
    • For several apps at once, select them in the table and, at the top of the table, click Change access.

      You can set an app to these states:
      • Trusted—can access all Google services
      • Limited—can only access unrestricted Google services
  7. (Optional) To trust an app not on the list, at the top of the apps list, click Add app and select an option:
    • For web apps:
      1. Click OAuth App Name Or Client ID.
      2. Enter the client ID and click Search.
      3. Select the app and click Add.
    • For mobile apps:
      1. Click Android or iOS.
      2. Enter an app name and click Search to display a list of available apps.
      3. Select the app and click Add.

Note: If you change the access of a trusted app to limited and it has no active users, it will disappear from the list until you add it again or a user activates it.
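As an added illustration (not Google's code and not part of the Admin console), the following Python models the decisions described in the two procedures above: a policy maps each service to 'unrestricted', 'restricted' or 'high_risk' (Restricted - High-Risk Access), each app is Trusted or Limited, and the high-risk scope lists are the Gmail and Drive lists given earlier. It also answers the question an admin wants settled before changing a service to Restricted: which installed, untrusted apps would stop working and lose their tokens. The service-from-scope mapping, the sample inventory and the drive.file scope are assumptions made for this example.

```python
AUTH = "https://www.googleapis.com/auth/"
# High-risk scopes per service, copied from the Gmail and Drive lists above.
HIGH_RISK = {
    "gmail": {"https://mail.google.com/"} | {AUTH + "gmail." + s for s in (
        "compose", "insert", "metadata", "modify", "readonly", "send",
        "settings.basic", "settings.sharing")},
    "drive": {AUTH + "documents"} | {AUTH + s for s in (
        "drive", "drive.apps.readonly", "drive.metadata",
        "drive.metadata.readonly", "drive.readonly", "drive.scripts")},
}

def service_of(scope):
    """Service a scope governs; deriving it from the scope name is an assumption."""
    if scope == "https://mail.google.com/":
        return "gmail"
    name = scope.removeprefix(AUTH).split(".")[0]
    return "drive" if name == "documents" else name

def blocked_scopes(scopes, policy, trusted=False):
    """Scopes a user cannot grant this app; policy maps service -> access level."""
    if trusted:  # Trusted apps can access all Google services
        return set()
    blocked = set()
    for scope in scopes:
        svc = service_of(scope)
        level = policy.get(svc, "unrestricted")  # unlisted service: unrestricted
        # Restricted blocks every scope; high_risk blocks only the listed ones
        if level == "restricted" or (
                level == "high_risk" and scope in HIGH_RISK.get(svc, ())):
            blocked.add(scope)
    return blocked

def impact_of_change(apps, policy, changes):
    """name -> scopes that installed apps would lose (tokens revoked) under changes."""
    new_policy = {**policy, **changes}
    affected = {}
    for name, scopes, trusted in apps:
        newly = (blocked_scopes(scopes, new_policy, trusted)
                 - blocked_scopes(scopes, policy, trusted))
        if newly:
            affected[name] = sorted(newly)
    return affected

# Constructed sample inventory (name, scopes, trusted); drive.file is a real lower-risk Drive scope.
INVENTORY = [
    ("Mail merge add-on", {AUTH + "gmail.send", AUTH + "gmail.readonly"}, False),
    ("Calendar sync", {AUTH + "calendar.readonly"}, False),
    ("File picker", {AUTH + "drive.file"}, False),
    ("Internal reporting", {AUTH + "drive.readonly"}, True),  # on the trusted list
]
POLICY = {"gmail": "unrestricted", "drive": "high_risk"}
```

Run `impact_of_change(INVENTORY, POLICY, {"gmail": "restricted"})` to see that only the Limited mail-merge app loses its Gmail scopes, while the trusted reporting app and the lower-risk Drive app are unaffected.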

Let internal apps access restricted G Suite APIs

If you build internal apps, you can trust all such apps to access restricted G Suite services. Otherwise, you'll need to trust them individually.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then App access control.
    Note: If you don't have the App access control setting, follow the steps to manage apps. The new interface for App access control will be automatically available over the next few weeks.
  3. At the bottom of the page, check the Trust internal, domain-owned apps box and click Save.

Domain-owned apps include:

  • Google Apps Script projects created by users within the organization
  • Apps associated with the organization in the Google Cloud Platform Console

Customize the rejected-app message

Depending on the specific service and app, when a user tries to install a third-party web app, they see a consent or a rejection screen. You can customize this rejection screen. For example, you might add your support contact information.  

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then App access control.
    Note: If you don't have the App access control setting, follow the steps to manage apps. The new interface for App access control will be automatically available over the next few weeks.
  3. Go to Settings.
  4. In the box under “Show this message if a user tries to use an app that can’t access restricted Google services,” enter your custom text.
  5. Click Save.
