Control which third-party & internal apps access G Suite data

You can control which third-party and domain-owned apps can access sensitive G Suite data. App access control governs access to G Suite services using OAuth 2.0. Modern, more secure apps request access through OAuth 2.0 scopes, each of which defines the external API operations the app is permitted to call. These scopes provide access to limited user data from most G Suite services, such as Gmail, Google Drive, Calendar, and Contacts. Using app access control, you can:

  • Restrict access to most G Suite services or leave them unrestricted.
  • Trust specific apps so they can access restricted G Suite services.
  • Trust all domain-owned apps.

The following steps show you how to do this, as well as how to find details about any third-party apps already in use. You can also customize the error message users see when they try to install an unauthorized app.

Changes to Admin API settings starting November 4, 2019

Deprecation of the "API Reference" setting 

Starting on November 4, 2019, we're deprecating the API Reference setting. To improve security, only the G Suite Admin permission in the Admin console will control API access to G Suite Admin APIs.

What changes?

You need to take action only if your settings are currently:

  • API Reference is disabled (Location: Security > API Reference)
  • G Suite Admin access is enabled (Location: Security > App access control)

Beginning on November 4, 2019: If you have API Reference disabled, we'll automatically switch your G Suite Admin setting to Restricted. As a result, your users won't be able to sign in to certain apps until you grant G Suite Admin API access to the apps. Users will receive the alert, "Access to your account data is restricted by policies... " (or your customized message).

To restore users' access, follow the steps in the next section to:

  • Review your G Suite Admin API settings and the apps that request G Suite Admin access.
  • Add apps as Trusted apps, which can access the G Suite Admin APIs and grant OAuth tokens to users.

Use app access control

Review the third-party apps in your environment

Before implementing controls, review the list of apps that your users have authorized to access G Suite data.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > App access control.

    Requires the Security settings administrator privilege.

    From the Admin console Home page, go to Menu and then Security and then App access control.
  3. From the main App access control page, select Manage Third-Party App Access.
  4. To see details about an app, look for it in the app table. 
    Each app entry reveals the: 
    • App name
    • App type
    • Number of users accessing the app
  5. Click an entry. 
    The app details page provides the:
    • G Suite services in use by the app
    • Full OAuth2 client ID of the app
    • Publisher information, including privacy policy and support links
    • If verified, verification status for apps that access certain restricted API scopes

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users may be blocked from activating unverified apps that you don’t trust (see details on trusting apps below). For more information on app verification, see Authorize unverified third-party apps.

Restrict access to Google services

You can restrict (or leave unrestricted) access to most G Suite services, including Google Cloud Platform services such as Machine Learning. For Gmail and Google Drive, you can specifically restrict access to high-risk scopes (for example, sending Gmail or deleting files in Drive). Users are still prompted to consent to apps, but if an app uses restricted scopes and you haven’t specifically trusted it, users can’t add it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > App access control.

    Requires the Security settings administrator privilege.

    From the Admin console Home page, go to Menu and then Security and then App access control.
  3. From the main App access control page, select Manage Google Services.
    Google services that you can control include:
    • G Suite:
      • G Suite Admin
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Vault
      • Apps Script runtime (Controls the actions Apps Script projects can perform. Includes App Maker apps, add-ons, and scripts from both inside and outside your organization.)
      • Apps Script API (Controls whether clients can use the Apps Script API to manage projects.)

    • Google Cloud Platform:
      • Cloud Platform (Includes all Google Cloud Platform services, except Machine Learning and Cloud Billing.)
      • Machine Learning (Includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API.)
      • Cloud Billing
  4. Review access for each service:
    • Unrestricted—All third-party apps can access this service, with user consent.
    • Restricted—Only apps you trust can access this service, with user consent.
    • Restricted - High-Risk Access—Only apps you trust can access high-risk scopes for this service. All apps can access lower-risk scopes. User consent is required in all cases.
      • For Gmail, high-risk OAuth scopes are:
        • https://mail.google.com/
        • https://www.googleapis.com/auth/gmail.compose
        • https://www.googleapis.com/auth/gmail.insert
        • https://www.googleapis.com/auth/gmail.metadata
        • https://www.googleapis.com/auth/gmail.modify
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/gmail.send
        • https://www.googleapis.com/auth/gmail.settings.basic
        • https://www.googleapis.com/auth/gmail.settings.sharing

          For details about Gmail scopes, see Choose Auth Scopes.

      • For Drive, high-risk OAuth scopes are:
        • https://www.googleapis.com/auth/drive
        • https://www.googleapis.com/auth/drive.apps.readonly
        • https://www.googleapis.com/auth/drive.metadata
        • https://www.googleapis.com/auth/drive.metadata.readonly
        • https://www.googleapis.com/auth/drive.readonly
        • https://www.googleapis.com/auth/drive.scripts
        • https://www.googleapis.com/auth/documents
          For details about Drive scopes, see About Authorization.
  5. (Optional) To review which apps have access to a service: 
    1. Above the table, click Apps.
    2. Click Add a filter and then Requested services.
    3. Select the services you’re checking.
      The apps that have access to those services’ OAuth scopes appear, along with their trusted status.
  6. To change access (for example, to restrict it): 
    • For just one service, point to its row in the table and, at the far right, click Change access.
    • For several services at once, select them in the table and, at the top of the table, click Change access.

After you change scopes to Restricted, any previously installed apps that you haven’t trusted stop working and tokens are revoked. When a user tries to install an app that has a restricted scope, they’re notified that it’s blocked.
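Before switching Gmail or Drive to Restricted or Restricted - High-Risk Access, it helps to know which existing grants would stop working. The following added example (not from this help page or from Google) models that assessment offline: the Gmail and Drive high-risk scope sets are the ones listed above, and the token records are constructed sample data shaped like the Admin SDK Directory API users.tokens.list response (clientId, displayText, scopes, userKey). In practice you would pull those records from that API for each user; the client IDs and user names here are placeholders, and the trusted list stands in for the apps you have marked Trusted in the console.

```python
"""Assess which existing OAuth grants a Gmail/Drive access restriction would break.

Added example; not code from the Google help page or from Google.
Scope sets are copied from the page's Gmail and Drive high-risk lists.
Token records are constructed samples shaped like Directory API
users.tokens.list items; real data would come from that API.
"""

GMAIL_HIGH_RISK = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
DRIVE_HIGH_RISK = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
    "https://www.googleapis.com/auth/documents",
}
HIGH_RISK = GMAIL_HIGH_RISK | DRIVE_HIGH_RISK


def service_of(scope):
    """Map a scope to the service it belongs to: "Gmail", "Drive" or None."""
    if scope in GMAIL_HIGH_RISK or scope.startswith("https://www.googleapis.com/auth/gmail."):
        return "Gmail"
    if scope in DRIVE_HIGH_RISK or scope.startswith("https://www.googleapis.com/auth/drive"):
        return "Drive"
    return None


def blocked_scopes(scopes, service, level):
    """Scopes on `service` that an untrusted app loses under access `level`.

    "restricted" blocks every scope of the service; "high_risk" blocks only
    the high-risk scopes listed on the page (lower-risk scopes keep working).
    """
    on_service = {s for s in scopes if service_of(s) == service}
    if level == "restricted":
        return on_service
    if level == "high_risk":
        return on_service & HIGH_RISK
    raise ValueError(f"unknown access level: {level!r}")


def assess_impact(tokens, policy, trusted_client_ids):
    """Group grants by app (like the console's app table) and flag breakage.

    policy maps "Gmail"/"Drive" to "restricted" or "high_risk"; a service
    absent from policy is treated as Unrestricted. Returns {clientId: summary}.
    """
    apps = {}
    for tok in tokens:
        entry = apps.setdefault(tok["clientId"], {
            "app": tok["displayText"],
            "users": set(),
            "trusted": tok["clientId"] in trusted_client_ids,
            "blocked_scopes": set(),
        })
        entry["users"].add(tok["userKey"])
        if not entry["trusted"]:  # trusted apps keep access to all scopes
            for service, level in policy.items():
                entry["blocked_scopes"] |= blocked_scopes(tok["scopes"], service, level)
    for entry in apps.values():
        entry["users"] = len(entry["users"])
        entry["blocked_scopes"] = sorted(entry["blocked_scopes"])
        entry["affected"] = bool(entry["blocked_scopes"])
    return apps


# Constructed placeholder client IDs and users (not real values).
MAIL_CLIENT = "111111-mailclient.apps.googleusercontent.com"
BACKUP_CLIENT = "222222-drivebackup.apps.googleusercontent.com"
CALENDAR_CLIENT = "333333-calendar.apps.googleusercontent.com"
PICKER_CLIENT = "444444-filepicker.apps.googleusercontent.com"
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": MAIL_CLIENT, "displayText": "Example Mail Client",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "erin@example.com", "clientId": MAIL_CLIENT, "displayText": "Example Mail Client",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"userKey": "bob@example.com", "clientId": BACKUP_CLIENT, "displayText": "Example Drive Backup",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": CALENDAR_CLIENT, "displayText": "Example Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com", "clientId": PICKER_CLIENT, "displayText": "Example File Picker",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    report = assess_impact(SAMPLE_TOKENS, {"Gmail": "high_risk", "Drive": "high_risk"}, {BACKUP_CLIENT})
    for client_id, summary in report.items():
        print(client_id, summary)
```

Run against the constructed data with Gmail and Drive set to high-risk restriction and only the backup app trusted, the mail client (two users, high-risk Gmail scopes) is flagged, while the trusted backup app, the Calendar app, and the file picker on the lower-risk drive.file scope are not; switching Drive to plain Restricted flags the picker too.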

Add or remove an app from the trusted list

Trust specific apps that you want to have access to all G Suite services (OAuth scopes), or trust all domain-owned apps. Trusting apps also ensures that users can install apps that are unverified by our counter-abuse team. Apps that you don’t trust have limited access to G Suite APIs—they can only access unrestricted services.

Tip: Users are prompted to consent to add web apps, but on G Suite Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > App access control.

    Requires the Security settings administrator privilege.

    From the Admin console Home page, go to Menu and then Security and then App access control.
  3. From the main App access control page, select Manage Third-Party App Access.
  4. Review the list of apps. 
  5. To search for a specific app name, client ID, or the services that the app accesses, click Add a filter.
    If the app appears on the list, it’s in use, trusted, or both.
  6. To change access (for example, to trust it): 
    • For just one app, point to its row in the table and, at the far right, click Change access.
    • For several apps at once, select them in the table and, at the top of the table, click Change access.

      You can set an app to these states:
      • Trusted—can access all Google services
      • Limited—can only access unrestricted Google services
  7. (Optional) To trust an app not on the list, at the top of the apps list, click Add app and select an option:
    • For web apps:
      1. Click OAuth App Name Or Client ID.
      2. Enter the client ID and click Search.
      3. Select the app and click Add.
    • For mobile apps:
      1. Click Android or iOS.
      2. Enter an app name and click Search to display a list of available apps.
      3. Select the app and click Add.

Note: If you change the access of a trusted app to limited and it has no active users, it will disappear from the list until you add it again or a user activates it.

Let internal apps access restricted G Suite APIs

If you build homegrown apps, you can trust all such apps to access restricted G Suite services. Otherwise, you will need to trust them individually.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > App access control.

    Requires the Security settings administrator privilege.

    From the Admin console Home page, go to Menu and then Security and then App access control.
  3. At the bottom of the page, check the Trust internal, domain-owned apps box and click Save.

Domain-owned apps include:

  • Google Apps Script projects created by users within the organization
  • Those associated with the organization in the Google Cloud Platform Console

Customize the rejected-app message

Depending on the specific service and app, when a user tries to install a third-party web app, they see a consent or a rejection screen. You can customize this rejection screen. For example, you might add your support contact information.  

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > App access control.

    Requires the Security settings administrator privilege.

    From the Admin console Home page, go to Menu and then Security and then App access control.
  3. Go to Settings.
  4. In the box under “Show this message if a user tries to use an app that can’t access restricted Google services,” enter your custom text.
  5. Click Save.
