Control which third-party & internal apps access Google Workspace data

Before implementing controls, review the list of apps that have been authorized to access Google Workspace data.

Note: Details about third-party apps typically appear in results within 24–48 hours.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, select MANAGE THIRD-PARTY APP ACCESS.
4. View details about apps in the app table. 
   The following details are displayed: 
   • App name
   • Type
   • ID
   • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Note that many well-known apps might not be verified in this way. For more details, see What is a verified third-party app?
   • Users—Number of users accessing the app.
   • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Calendar, or Drive). Services not shown in the GOOGLE SERVICES tab are listed as Other.
   • Access—Specifies Trusted, Limited, or Blocked.
5. Click the table row of an app to open the app details page. From this page you can do the following:
   • View or change whether or not your app can access Google services—Review whether the app is marked as Trusted, Limited, or Blocked. If you change the access configuration, click SAVE.
   • View information about the app—This includes the full OAuth2 client ID of the app, number of users, privacy policy, and support information.
   • View the Google service APIs (OAuth scopes) that the app is requesting—From the Requested Services section of the app details page, you can view a list of OAuth scopes that each app is requesting. To see each of the OAuth scopes, be sure to expand the table row, or click EXPAND ALL. 
6. (Optional) Download app information.
   
   You can download all of the information in the app table by clicking Download app info. This downloads app metadata that's listed in all pages in the table to a CSV file.

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users may be blocked from activating unverified apps that you don’t trust (see details on trusting apps below). For more information on app verification, see Authorize unverified third-party apps.

You can restrict (or leave unrestricted) access to most Google Workspace services, including Google Cloud services such as Machine Learning. For Gmail and Google Drive, you can specifically restrict access to high-risk scopes (for example, sending Gmail or deleting files in Drive). While users are prompted to consent to apps, if an app uses restricted scopes and you haven’t specifically trusted it, users can’t add it.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, click MANAGE GOOGLE SERVICES.
4. From the list of services, check the boxes for the services that you want to manage.
   
   If needed, click Add a filter to narrow the size of the list using the following criteria:
   Google services—Select from the list of services, such as Drive or Gmail, and click APPLY.
   Google services access—Select Unrestricted or Restricted, and click APPLY.
   Allowed apps—Specify a range for the number of allowed apps, and click APPLY.
   Users—Specify a range for the number of users, and click APPLY.
   
   Google services that you can control include:
   • Google Workspace:
     • Google Workspace Admin
     • Gmail
     • Drive
     • Calendar
     • Contacts
     • Vault
     • Classroom
     • Tasks
     • Groups
     • Cloud Search
     • Apps Script runtime
       Controls access to projects that request certain high-risk scopes specific to Apps Script projects—for example, UrlFetch and Container UI. This includes add-ons and scripts from both inside and outside your organization. Apps Script runtime control works in tandem with Apps Script API controls, and doesn't supersede them for apps script apps.

     • Apps Script API
       Controls access to any project (for example, Apps Script, Google Cloud, AWS, etc.) that requests scopes for the Apps Script API(for example, Manage Projects and Manage Deployments).

   • Google Cloud:
     • Cloud (Includes all Google Cloud services, except Machine Learning and Cloud Billing.)
     • Machine Learning (Includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API.)
     • Cloud Billing
5. After you've selected the services from the list, click Change access.
   
   For just one service, point to a row in the table. At the far right, click Change access.
   For multiple services, click the checkboxes in the table. At the top of the table, click Change access.
    
6. To change access, choose from the following options:
   
   Unrestricted: Any user-approved app can access a service
   Restricted: Only trusted apps can access a service
    
7. Click CHANGE.
   On the Google services page, the Access column will display the access status for the services: Unrestricted or Restricted.
8. (Optional) To review which apps have access to a service: 
   1. Above the table, click APPS.
   2. Click Add a filterRequested services.
   3. Select the services you’re checking, and click APPLY.
      The apps that have access to their OAuth scopes and their trusted status will appear.

After you change scopes to Restricted, any previously installed apps that you haven’t trusted stop working and tokens are revoked. When a user tries to install an app that has a restricted scope, they’re notified that it’s blocked.

Gmail and Drive high-risk OAuth scopes

Gmail and Drive can also restrict access to a predefined list of high-risk OAuth scopes.

For Gmail, high-risk OAuth scopes are:

• https://mail.google.com/
• https://www.googleapis.com/auth/gmail.compose
• https://www.googleapis.com/auth/gmail.insert
• https://www.googleapis.com/auth/gmail.metadata
• https://www.googleapis.com/auth/gmail.modify
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.send
• https://www.googleapis.com/auth/gmail.settings.basic
• https://www.googleapis.com/auth/gmail.settings.sharing

  For details about Gmail scopes, see Choose Auth Scopes.

For Drive, high-risk OAuth scopes are:

• https://www.googleapis.com/auth/drive
• https://www.googleapis.com/auth/drive.apps.readonly
• https://www.googleapis.com/auth/drive.metadata
• https://www.googleapis.com/auth/drive.metadata.readonly
• https://www.googleapis.com/auth/drive.readonly
• https://www.googleapis.com/auth/drive.scripts
• https://www.googleapis.com/auth/documents
  For details about Drive scopes, see About Authorization.

From the App Access Control page, you can manage access to certain apps by blocking those apps, marking them as trusted, or providing access only to unrestricted Google services. 

Trust specific apps that you want accessing all Google Workspace services (OAuth scopes), or you can decide to trust all domain-owned apps. Trusting apps also ensures that users can install apps that are unverified by our counter-abuse team. Apps that you don’t trust have limited access to Google Workspace APIs—they can only access unrestricted services. You also have the option to block apps so they can't access any Google Workspace service.

Tip: Users are prompted to consent to add web apps, but on Google Workspace Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, click MANAGE THIRD-PARTY APP ACCESS.
4. From the list of apps, check the boxes for the apps that you want to manage.
   
   If needed, click Add a filter to narrow the size of the list using the following criteria:
   • App name—Type the name of the app in the Contains field, and click APPLY.
   • Type—Choose Web application, iOS, or Android, and click APPLY.
   • ID—Type a string in the Matches field, and click APPLY.
   • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Note that many well-known apps might not be verified in this way. For more details, see What is a verified third-party app?
   • Users—Specify a range for the number of users, and click APPLY.
   • Requested services—Choose from services such as Gmail or Drive, and click APPLY.
   • Access—Click Trusted, Limited, or Blocked, and click APPLY.
5. After you've selected the apps from the list, click Change access.
6. To change access, choose from the following options:
    
   • Trusted: Can access all Google services
   • Limited: Can access only unrestricted Google services
   • Blocked: Can't access any Google service
   Note: If you add an app for devices to an allowlist, but also block that same app using API controls, the app is blocked (the blocking of the app on the API controls page overrides the placement on the allowlist).
    
7. Click CHANGE.
   On the apps page, the Access column will display the access status for the apps: Trusted, Limited, or Blocked.

Note: If you change the access of a trusted or blocked app to limited, and if it has no active users, it will disappear from the list until you add it again or a user activates it.

To manage apps that are not included in the list:

1. Under App access control, click MANAGE THIRD-PARTY APP ACCESS.
2. Click Configure new app, and choose OAuth App Name or Client ID, Android, or IOS.
3. Type the app's name, and then click SEARCH.
4. From the list of search results, click Select for the app that you want to manage.
   Note: If you are configuring by OAuth app name or client ID, check the boxes for the client IDs that you want to configure, and then click SELECT.
5. Choose from the following options:
   
   Trusted: Can access all Google services
   Blocked: Can't access any Google service
    
6. Click CONFIGURE.
   
   On the apps page, the Access column will display the access status for the apps: Trusted or Blocked.

From the API controls page, you can block all third-party API access. By using this powerful control, requests by third-party apps and websites are denied access to user data. This setting blocks all OAuth scopes, including sign-in scopes, meaning that users will no longer be able to sign in with Google to third-party apps and websites.

Important: Users will have access to explicitly trusted apps and trusted domain-owned apps even when you enable the Block all third-party API access setting. For more details about trusted apps, see Manage access to apps: Trusted, Limited, or Blocked and Let internal apps access restricted Google Workspace APIs.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, check the Block all third-party API access box and click SAVE.

If you build internal apps, you can trust all such apps to access restricted Google Workspace services. Otherwise, you'll need to trust them individually.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, check the Trust internal, domain-owned apps box and click SAVE.

Domain-owned apps include:

• Google Apps Script projects created by users within the organization
• Those associated with the organization in the Google Cloud Console 

Note: When you trust internal, domain-owned apps, but also manage third-party app access to block one of those apps, the app will be blocked (see Manage access to apps: Trusted, Limited, or Blocked).

Depending on the specific service and app, when a user tries to install a third-party web app, they see a consent or a rejection screen. You can customize this rejection screen. For example, you might add your support contact information.  

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. On the Admin console Home page, go to SecurityAPI controls.
3. Under App access control, go to the Settings section.
4. Type your custom text in the box under the following message: Show this message if a user tries to use an app that can’t access restricted Google services.
5. Click SAVE.