Control which third-party & internal apps access Google Workspace data

To manage mobile apps for your organization, go here instead.

When users sign in to third-party apps using the "Sign in with Google" option (single sign-on), you can control how those apps access your organization’s Google data. Use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0. Some apps use OAuth 2.0 scopes—a mechanism to limit access to a user's account. 

You can also customize the message that users see when they try to install an unauthorized app. 

Note: For Google Workspace for Education, additional restrictions might prevent users in primary and secondary institutions from accessing certain third-party apps.

Before you begin: Review third-party apps for your organization

In App access control, you can review the following third-party apps:

  • Configured apps—Apps configured with an access setting (Trusted, Limited, Specific Google data, or Blocked).
  • Accessed apps—Apps used by users who have accessed Google data.
  • Apps pending review (Education editions)—Apps that users under 18 have requested access to.

Details about third-party apps typically appear 24–48 hours after authorization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > API controls.
  3. Click Manage Third-Party App Access to view your configured apps. To filter the app list, click Add a filter and select an option.

    The app list shows app name, type, and ID, as well as the following information for each app:

    • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Many well-known apps might not be verified in this way. For more details, go to What is a verified third-party app?
    • Access—Shows which organizational units have a configured access policy for the app. Point to an app and click View details to see the access levels (Trusted, Limited, Specific Google data, or Blocked). Click Change access to change the app's data access level.

      Note: If you apply access level “A” to a specific organizational unit, and then apply access level “B” to the entire organization, access level “A” remains in effect for the organizational unit.

  4. To see accessed apps, in the Accessed apps section, click View list.

    For Accessed apps, you can also review:

    • Users—Number of users accessing the app.
    • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Google Calendar, or Google Drive). Non-Google requested services are listed as Other.
  5. From the Configured apps or Accessed apps list, click an app to access the following:
    • Manage whether your app can access Google services—Shows whether the app is marked as Trusted, Limited, Specific Google data, or Blocked. If you change the access configuration, click Save.
    • View information about the app—Shows the full OAuth2 client ID of the app, the number of users, the privacy policy, and the support information.
    • View the Google service APIs (OAuth scopes) that the app is requesting—Provides a list of OAuth scopes that each app is requesting. To see each of the OAuth scopes, expand the table row or click Expand All.
  6. (Optional) To download the app information into a CSV file, at the top of the Configured apps or Accessed apps list, click Download list.
    • All data in the table is downloaded (including data you don’t have displayed).
    • For configured apps, the CSV file includes these additional columns: Verification status, Number of users, Org unit, Requested services, and API scopes associated with each service. If a configured app hasn't been accessed, its user count is zero (0), and the other 2 columns are blank.
    • For accessed apps, the CSV file has these additional columns: Verification status, Org unit, and API scopes associated with each service.
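The downloaded list can be triaged offline. The following is an added example, not part of the original page: it reads an export and lists apps that are not verified and request Gmail, Google Drive, or Google Chat, ordered by user count. The header text in the `COL_*` constants, the comma-separated layout of the requested-services cell, and the literal status value "Verified" are assumptions to check against your own file; the sample rows are constructed.

```python
import csv
import io

# Assumed header text; match these to the header row of your own export.
COL_NAME, COL_ID = "App name", "ID"
COL_VERIFIED, COL_USERS = "Verification status", "Number of users"
COL_SERVICES = "Requested services"

# Services for which the page says high-risk operations can be restricted.
SENSITIVE_SERVICES = {"gmail", "google drive", "google chat"}

# Constructed sample rows (not real export data).
SAMPLE_CSV = """\
App name,Type,ID,Verification status,Number of users,Org unit,Requested services
Acme Notes,Web,111-example,Verified,42,/,Google Calendar
MailMerge Pro,Web,222-example,Unverified,7,/Sales,"Gmail, Google Drive"
PDF Tool,Web,333-example,Unverified,,/,Other
Chat Bot,Web,444-example,Unverified,120,/,Google Chat
"""


def triage(csv_text, sensitive=SENSITIVE_SERVICES):
    """Return apps that are not verified and request a sensitive service, most-used first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {COL_NAME, COL_VERIFIED, COL_SERVICES} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing expected columns: {sorted(missing)}")
    findings = []
    for row in reader:
        cell = row.get(COL_SERVICES) or ""
        services = {s.strip().lower() for s in cell.split(",") if s.strip()}
        hits = sorted(services & sensitive)
        # Anything other than an explicit "Verified" (blank included) counts as unverified.
        verified = (row.get(COL_VERIFIED) or "").strip().lower() == "verified"
        if hits and not verified:
            users = (row.get(COL_USERS) or "").strip()
            findings.append({
                "app": row[COL_NAME],
                "client_id": row.get(COL_ID, ""),
                "users": int(users) if users.isdigit() else 0,  # blank count -> 0
                "services": hits,
            })
    return sorted(findings, key=lambda f: f["users"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

Apps that surface here are candidates for an explicit access setting (Trusted, Limited, Specific Google data, or Blocked) rather than being left unconfigured.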

App verification is Google’s program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users might be blocked from activating unverified apps that you don’t trust (see details on trusting apps later on this page). For more information, go to Authorize unverified third-party apps.

Restrict or unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services, such as Machine Learning. Here's what each option means:

  • Restricted—Only apps configured with a Trusted access setting can access data.
  • Unrestricted—Only apps configured with a Trusted, Limited, or Specific Google data access setting can access the scopes configured by an admin, regardless of whether the scope has restricted or unrestricted data access.

For example, if you set Calendar access as Restricted, only apps configured with a Trusted access setting can access Calendar data. Apps with a Limited access setting can't access Calendar data. 

Note: For Gmail, Google Drive, and Google Chat, you can specifically restrict access to high-risk services (for example, sending mail or deleting files in Drive). 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > API controls.
  3. Click Manage Google Services.
  4. From the list of services, check the boxes next to the services that you want to manage. To check all the boxes, check the Service box. 
  5. (Optional) To filter this list, click Add a filter and select from the following criteria:
    • Google services—Select from the list of services, then click Apply.
    • Google services access—Select Unrestricted or Restricted, then click Apply.
    • Allowed apps—Specify a range for the number of allowed apps, then click Apply.
    • Users—Specify a range for the number of users, then click Apply.
  6. At the top, click Change access and choose Unrestricted or Restricted.
    If you change access to Restricted, any previously installed apps that you haven’t trusted stop working, and tokens are revoked. If a user tries to install (or sign in to) an app you haven't trusted that accesses a restricted service, they're notified that the app is blocked. Restricting access to the Drive service also restricts access to the Google Forms API.
    Note: The accessed apps list is updated 48 hours after a token is granted or revoked.
  7. (Optional) If you chose Restricted, to allow access to OAuth scopes that aren’t classified as high risk (for example, scopes that allow apps to access user-selected files in Drive), check the For apps that are not trusted, allow users to give access to OAuth scopes that aren’t classified as high-risk box. (This box appears for such apps as Gmail and Drive, but not for all apps.)
  8. Click Change and confirm, if needed.
  9. (Optional) To review which apps have access to a service: 
    1. At the top, for Accessed apps, click View list.
    2. Click Add a filter > Requested services.
    3. Select the services you’re checking and click Apply.

Restrict access to high-risk OAuth scopes

Gmail, Google Drive, Docs, and Chat can also restrict access to a predefined list of high-risk OAuth scopes.

Manage third-party app access to Google services & add apps

You can manage access to certain apps by blocking those apps or marking them as Trusted, Specific Google data, or Limited:

  • Trusted—App has access to all Google Workspace services (OAuth scopes), including restricted services. You can allowlist apps configured using OAuth client IDs to maintain Application Programming Interface (API) access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access.
  • Specific Google data—Can request data access only to scopes that you specify when configuring the app.
  • Limited—App can only access unrestricted services. You can change an app’s data access setting from the apps list or from the app information page.

Choose settings for unconfigured apps

Third-party apps that you haven't configured as Trusted, Limited, Specific Google data, or Blocked (as described in Manage third-party app access to Google services & add apps) are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google Account. 

Find the settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > API controls.
  3. Click Settings to expand the settings group.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. Select your settings. Go to Unconfigured app settings to learn more.
  6. Click Save.

Changes can take up to 24 hours but typically happen more quickly.

Unconfigured app settings
