Control which third-party & internal apps access Google Workspace data

API Controls

When users sign in to third-party apps using the "Sign in with Google" option (single sign-on), you can control how those third-party apps access your organization’s Google data. You use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0.

You can also customize the error message users see when they try to install an unauthorized app.

 

1) Review Third-Party Apps for your organization.

In the Admin console, go to Security > Access and Data Control > API controls.

Click Manage Third-Party App Access to view your apps.

 

There you can review both Configured Apps and Accessed Apps.

 

From the Configured Apps or Accessed Apps list, click an app to:

  • Manage whether the app can access Google services
  • View information about the app
  • View the Google service APIs (OAuth scopes) that the app is requesting
  • View the number of users accessing the app (Users)

2) Restrict or Unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services.

Restricted: Only apps configured with a trusted access setting can access data for this service.

Unrestricted: Apps configured with a trusted or limited access setting can access data for this service.

For example, if you set Calendar access as restricted, only apps configured with a trusted access setting can access Calendar data. Apps with a limited access setting can't access Calendar data.

  • In the Admin console, go to Menu > Security > Access and Data control > API controls. Click Manage Google Services.
  • From the list of services, check the boxes next to the services that you want to manage.
    Check the Service box to check all the boxes.
  • At the top, click Change Access and choose Unrestricted or Restricted.
  • Click Change and confirm, if needed.

3) Manage third-party app access to Google services

You can manage access to certain apps by blocking those apps or marking them as trusted or limited. A trusted app has access to all Google Workspace services (OAuth scopes), including restricted services. A limited app can only access unrestricted services. You can change an app’s data access setting from the apps list.

1. In API controls > App access control, click Manage Third-Party App Access.
2. In either the configured app list or accessed app list, hover over an app and click Change access. Or, check the boxes next to multiple apps, and at the top of the list, click Change access.
3. Select which OUs to configure access for:
  • To apply the setting to all users, leave the top-level organizational unit selected.
  • To apply to specific OUs, click Select org Units > Include organizations, then select specific org units.
4. Click Next.
5. Choose an option:
  • Trusted—The app can access all Google services (both restricted and unrestricted). Google-owned apps, such as Chrome browser, are automatically trusted and can't be configured as trusted apps.
  • Limited—Can access only unrestricted Google services.
  • Blocked—Can't access any Google service.
    If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.
6. Click Next.
7. Review the scope and access settings, then click Change Access.

4) Select settings for unconfigured apps

Third-party apps that you haven't configured as trusted, limited, or blocked are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google account.

  • In the Admin console, go to Menu > Security > Access and data control > API controls.
  • Click Settings.
  • Click Unconfigured third-party apps.
  • Select an option:
    • Allow users to access any third-party apps (default): Users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
    • Allow users to access third-party apps that only request basic info needed for Sign in with Google: Users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture.
    • Don’t allow users to access any third-party apps: Blocks all OAuth scopes, including sign-in scopes. Users can't sign in with Google to any third-party apps and websites until they’re configured with an access setting.
  • Click SAVE.
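
The rules in sections 2 to 4 combine into one allow-or-deny decision per requested OAuth scope. The Python sketch below is an added example, not Google's code or part of the original article; it models that decision so an app inventory can be reviewed before settings are changed. The scope-to-service prefixes, the policy names, the handling of sign-in scopes for limited and blocked apps, and the sample apps are assumptions made for illustration.

```python
# Added example: a model of the access rules described on this page.
# The scope-to-service prefixes and all app data are constructed assumptions.
SIGN_IN_SCOPES = {"openid", "email", "profile"}
SCOPE_PREFIX_TO_SERVICE = {
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/gmail": "Gmail",
}

def service_for(scope):
    """Map a scope to a service name by prefix (assumed mapping)."""
    for prefix, service in SCOPE_PREFIX_TO_SERVICE.items():
        if scope.startswith(prefix):
            return service
    return None  # unmapped scopes are treated as unrestricted in this model

def scope_allowed(scope, app_setting, restricted, unconfigured_policy):
    """app_setting: 'trusted', 'limited', 'blocked' or None (unconfigured).
    unconfigured_policy: 'allow_any', 'sign_in_only' or 'deny_all'."""
    if app_setting == "blocked":
        return False  # blocked apps can't access any Google service
    if app_setting == "trusted":
        return True   # trusted apps reach restricted and unrestricted services
    if app_setting is None and unconfigured_policy == "deny_all":
        return False  # blocks all OAuth scopes, including sign-in scopes
    if app_setting is None and unconfigured_policy == "sign_in_only":
        return scope in SIGN_IN_SCOPES
    # Limited apps, and unconfigured apps under 'allow_any': unrestricted only.
    # Assumption: sign-in scopes are not tied to a restrictable service.
    if scope in SIGN_IN_SCOPES:
        return True
    return service_for(scope) not in restricted

def audit(apps, restricted, unconfigured_policy):
    """Return {app name: [scopes that would be denied]}."""
    return {
        name: [s for s in scopes
               if not scope_allowed(s, setting, restricted, unconfigured_policy)]
        for name, (setting, scopes) in apps.items()
    }

# Constructed inventory: name -> (access setting, requested scopes)
CAL = "https://www.googleapis.com/auth/calendar.readonly"
DRIVE = "https://www.googleapis.com/auth/drive.file"
SAMPLE_APPS = {
    "scheduler": ("trusted", ["openid", "email", CAL]),
    "notes": ("limited", ["openid", CAL, DRIVE]),
    "old-sync": ("blocked", ["email", DRIVE]),
    "unknown-tool": (None, ["openid", "profile", DRIVE]),
}
```

Calling `audit(SAMPLE_APPS, {"Calendar"}, "sign_in_only")` lists, per app, the scopes that would stop working if Calendar were restricted and unconfigured apps were limited to basic sign-in.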

     

Please check this supporting article for more information: API Controls