Wednesday, June 22, 2022

Control which third-party & internal apps access Google Workspace data - Google Workspace Admin Help [gg-a-en]


To manage mobile apps for your organization, go here instead.

You can control how apps access your organization's Google Workspace data. You use settings in the Google Admin console to govern access to Google Workspace services through OAuth 2.0. Some apps use OAuth 2.0 scopes—a mechanism to limit access to a user's account. 

You can also customize the error message users see when they try to install an unauthorized app. 

Note: For Google Workspace for Education, additional restrictions might prevent users in primary and secondary institutions from accessing certain third-party apps.

Control app access to Google Workspace data


Before you begin: Review authorized third-party apps

Before implementing controls, review the list of apps that have been authorized to access Google Workspace data. Details about third-party apps typically appear 24–48 hours after authorization.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.

    You can review the number of configured and accessed apps.

    • Configured apps are apps with an access policy (trusted or blocked). If you haven't trusted or blocked any apps, you'll see zero (0) configured apps.
    • Accessed apps are third-party apps used by users that have accessed Google data.
  3. Click Manage Third-Party App Access.
    Configured apps are displayed by default. You can review:
    • App name
    • Type
    • ID
    • Verified status—Verified apps have been reviewed by Google to ensure compliance with certain policies. Many well-known apps might not be verified in this way. For more details, go to What is a verified third-party app?
    • Access—Specifies Trusted or Blocked.
  4. (Optional) To view accessed apps, in the Accessed apps section, click View list.

    For Accessed apps, you can also review:

    • Users—Number of users accessing the app.
    • Requested services—Google service APIs (OAuth2 scopes) that each app is using (for example, Gmail, Google Calendar, or Google Drive). Non-Google requested services are listed as Other.
  5. From the Configured apps or Accessed apps list, click an app to review:
    • Manage whether your app can access Google services—Review whether the app is marked as Trusted, Limited, or Blocked. If you change the access configuration, click Save.
    • View information about the app—View the full OAuth2 client ID of the app, number of users, privacy policy, and support information.
    • View the Google service APIs (OAuth scopes) that the app is requesting—View a list of the OAuth scopes that each app is requesting. To see each of the OAuth scopes, expand the table row or click Expand All.
  6. (Optional) To download the app information into a CSV file, at the top of the Configured apps or Accessed apps list, click Download list.
    • All data in the table is downloaded (including data you don't have displayed).
    • For Configured apps, the CSV file contains additional columns that aren't visible in the table: Number of users, Requested services, and API scopes associated with each service. If a configured app hasn't been accessed, the user count for that app will show zero (0) and the other 2 columns will be blank.

App verification is Google's program to ensure that third-party apps accessing sensitive customer data pass security and privacy checks. Users may be blocked from activating unverified apps that you don't trust (see details on trusting apps below on this page). For more information on app verification, go to Authorize unverified third-party apps.

Step 2: Restrict or unrestrict Google services

You can restrict, or leave unrestricted, access to most Google Workspace services, including Google Cloud services, such as Machine Learning. For Gmail and Google Drive, you can specifically restrict access to high-risk services, for example, sending mail or deleting files in Drive. Users are still prompted to consent to apps, but if an app needs a restricted service and you haven't specifically trusted the app, users can't add it.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.
  3. Click Manage Google Services.
  4. From the list of services, check the boxes next to the services that you want to manage.
    Check the Service box to check all the boxes. 
  5. (Optional) To filter this list, click Add a filter and select from the following criteria:
    • Google services—Select from the list of services, such as Drive or Gmail, and click Apply.
    • Google services access—Select Unrestricted or Restricted and click Apply.
    • Allowed apps—Specify a range for the number of allowed apps and click Apply.
    • Users—Specify a range for the number of users and click Apply.
  6. At the top, click Change access and choose Unrestricted or Restricted.
    If you change access to Restricted, any previously installed apps that you haven't trusted stop working and tokens are revoked. When a user tries to install an app that has a restricted scope, they're notified that it's blocked. Restricting access to the Drive service also restricts access to the Google Forms API.
  7. (Optional) If you chose Restricted, to allow access to OAuth scopes that aren't classified as high-risk (for example, scopes that allow apps to access user-selected files in Drive), check the For apps that are not trusted, allow users to give access to OAuth scopes that aren't classified as high-risk box.
  8. Click Change and confirm, if needed.
  9. (Optional) To review which apps have access to a service: 
    1. At the top, for Accessed apps, click View list.
    2. Click Add a filter and then Requested services.
    3. Select the services you're checking and click Apply.

Restrict access to high-risk OAuth scopes

Gmail and Drive can also restrict access to a predefined list of high-risk OAuth scopes.

For Gmail, high-risk OAuth scopes are:

  • https://mail.google.com/
  • https://www.googleapis.com/auth/gmail.compose
  • https://www.googleapis.com/auth/gmail.insert
  • https://www.googleapis.com/auth/gmail.metadata
  • https://www.googleapis.com/auth/gmail.modify
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.settings.basic
  • https://www.googleapis.com/auth/gmail.settings.sharing
    For details about Gmail scopes, go to Choose Auth Scopes.

For Drive, high-risk OAuth scopes are:

  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.metadata
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/documents
    For details about Drive scopes, go to API-specific authorization and authentication information.

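One way to put these two lists to work on the CSV that Download list produces (the Configured apps or Accessed apps export described earlier on this page), as an added example that is not part of the help page: the script flags every app whose requested scopes include a high-risk Gmail or Drive scope and orders the findings so that untrusted apps with active users come first, since those are the apps a Restricted setting would cut off and whose tokens would be revoked. The column names (App name, ID, Verified status, Access, Number of users, Requested services, API scopes) are assumptions about the export's layout, and the sample rows and client IDs are constructed.

```python
"""Triage the CSV from 'Download list' in Manage Third-Party App Access,
flagging apps that request any of the high-risk Gmail or Drive scopes.

Added example, not part of the help page: the column names are assumptions
about the export's layout, and the CSV text is constructed sample data."""
import csv
import io

# High-risk scopes exactly as the help page lists them.
HIGH_RISK_GMAIL = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
})
HIGH_RISK_DRIVE = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
    "https://www.googleapis.com/auth/documents",
})
HIGH_RISK = HIGH_RISK_GMAIL | HIGH_RISK_DRIVE

# Constructed sample export; column names are assumed, client IDs are placeholders.
SAMPLE_CSV = """App name,ID,Verified status,Access,Number of users,Requested services,API scopes
Mail Helper,client-id-1,Verified,Trusted,42,Gmail,"https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/userinfo.email"
File Picker,client-id-2,Verified,Limited,300,Drive,"https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.profile"
Backup Tool,client-id-3,Not verified,Limited,7,Drive,"https://www.googleapis.com/auth/drive.readonly https://www.googleapis.com/auth/drive.metadata.readonly"
Old Sync,client-id-4,Not verified,Blocked,0,Gmail,https://mail.google.com/
"""


def parse_scopes(field: str) -> set:
    """Scopes may be separated by spaces or commas in the export; accept both."""
    return {s for s in field.replace(",", " ").split() if s}


def triage(csv_text: str) -> list:
    """Return one finding per app that requests at least one high-risk scope,
    untrusted apps first and larger user counts first within each group."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        risky = sorted(parse_scopes(row.get("API scopes", "")) & HIGH_RISK)
        if not risky:
            continue
        findings.append({
            "app": row["App name"],
            "client_id": row["ID"],
            "access": row["Access"],
            "verified": row["Verified status"],
            "users": int(row.get("Number of users") or 0),
            "high_risk_scopes": risky,
        })
    # Untrusted apps with real users are the ones a Restricted setting would cut
    # off (their tokens are revoked), so they go to the top of the review queue.
    findings.sort(key=lambda f: (f["access"] == "Trusted", -f["users"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['access']:<8} users={f['users']:<4} {f['app']} ({f['verified']})")
        for scope in f["high_risk_scopes"]:
            print(f"         {scope}")
```

Apps that request only non-high-risk scopes (the File Picker row, which asks for drive.file) do not appear in the output; they are exactly the requests the "allow users to give access to OAuth scopes that aren't classified as high-risk" checkbox in Step 2 lets through.
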
Step 3: Manage third-party app access to Google services & add apps

You can manage access to certain apps by blocking those apps, marking them as trusted, or providing access only to unrestricted Google services. A trusted app has access to all Google Workspace services (OAuth scopes), including restricted services. Apps that you don't trust can only access unrestricted services.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.
  3. For App access control, click Manage Third-Party App Access.
  4. For Configured apps, click View list.
  5. (Optional) To filter the list, click Add a filter and select an option: 
    • App name—Enter the name of the app and click Apply.
    • Type—Select Web application, iOS, or Android and click Apply.
    • ID—Enter the app ID and click Apply.
    • Verified status—Select Google verified and click Apply to review apps that are reviewed by Google and comply with certain policies. For more details, go to What is a verified third-party app?
    • Access—Check the Trusted or Blocked box and click Apply.
  6. Point to an app and click Change access. To change several apps at once, check the boxes next to them and, at the top, click Change access. You can trust all domain-owned apps, or block apps so they can't access any Google Workspace service.
  7. Choose an option:
    • Trusted—Trusting an app overrides a service restriction. Google-owned apps, such as Chrome browser, are automatically trusted and can't be configured as trusted apps. 
    • Limited—Can access only unrestricted Google services.
    • Blocked—Can't access any Google service.
      If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.
  8. Click Change.
    If you change an app's access to Trusted or Blocked, the app is added to the Configured apps list. If you change access to Limited, the app is removed from the Configured apps list. If you change the access to Limited and the app has no active users, you won't see it in the list until a user activates it.

Add a new app

  1. Under App access control, click Manage Third-Party App Access.
  2. For Configured apps, click Add app.
  3. Choose OAuth App Name or Client ID, Android, or iOS.
  4. Enter the app's name or client ID and click Search.
  5. Point to the app and click Select.
  6. Check the boxes for the client IDs that you want to configure and click Select.
  7. Select Trusted or Blocked and click Configure.

Users are prompted to consent to add web apps, but in the Google Workspace Marketplace, for approved apps only, you can bypass the consent screen through domain installation.

Customize the message for an unauthorized app

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.
  3. For App access control, in the Settings section, enter a message and click Save.

Step 4: Control API access

Block all third-party API access

You can block all third-party API access so that requests by third-party apps and websites are denied access to user data. This setting blocks all OAuth scopes, including sign-in scopes, meaning that users will no longer be able to sign in with Google to third-party apps and websites.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.
  3. For App access control, in the Settings section, check the Block all third-party API access box and then click Save.

Some settings override API settings. For example, if there is an explicitly trusted app, the user will still be able to access this trusted app even if you check the Block all third-party API access box.

Let internal apps access restricted Google Workspace APIs

If you build internal apps (owned by your organization), you can trust all apps to access restricted Google Workspace APIs. That way, you don't have to trust them all individually.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then API controls.
  3. Under App access control, check the Trust internal, domain-owned apps box and then click Save.
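The controls in Steps 2 through 4 interact, and the page states the precedence rules in several places: a Trusted app overrides a service restriction and the Block all third-party API access setting; a Blocked app gets no Google service at all, even if a device allowlist includes it; a Limited app gets only unrestricted services unless the non-high-risk checkbox from Step 2 is on; restricting Drive also restricts the Forms API; and the Trust internal, domain-owned apps switch makes every domain-owned app Trusted. As an added example that is not Google's code, the following model encodes those rules so an admin can reason about what a given app would be allowed before changing a setting. The class and service names and the client IDs are constructed, and the precedence of an explicit per-app setting over the internal-apps switch is an assumption the page does not state.

```python
"""Model of the access decision this page describes: given the API controls an
admin has configured, can a Trusted, Limited, Blocked or internal app obtain a
given OAuth scope?

Added example, not Google's implementation. It encodes only the rules stated on
the help page; the class names, service names and client IDs are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ApiControls:
    restricted_services: frozenset            # services set to Restricted (Step 2)
    allow_non_high_risk_for_untrusted: bool   # the Step 2 checkbox for untrusted apps
    configured_apps: dict                     # client ID -> "Trusted" | "Blocked" (Step 3)
    block_all_third_party: bool               # "Block all third-party API access" (Step 4)
    trust_internal_apps: bool                 # "Trust internal, domain-owned apps" (Step 4)


@dataclass(frozen=True)
class App:
    client_id: str
    internal: bool = False   # owned by the organization's own domain


def effective_access(app: App, controls: ApiControls) -> str:
    """Trusted, Blocked or Limited, as the Configured apps list would show it."""
    explicit = controls.configured_apps.get(app.client_id)
    if explicit in ("Trusted", "Blocked"):
        # Assumption: an explicit per-app setting wins over the internal-apps switch.
        return explicit
    if app.internal and controls.trust_internal_apps:
        return "Trusted"
    return "Limited"


def is_restricted(service: str, controls: ApiControls) -> bool:
    # The page states that restricting Drive also restricts the Google Forms API.
    if service == "Forms" and "Drive" in controls.restricted_services:
        return True
    return service in controls.restricted_services


def scope_allowed(app: App, service: str, high_risk: bool, controls: ApiControls):
    """Return (allowed, reason) for one scope request by one app."""
    access = effective_access(app, controls)
    if access == "Blocked":
        return False, "Blocked apps cannot access any Google service"
    if access == "Trusted":
        return True, "Trusted apps override service restrictions and Block all"
    if controls.block_all_third_party:
        return False, "Block all third-party API access denies every scope, sign-in included"
    if not is_restricted(service, controls):
        return True, f"{service} is unrestricted"
    if not high_risk and controls.allow_non_high_risk_for_untrusted:
        return True, f"{service} is restricted, but non-high-risk scopes are allowed"
    return False, f"{service} is restricted and the app is not trusted"


# Constructed configurations for the scenarios below.
BASE = ApiControls(
    restricted_services=frozenset({"Gmail", "Drive"}),
    allow_non_high_risk_for_untrusted=True,
    configured_apps={"trusted-client-id": "Trusted", "blocked-client-id": "Blocked"},
    block_all_third_party=False,
    trust_internal_apps=True,
)
STRICT = replace(BASE, allow_non_high_risk_for_untrusted=False)
BLOCK_ALL = replace(BASE, block_all_third_party=True)

UNKNOWN = App("unknown-client-id")                 # never configured, so Limited
INTERNAL = App("internal-client-id", internal=True)


if __name__ == "__main__":
    scenarios = [
        ("trusted app, high-risk Gmail scope", App("trusted-client-id"), "Gmail", True, BASE),
        ("limited app, high-risk Gmail scope", UNKNOWN, "Gmail", True, BASE),
        ("limited app, drive.file on restricted Drive", UNKNOWN, "Drive", False, BASE),
        ("same request, non-high-risk checkbox off", UNKNOWN, "Drive", False, STRICT),
        ("limited app, Forms while Drive is restricted", UNKNOWN, "Forms", False, STRICT),
        ("internal app, high-risk Drive scope", INTERNAL, "Drive", True, BASE),
        ("limited app, sign-in scope under Block all", UNKNOWN, "Sign-in", False, BLOCK_ALL),
    ]
    for label, app, service, hr, ctl in scenarios:
        ok, why = scope_allowed(app, service, hr, ctl)
        print(f"{'ALLOW' if ok else 'DENY '}  {label}: {why}")
```

Edit BASE to mirror your own tenant's settings and run the script before flipping a service to Restricted or turning on Block all; the Limited scenarios are the ones whose existing tokens the page says are revoked when a service becomes restricted.
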
