← All controls

8 OAuth app access control / allowlisting

By default any user can grant a third-party app OAuth scopes over their Workspace data, and the grant survives password resets. This control inverts the default: unconfigured apps are blocked, and every app holding a Workspace scope is explicitly Trusted, Limited, Specific Google data, or Blocked, with access requests worked from the shared 'Apps pending review' queue. It also covers the domain-wide delegation table, where a client ID impersonates users with no user consent at all — the highest-value list in the tenant.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Security > Access and data control > API controls

    https://admin.google.com/ac/owl · captured 2026-07-15

    Security › Access and data control › API controls
    Unconfigured third-party apps
    Don't allow users to access any third-party apps

    Control which apps access Google Workspace data ↗

  2. open ↗ Security › Access and data control › API controls › App access control

    Per app: Trusted (all scopes) only for apps with an owner and a business case; everything else = Blocked

    Control which apps access Google Workspace data ↗

  3. open ↗ Security › Access and data control › API controls › App access control

    Allow users to request access to unconfigured third-party apps = On (with the 'Apps pending review' queue actively monitored) or Off

    Review & manage third-party app access requests ↗

  4. open ↗ Security › Access and data control › API controls › Manage Domain Wide Delegation

    Remove every client ID you cannot attribute to a current, owned integration; narrow remaining scopes to the minimum

    Control API access with domain-wide delegation ↗

Ongoing maintenance

How to verify

  1. From a test account, authorise a random unconfigured third-party app against Drive scopes — the consent should be refused with the admin-configured message.

  2. Confirm no wide-open default remains: API controls should show unconfigured third-party apps = blocked (or restricted).

v0.0.3Prevent policy #19 · #37 ↗