Block third-party apps in Google Workspace

(formerly G Suite)


Why might you want to block third-party apps?

When users connect third-party apps to Google Workspace, they are asked to grant specific permissions to the app, which determine what the app is allowed to do to Google Workspace data. These specific permissions are called OAuth2 scopes.

For example, when you connected Trelica to Google Workspace, Google asked you to confirm that you were happy for Trelica to access your Google Workspace data:

Trelica can highlight applications that have connected to Google Workspace and been granted high-risk OAuth2 scopes.

You may be concerned about some of the applications that Trelica has highlighted as having high-risk access permissions and want to block access to them.

Trelica lets you revoke access tokens (which means that the application loses access), but a user can still re-grant permissions. This is because the Google Workspace API doesn't let Trelica block applications permanently.

Although blocking isn't available through the API, the Google Workspace Admin console now lets you block individual OAuth2 apps.

Block existing app access

The new settings are in Security > API Controls.

The top panel is called App Access control and the button you are looking for is called Manage Third-Party App Access.

Clicking Manage Third-Party App Access shows you a list of all the apps that have been granted access to Google Workspace in one form or another:

Sometimes apps don't show up in the list of Connected apps. This appears to be a fault in the Google Admin console. You can still block these apps by following the steps to block a new app.

You can click on one of the rows to see the specific details of the services that the application has requested and been granted by Google Workspace. Google calls them Google service APIs; technically they are known as OAuth2 scopes:

The App Access panel at the top has an Access Configuration option which lets you choose Blocked if you want to block access going forwards:

The Third-Party App Access list shows individual “OAuth Client IDs”, and a single app can be assigned multiple Client IDs, so you may need to go back to the main list and find all instances of the app you want to block.
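To find every Client ID that belongs to one app before blocking it, you can group an export of OAuth token grants by app name. This is an added example, not Trelica's or Google's code: it assumes records shaped like the Admin SDK Directory API token resource (userKey, clientId, displayText, scopes), and the sample data and the high-risk scope list are constructed for illustration.

```python
from collections import defaultdict

# Assumed list of scopes to treat as high-risk (illustrative only,
# not Trelica's or Google's classification).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample grants; field names follow the Directory API token resource.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1111-aaa.apps.googleusercontent.com",
     "displayText": "Example Notes", "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "bob@example.com", "clientId": "2222-bbb.apps.googleusercontent.com",
     "displayText": "Example Notes", "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": "3333-ccc.apps.googleusercontent.com",
     "displayText": "Example Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "1111-aaa.apps.googleusercontent.com",
     "displayText": "example notes ", "scopes": ["https://mail.google.com/"]},
]


def client_ids_by_app(tokens):
    """Group grants by normalised app name -> {client_id: {"users", "risky_scopes"}}."""
    apps = defaultdict(dict)
    for tok in tokens:
        name = tok.get("displayText", "").strip().casefold() or "(unnamed)"
        entry = apps[name].setdefault(tok["clientId"], {"users": set(), "risky_scopes": set()})
        entry["users"].add(tok["userKey"])
        entry["risky_scopes"] |= HIGH_RISK_SCOPES.intersection(tok.get("scopes", []))
    return dict(apps)


def block_list(tokens):
    """Return all Client IDs of any app where at least one Client ID holds a high-risk scope."""
    result = {}
    for name, clients in client_ids_by_app(tokens).items():
        if any(c["risky_scopes"] for c in clients.values()):
            # Include sibling Client IDs too: blocking only the flagged one leaves the app reachable.
            result[name] = sorted(clients)
    return result


if __name__ == "__main__":
    for app, ids in block_list(SAMPLE_TOKENS).items():
        print(app, "->", ", ".join(ids))
```

In the sample, the second Client ID for "Example Notes" holds no high-risk scope itself but is still listed, because it is another instance of the same app.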

Block apps before access has been granted

The above is great where apps have already requested access, but what if you want to pre-emptively block an app?

Go back to the Third-Party App Access Control list, and click Configure new app. Choose OAuth App Name Or Client ID:

Enter the name of the app (or the client ID which Trelica will give you when you choose to block an app) and click Search.

This will show you a list of OAuth Client IDs (there may be several). Select them all, and click the blue Select button at the bottom right.

You can then select Blocked, and click the Configure button to confirm:
