Mark PDFs, images, and Microsoft Office files as offline in Drive, launching to beta

What’s changing

Google is improving the ability to control access to G Suite data by third-party and domain-owned apps. The new app access control feature will update the interface and controls in the G Suite Admin console to help you search for, research, and control apps using OAuth2 to access G Suite data.

Specifically, app access control will replace the current API Permissions feature to help you:

  • Find: Identify apps being used and see which have been verified to access restricted OAuth2 scopes.
  • Assess: Understand which apps are being used and get support information about them.
  • Control: Manage what data each app can access and which users are empowered to use it.

Who’s impacted

Admins only

Why it matters

G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so Google’s customers and partners value controls to manage third-party apps accessing G Suite data.

With app access control, you can have better visibility into the third-party apps your users have approved to access their G Suite data, and you can reduce any risk to your company data by limiting access to trusted apps.

How to get started

Additional details

Find: Identify apps being used and see which have been verified for access to restricted OAuth2 scopes. 

The new interface will help you see which apps and Google services are being used. Also, Google previously announced that it now blocks new installs for unverified third-party apps that access Gmail data, unless you trust them in the Admin console. You can now use Google’s app details page to verify apps’ trusted status.

App access control – Apps page 

Assess: Research the risk profile for the app and its developer or publisher. 

You’ll be able to see more details about each app and its publisher or developer. This will include the developer’s support email, privacy policy, and Terms of Service (if available). In addition, if the app is verified, Google will show you this information here. This information can help you decide whether to trust/allow or block/limit an app.

App details page 

Control: Manage what data each app can access and which users are empowered to use it. 

You’ll also be able to adjust whether you trust or limit apps accessing G Suite data via OAuth2 scopes.
With these new controls, you now have an easier way to restrict access to APIs (OAuth2 scopes) for Google services such as Gmail, Drive, and the Admin console.

Please note that this does not cover domain-wide delegation and service accounts. This continues to be managed with the Manage API Client Access page on the Security menu.

App access control – changing access levels for an app 

The Advanced Protection Program can add extra protections for high-risk users. 

The Advanced Protection Program for enterprise, which was announced in general availability, helps you enforce a set of enhanced security policies for the employees in your organization who are most at risk for targeted attacks. Once users self-enroll, the program enforces an app access control policy—it will automatically block applications that require restricted Gmail and Drive access unless explicitly trusted by the admins—as well as other policies. These include the use of security keys, enhanced email scanning for threats, and download protections in Google Chrome. Find out more about the Advanced Protection Program for enterprise here.


Rollout details 

G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default for all G Suite domains.