https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/For-those-that-disable-third-party-apps-but-allow-internal-apps/m-p/180849#M4536 <P>We identified something that was new to us but maybe others already knew this.&nbsp;</P><UL><LI>We have GCP disabled within our Google Workspace environment for all users except a few that need it</LI><LI>We have AppScripts enabled by default - something that may change in the future</LI><LI>We have Google Drive service within the API Third Party area to "Restricted" - so only trusted apps can access that service-data</LI><LI>We had before yesterday the "internal third party apps are trusted" enabled</LI><LI>We noticed that users were still using mail merge applications with access to Drive data in which we did not "trust"</LI><LI>Further investigating, came to find out that AppScript has the ability to create hidden Projects within GCP regardless of the GCP Service on/off within Workspace&nbsp;</LI><LI>So users had set up an AppScript mail merge third party app (which really was just an user-initiated-internal-app using AppScript) which then provided access to Drive data - reason being that "trust internal apps" was checked</LI><LI>We unchecked the "trust internal apps" and then had to "block" then "limit" in bulk the list of "internal" apps&nbsp;</LI></UL><P>This may be common sense or already known, but it was new to us since the blocking of third party apps is relatively new. So consider this: google services (AppScript) and other google services (GCP) along with a misunderstanding of "trust internal apps" led to users still having access to drive data.&nbsp;</P> Wed, 15 Oct 2025 14:40:18 GMT alexgrutza 2025-10-15T14:40:18Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/For-those-that-disable-third-party-apps-but-allow-internal-apps/m-p/180849#M4536 <P>We identified something that was new to us but maybe others already knew this.&nbsp;</P><UL><LI>We have GCP disabled within our Google Workspace environment for all users except a few that need it</LI><LI>We have AppScripts enabled by default - something that may change in the future</LI><LI>We have Google Drive service within the API Third Party area to "Restricted" - so only trusted apps can access that service-data</LI><LI>We had before yesterday the "internal third party apps are trusted" enabled</LI><LI>We noticed that users were still using mail merge applications with access to Drive data in which we did not "trust"</LI><LI>Further investigating, came to find out that AppScript has the ability to create hidden Projects within GCP regardless of the GCP Service on/off within Workspace&nbsp;</LI><LI>So users had set up an AppScript mail merge third party app (which really was just an user-initiated-internal-app using AppScript) which then provided access to Drive data - reason being that "trust internal apps" was checked</LI><LI>We unchecked the "trust internal apps" and then had to "block" then "limit" in bulk the list of "internal" apps&nbsp;</LI></UL><P>This may be common sense or already known, but it was new to us since the blocking of third party apps is relatively new. So consider this: google services (AppScript) and other google services (GCP) along with a misunderstanding of "trust internal apps" led to users still having access to drive data.&nbsp;</P> Wed, 15 Oct 2025 14:40:18 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/For-those-that-disable-third-party-apps-but-allow-internal-apps/m-p/180849#M4536 alexgrutza 2025-10-15T14:40:18Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/For-those-that-disable-third-party-apps-but-allow-internal-apps/m-p/181510#M4588 <P>Hiya Alex, (yes, this was just something you didn't know&nbsp;<span class="lia-unicode-emoji" title=":winking_face:">😉</span> and, as always, the tough love is faster to type<span class="lia-unicode-emoji" title=":red_heart:">❤️</span>)</P><P>I assume that "users having access to drive data" is still true?</P><P>It's a fairly safe assumption, unless you have disabled the Drive service.</P><P>So, yes, it's good to know what that button does, but <EM>nothing has changed, or wasn't clear</EM>.</P><P>It's even written exactly there what the setting does allow.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Trust internal apps" style="width: 999px;"><img src="https://www.googleforeducommunity.com/t5/image/serverpage/image-id/5501i77ABBDCC30F71E3D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Skärmavbild 2025-11-11 kl. 16.56.46.png" alt="Skärmavbild 2025-11-11 kl. 16.56.46.png" /></span></P><P>Allowing&nbsp;<EM>internal apps</EM>&nbsp;(there is no such thing as "internal third party apps") lets users develop or use open source scripts (even Google publish such mail merge scripts) to make their life easier. It doesn't change the access those user have to actual content.</P><P>The code they create will not suddenly give them access to other things than what they already have access to.</P><P>***</P><P>Now... if you have a policy that nobody is allowed to send personalised emails with content from their Drive... then you have a case. If not, you just made people's job harder.</P> Tue, 11 Nov 2025 16:07:50 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/For-those-that-disable-third-party-apps-but-allow-internal-apps/m-p/181510#M4588 Kim_Nilsson 2025-11-11T16:07:50Z