Disabling of third party access

alexgrutza
Contributor III

We're finally getting around to turning off third party apps in our GW. We're starting with restricting Drive (already completed). We have ~50 trusted apps so they retained access to Drive (we're higher ed btw). 

My understanding is that once we restricted the drive access, all untrusted apps lost the Drive scope access. The other scopes for those third party apps (sign-in, etc.) are still unrestricted and have access. We also have it so users can request apps to be approved and we'll need to go through and see if it's viable.

My question is this: I noticed that an app someone requested this morning says "Current users: 3; Requested users: 1." Does that mean the app being requested (the 3 current users) has access to the other Google services (sign-in, etc.) but not Drive?

For example here is the screenshot of the scopes. This app is untrusted.

sign-in: 0/2

other: 1/1 - manage Play Games

Drive: 1/1 - it shows as "Access granted" even though the app is untrusted.


As another piece of information, we have the API setting to allow users over 18 to access any third party app. Does this API setting supersede the Drive restriction setting to only allow trusted apps access?

--
CISSP | LinkedIn | @Phyxiis

alexgrutza
Contributor III

For example, this would seem to show that the apps from before we changed the Drive restrictions still have access. I would have thought the "Accessed Apps" would drop to our 47 trusted apps number...


--
CISSP | LinkedIn | @Phyxiis

I guess it only applies to new connections. All those 800+ apps still have Drive access... so I have to manually block all 800 apps.

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson
Admin Moderator

I always flip the switch, the big one.

https://admin.google.com/ac/owl/settings


Also, I never allow a difference between staff and students.


Nobody is allowed to give unknown third-party services full API access to anything. Admin does it = me.

If I'm being nice, I flip it after I've trusted or added the most important client_ids. Like the first 100 of those with the most usage AND documented to be (legally) allowed, and some that I know are very important for some services, but are perhaps not used by many.

The rest is left to just stop working. If someone truly needs those services you haven't already allowed, they will reach out and ask for it. To be smart, set up such a process before flipping the switch, and tell people about it.

We have a very simple Google Form, where the requester has to fill in a lot of information regarding the service, which a small team then evaluates. Also, only allow requests for access through that one and only process, and bring legal in on it. Regardless of who is asking.

--
https://wheretofind.me/@NoSubstitute

Yeah, so we're initially starting with Drive API access, as that is most critical to us, but will eventually be restricting everything except likely the Google sign-in.

We've trusted what we have security agreements or contracts with, and have been going chunk by chunk performing "Block" then "Limited" via the CSV/bulk upload.

Just setting the service to restricted (Drive in this instance) does not revoke previously given access, hence we have to actually block the service to revoke all tokens (say the app has Drive, Contacts, sign-in), then set it to limited (that same app would then only have Contacts and sign-in after the user re-authenticates).

We too have a form that users can fill out; we would then need to have a meeting with the vendor (if even applicable) to come to a legal agreement with them.

We have the setting for users to also request access to apps, and we will periodically be going through that list along with the form.

--
CISSP | LinkedIn | @Phyxiis
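The point made in this thread is that setting Drive to "restricted" only gates new consent; grants that already exist keep their Drive scope until the app is blocked. Before bulk-blocking 800+ apps, an admin usually wants a list of which untrusted client IDs actually hold a Drive scope today and for how many users. The following is an added example, not code from anyone in the thread or from Google. It assumes token records shaped like the Admin SDK Directory API `tokens.list` response (`clientId`, `displayText`, `scopes`, which are real fields); the sample records, the user addresses, the client IDs and the trusted-app set are constructed, and the `fetch_tokens` helper is only sketched against the real `tokens().list(userKey=...)` call for when you have an authenticated Directory API client.

```python
"""Audit existing OAuth grants for Drive scopes held by untrusted apps.

Added example (not from the thread). Record shape follows the Directory API
tokens.list response; sample data below is constructed for illustration.
"""

# Every Drive scope starts with this prefix (drive, drive.file, drive.appdata,
# drive.readonly, drive.metadata.readonly, ...), so a prefix match catches them all.
DRIVE_SCOPE_PREFIX = "https://www.googleapis.com/auth/drive"

# Constructed: what tokens.list might return for a handful of users, with the
# user's address attached under "user" so grants can be grouped per client ID.
SAMPLE_TOKENS = [
    {"user": "alice@example.edu",
     "clientId": "111111-lms.apps.googleusercontent.com",   # constructed
     "displayText": "Campus LMS",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    {"user": "bob@example.edu",
     "clientId": "222222-games.apps.googleusercontent.com", # constructed
     "displayText": "Mobile game",
     "scopes": ["openid", "https://www.googleapis.com/auth/games",
                "https://www.googleapis.com/auth/drive.appdata"]},
    {"user": "carol@example.edu",
     "clientId": "222222-games.apps.googleusercontent.com",
     "displayText": "Mobile game",
     "scopes": ["openid", "https://www.googleapis.com/auth/games",
                "https://www.googleapis.com/auth/drive.appdata"]},
    {"user": "dave@example.edu",
     "clientId": "333333-signin.apps.googleusercontent.com", # constructed
     "displayText": "Sign-in only app",
     "scopes": ["openid", "email", "profile"]},
]

# Constructed: the client IDs the org has marked Trusted in the admin console.
TRUSTED_CLIENT_IDS = {"111111-lms.apps.googleusercontent.com"}


def has_drive_scope(scopes):
    """True if any granted scope is a Drive scope."""
    return any(s.startswith(DRIVE_SCOPE_PREFIX) for s in scopes)


def untrusted_drive_grants(tokens, trusted_client_ids):
    """Group existing grants by client ID, keeping only untrusted apps that hold Drive.

    Returns {clientId: {"displayText": str, "users": set, "drive_scopes": set}}.
    These are the apps a "restricted" Drive setting leaves untouched until blocked.
    """
    grants = {}
    for tok in tokens:
        scopes = tok.get("scopes", [])
        if tok["clientId"] in trusted_client_ids or not has_drive_scope(scopes):
            continue
        entry = grants.setdefault(tok["clientId"], {
            "displayText": tok.get("displayText", ""),
            "users": set(),
            "drive_scopes": set(),
        })
        entry["users"].add(tok["user"])
        entry["drive_scopes"].update(s for s in scopes if s.startswith(DRIVE_SCOPE_PREFIX))
    return grants


def render_report(grants):
    """Plain-text summary, most-used apps first, for the block/limit worklist."""
    lines = []
    for cid, info in sorted(grants.items(), key=lambda kv: -len(kv[1]["users"])):
        lines.append(f"{cid} ({info['displayText']}): {len(info['users'])} user(s)")
        for scope in sorted(info["drive_scopes"]):
            lines.append(f"    {scope}")
    return "\n".join(lines)


def fetch_tokens(service, user_emails):
    """Pull live records with the Directory API (not run here).

    `service` is an authenticated googleapiclient resource for admin directory_v1;
    tokens.list is called once per user and the address is attached under "user".
    """
    records = []
    for email in user_emails:
        resp = service.tokens().list(userKey=email).execute()
        for item in resp.get("items", []):
            item["user"] = email
            records.append(item)
    return records


if __name__ == "__main__":
    print(render_report(untrusted_drive_grants(SAMPLE_TOKENS, TRUSTED_CLIENT_IDS)))
```

Feed the resulting client IDs into the block-then-limited bulk upload described above; apps that show up with Drive scopes but only sign-in or Contacts in their declared use are the ones whose users will need to re-authenticate afterwards.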