For those that disable third party apps but allow internal apps

alexgrutza
Contributor III

We identified something that was new to us but maybe others already knew this. 

  • We have GCP disabled within our Google Workspace environment for all users except a few who need it
  • We have Apps Script enabled by default - something that may change in the future
  • We have the Google Drive service within the API Third Party area set to "Restricted" - so only trusted apps can access that service's data
  • Before yesterday, we had the "internal third party apps are trusted" setting enabled
  • We noticed that users were still using mail merge applications that had access to Drive data, which we had not "trusted"
  • On further investigation, we found that Apps Script has the ability to create hidden projects within GCP regardless of whether the GCP service is on or off within Workspace
  • So users had set up an Apps Script mail merge third party app (which was really just a user-initiated internal app using Apps Script), which then provided access to Drive data - the reason being that "trust internal apps" was checked
  • We unchecked "trust internal apps" and then had to "block" and then "limit", in bulk, the list of "internal" apps

This may be common sense or already known, but it was new to us since the blocking of third party apps is relatively new. So consider this: Google services (Apps Script) and other Google services (GCP), along with a misunderstanding of "trust internal apps", led to users still having access to Drive data.

--
CISSP | LinkedIn | @Phyxiis
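One check worth running after turning "Trust internal apps" off is to enumerate the OAuth grants users have actually authorised and list which client IDs still hold a Drive data scope. The script below is an added example for that check; it is not code from this thread or from Google. It assumes grant records shaped like the Admin SDK Directory API `tokens.list` resource (userKey, clientId, displayText, scopes); the sample grants, the client IDs and the allowlist are constructed for illustration.

```python
"""Audit OAuth grants for apps that still hold Drive data scopes.

Added example for the scenario in the post above, not code from the thread
or from Google. Grant records mirror the fields of the Admin SDK Directory
API `tokens.list` resource (userKey, clientId, displayText, scopes); the
sample grants and client IDs below are constructed and hypothetical.
"""
from dataclasses import dataclass

# Drive scopes that reach all of a user's Drive content. The narrower
# drive.file / drive.appdata scopes only reach files the app created or the
# user explicitly opened with it, so they are not treated as broad here.
BROAD_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
}
DRIVE_SCOPE_PREFIX = "https://www.googleapis.com/auth/drive"

# Assumption: the admin keeps the client IDs that were reviewed and marked
# "Trusted" under API controls in an allowlist. Hypothetical value.
TRUSTED_CLIENT_IDS = {"111111111111-reviewed-vendor.apps.googleusercontent.com"}


@dataclass(frozen=True)
class Grant:
    user_key: str
    client_id: str
    display_text: str
    scopes: tuple[str, ...]


def drive_scopes(grant: Grant) -> set[str]:
    """All Drive-family scopes in the grant, broad or narrow."""
    return {s for s in grant.scopes if s.startswith(DRIVE_SCOPE_PREFIX)}


def has_broad_drive_access(grant: Grant) -> bool:
    return bool(drive_scopes(grant) & BROAD_DRIVE_SCOPES)


def audit(grants, trusted=TRUSTED_CLIENT_IDS):
    """Group grants by client and return the apps that are NOT on the trusted
    allowlist yet hold a broad Drive scope for at least one user.

    Result: list of dicts sorted by number of affected users, descending.
    """
    by_client: dict[str, dict] = {}
    for g in grants:
        if g.client_id in trusted or not has_broad_drive_access(g):
            continue
        entry = by_client.setdefault(
            g.client_id,
            {"client_id": g.client_id, "display_text": g.display_text,
             "users": set(), "broad_scopes": set()},
        )
        entry["users"].add(g.user_key)
        entry["broad_scopes"].update(drive_scopes(g) & BROAD_DRIVE_SCOPES)
    findings = [
        {**e, "users": sorted(e["users"]), "broad_scopes": sorted(e["broad_scopes"])}
        for e in by_client.values()
    ]
    return sorted(findings, key=lambda e: (-len(e["users"]), e["client_id"]))


# Constructed sample grants (not real data). The first two model what the
# post describes: a user-authorised Apps Script mail merge whose GCP project
# client ID nobody reviewed, holding full Drive access.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "222222222222-mailmerge.apps.googleusercontent.com",
          "Mail Merge (Apps Script)",
          ("https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/gmail.send",
           "https://www.googleapis.com/auth/spreadsheets")),
    Grant("bob@example.com", "222222222222-mailmerge.apps.googleusercontent.com",
          "Mail Merge (Apps Script)",
          ("https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/gmail.send")),
    # Reviewed vendor app: broad scope, but on the allowlist.
    Grant("carol@example.com", "111111111111-reviewed-vendor.apps.googleusercontent.com",
          "Reviewed Vendor", ("https://www.googleapis.com/auth/drive.readonly",)),
    # drive.file only: cannot enumerate the user's Drive, so not flagged.
    Grant("dave@example.com", "333333333333-notes.apps.googleusercontent.com",
          "Notes Add-on", ("https://www.googleapis.com/auth/drive.file",)),
    Grant("erin@example.com", "444444444444-cal.apps.googleusercontent.com",
          "Calendar Helper", ("https://www.googleapis.com/auth/calendar",)),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f['display_text']} ({f['client_id']}): "
              f"{len(f['users'])} user(s), scopes {f['broad_scopes']}")
```

To run this against a real tenant, the grants would come from the Directory API, one `tokens.list` call per user (`service.tokens().list(userKey=user).execute()` with the google-api-python-client, under an admin credential that has the `admin.directory.user.security` scope); the client IDs it reports are what you then look up, block or limit under API controls.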

Kim_Nilsson
Admin Moderator

Hiya Alex, (yes, this was just something you didn't know 😉 and, as always, the tough love is faster to type❤️)

I assume that "users having access to drive data" is still true?

It's a fairly safe assumption, unless you have disabled the Drive service.

So, yes, it's good to know what that button does, but nothing has changed, or wasn't clear.

It's even written exactly there what the setting does allow.

[Screenshot 2025-11-11 16.56.46: the setting's own description text]

Allowing internal apps (there is no such thing as "internal third party apps") lets users develop or use open-source scripts (even Google publishes such mail merge scripts) to make their lives easier. It doesn't change the access those users have to actual content.

The code they create will not suddenly give them access to other things than what they already have access to.

***

Now... if you have a policy that nobody is allowed to send personalised emails with content from their Drive... then you have a case. If not, you just made people's job harder.

--
https://wheretofind.me/@NoSubstitute