Available in open beta: configure third-party apps by select API scopes

What’s changing 

When your users sign in to third-party apps using the “Sign in with Google” option (single sign-on) or use OAuth to share their data with those apps, you can control what access those apps have to your organization’s Google data using app access controls
Admins currently can configure the third-party apps as “Trusted”, giving them access to all OAuth scopes or as “Limited”, giving them access to scopes only from Google services which are not restricted. Beginning today, we’re giving admins another layer of granular control for third-party apps. Specifically, you can now configure apps to be limited by selected OAuth 2.0 Scopes for Google APIs, such as Drive or Gmail scopes. This helps ensure that these apps do not gain additional access without admin consent based on new API scopes that they might request in the future, keeping data access limited to only what is deemed absolutely necessary by admins.

Getting started

Admins: To manage app access, in the Admin console navigate to Security > API Controls > App Access Controls. Visit the Help Center to learn more about controlling which third-party & internal apps access Google Workspace data.

Rollout pace

Availability

Available to all Google Workspace customers, as well as Cloud Identity Free and Premium customers

Resources