8 OAuth app access control / allowlisting
By default any user can grant a third-party app OAuth scopes over their Workspace data, and the grant survives password resets. This control inverts the default: unconfigured apps are blocked, and every app holding a Workspace scope is explicitly Trusted, Limited, Specific Google data, or Blocked, with access requests worked from the shared 'Apps pending review' queue. It also covers the domain-wide delegation table, where a client ID impersonates users with no user consent at all — the highest-value list in the tenant.
Caveats
Setup steps
- open ↗

https://admin.google.com/ac/owl · captured 2026-07-15
Security › Access and data control › API controls- Unconfigured third-party apps
Don't allow users to access any third-party apps
- open ↗

https://admin.google.com/ac/owl/list?tab=configuredApps · captured 2026-07-15
Security › Access and data control › API controls › App access controlPer app: Trusted (all scopes) only for apps with an owner and a business case; everything else = Blocked
- open ↗

https://admin.google.com/ac/owl/settings · captured 2026-07-15
Security › Access and data control › API controls › App access controlAllow users to request access to unconfigured third-party apps = On (with the 'Apps pending review' queue actively monitored) or Off
- open ↗

https://admin.google.com/ac/owl/domainwidedelegation · captured 2026-07-15
Security › Access and data control › API controls › Manage Domain Wide DelegationRemove every client ID you cannot attribute to a current, owned integration; narrow remaining scopes to the minimum
Ongoing maintenance
- requires a human Weekly: review newly requested/configured apps and their scopes before approving.
- automatable: AI agent Weekly: scan the configured-apps list for scope creep on already-approved clients.
How to verify
From a test account, authorise a random unconfigured third-party app against Drive scopes — the consent should be refused with the admin-configured message.
Confirm no wide-open default remains: API controls should show unconfigured third-party apps = blocked (or restricted).
v0.0.3Prevent policy #19 · #37 ↗