What’s changing 

You can now block all third-party API access to Google Workspace data with a new setting. This compliments other available OAuth settings which help you control which third-party & internal apps access Google Workspace data. 

When selected, all third-party apps are denied access to Workspace and end user data, blocking all OAuth 2.0 scopes. This also means that users cannot use their Google Workspace accounts to sign into third-party apps and websites. 

Who’s impacted 

Admins and end users

Why it’s important 

This new setting adds another layer of protection over your Workspace and end user data. Not every third party application has robust security measures in place or conforms to your security policy — by restricting third-party APIs from requesting sensitive information, such as login or email scopes, you can ensure your data and user data stays secure.

When all third party API access is blocked, an app will not be able to access any Workspace user date, across web and mobile. If users try to authorize an untrusted app, they’ll see an authorization error message. Admins can customize this error message if they choose.

Getting started 

• Admins: This feature will be OFF by default and can be enabled in the Admin console by going to Security > API controls and selecting “Block all third-party API Access”. Visit the Help Center to learn more about blocking all third-party API access or controlling which third-party & internal apps access Google Workspace data.
  
  
• End users: There is no end user setting for this feature. You’ll receive an authorization error if you try to use your Google Workspace account to access an unauthorized application.

Rollout pace