As a Google Workspace for Education administrator, balancing user productivity with strict data security is a constant challenge. Previously, when users connected third-party applications to their institutional accounts, those apps often requested broad, all-or-nothing access to Google data.
To give you more granular control, the Configure third-party apps by selecting API scopes feature allows administrators to restrict third-party applications to only the specific OAuth scopes required for their educational utility. Instead of blindly accepting an app's default developer requests, you can now curate exactly what data an app can and cannot see, significantly reducing your institution's attack surface.
What You Will Learn
By the end of this guide, you will understand:
Our recommendation for rolling out this featureÂ
The specific requirements needed to deploy this feature
How to configure specific API scopes for third-party apps in your Google Admin consoleÂ
How this changes the end-user authorization experience
Recommendation
To successfully roll out this feature, we recommend evaluating your app management and examining how your ecosystem's data permissions change, adapt, and accumulate over time.
- The Present (Granular Intervention): Apply this feature to newly requested or high-risk apps immediately. Move away from a binary Trust/Block mindset to a Trust with Minimum Privilege approach.
- The Future (Continuous Lifecycle Management): Treat app permissions as a living configuration. As third-party developers update their apps over time, periodically revisit your Admin Console to ensure their active scopes still align with your institution's evolving compliance guidelines.
Prerequisites & Supported Platforms
Before configuring this setting, ensure your environment meets the following criteria:
- Supported Workspace Editions: Education Fundamentals, Education Standard, Teaching & Learning Upgrade, Education Plus.
- Supported Platforms: ChromeOS, Chrome for Desktop, Chrome for Android, Chrome for iOS.
Configuration Settings
Security > Access and data control > API controls > App Access Control > [select app] > Access to Google Data
- Setting Name: Specific Google data
- Setting Values: Varies by app (Admin-selected OAuth scopes)
-
Google Default Setting: Not set. (By default, apps will automatically request all developer-specified scopes unless you intervene).
How It Works
Step-by-Step Admin Setup
- Log into your Google Admin Console.
- Navigate to the App Access Control path listed above.
- Select the third-party application you wish to configure (or add a new one via its OAuth Client ID).
- Under the app's permission settings, locate the Specific Google data configuration.
- Click the # scopes to review the list of OAuth scopes the developer has requested.
- Uncheck or restrict the scopes that are unnecessary for your school’s use case, and save your changes.
The End-User Experience
When a student or teacher attempts to log into the third-party app using their school Google account, Google checks your admin configuration in real time:
- If an app requests an approved scope: The user is prompted to allow access normally.
- If an app requests a restricted scope: The user will see a clear message indicating that their administrator has disabled that specific data permission, preventing the over-sharing of institutional data while still allowing the core app to function if possible.
Comments
Please sign in to leave a comment.