How to Audit Google Workspace OAuth App Permissions
A step-by-step guide to auditing third-party app access in Google Workspace. Find every OAuth grant, identify high-risk scopes, revoke unsanctioned access, and set up ongoing controls.
To audit OAuth app permissions in Google Workspace, navigate to the Google Admin Console at admin.google.com, then go to Security → API Controls → App Access Control. You will see every third-party application authorised by users in your domain, the scopes it holds, and how many users have granted it access. Filter for applications with Gmail, Drive, or Calendar scopes to find the highest-risk grants. Revoke anything you do not recognise or no longer need by clicking the application and selecting "Revoke access."
Why OAuth grants matter for AI governance
When an employee clicks "Sign in with Google" on any third-party application — an AI writing tool, a meeting scheduler, a CRM integration — they authorise that application to access their Google account. Depending on the scopes the application requests, this may mean it can read all their emails, access every file in their Drive, or view all their calendar events.
These grants persist indefinitely. They are not revoked when the employee stops using the tool, when their computer is replaced, or when they leave the company (unless an admin revokes them explicitly). An OAuth audit regularly turns up grants made by employees who left the business years ago — grants that are still active and still giving the third-party application access to data in that former employee's account.
For AI governance specifically, OAuth is the most reliable way to find AI tools in use without IT approval. It does not catch everything (browser extensions use a different permission model), but it catches most SaaS AI tools.
Step-by-step: auditing OAuth grants in Google Workspace
Step 1: Access the Admin Console
Log in to admin.google.com with a Super Admin account. You need Super Admin privileges to see domain-wide OAuth grants. Individual administrators with limited roles may not have access to all of the security controls described here.
Step 2: Navigate to API Controls
In the left-hand menu, go to Security, then API Controls. You will see two main sections: "App Access Control" (which governs which apps users can authorise) and "Domain-wide delegation" (which covers service accounts with admin-granted access). For an OAuth audit, you want App Access Control.
Step 3: Review connected apps
Click Manage Third-Party App Access. This shows a list of every application that has been authorised by at least one user in your domain. For each application you can see: the application name, the number of users who have authorised it, the scopes it has been granted, and whether it is on your approved list (if you have configured one).
Step 4: Filter for high-risk scopes
Use the filter options to focus on applications with sensitive scopes. The scopes to prioritise are:
- Gmail API scopes (gmail.readonly, gmail.modify, mail.google.com) — give read or write access to all email
- Drive API scopes (drive, drive.readonly, drive.file) — give access to Google Drive files
- Calendar API scopes (calendar, calendar.readonly) — give access to calendar events and meeting details
- Contacts/People API scopes — give access to contacts and directory data
- Admin SDK scopes — should only ever be held by explicitly authorised applications; any unexpected entries here are serious
Step 5: Identify and investigate unknown applications
Cross-reference the list against your approved AI tools list. For each application you do not recognise or have not approved: research the application (what does it do, who makes it, what does its privacy policy say about data handling), check how many users have authorised it, and assess what data it can access via the scopes it holds. Prioritise investigation based on scope sensitivity and user count.
Step 6: Revoke unsanctioned access
For applications you decide to revoke: click the application name, select Change access, and choose Blocked. This revokes access for all users who have authorised it and prevents future authorisations. If you want to revoke only specific users rather than all, you can do that from the user detail page in the Admin Console (Users → select user → Security → Third-party access).
Step 7: Set access policy for future authorisations
Under Security → API Controls → App Access Control, configure who can authorise third-party apps. The options range from "allow all apps" to "only trusted apps." For most businesses with an active governance programme, setting this to require admin approval for apps with sensitive scopes is the right balance. You can configure this at the domain level or by organisational unit.
High-risk scope reference
Not all OAuth scopes carry the same risk. Applications that only request openid, email, and profile (used to verify your identity) are low risk — they cannot read your emails or files. Applications that request Gmail or Drive scopes can access far more than the employee intended when they clicked "Allow."
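The scope tiers from Step 4 and the reference above, applied to per-user grant records and ranked the way Step 5 describes (most sensitive tier first, then user count), as an added example that is not the article's or Google's code. It assumes the record shape returned by the Admin SDK Directory API users.tokens.list method (fields clientId, displayText, userKey, scopes); the grants themselves are constructed sample data.

```python
from collections import defaultdict

G = "https://www.googleapis.com/auth/"  # prefix of most Google API scope URIs

# Risk tiers from the article's scope reference (lower rank = more sensitive);
# needles are matched as substrings of the full scope URI.
SCOPE_TIERS = [
    (0, "admin_sdk", (G + "admin.",)),
    (1, "gmail", (G + "gmail.", "https://mail.google.com/")),
    (2, "drive", (G + "drive",)),
    (3, "calendar", (G + "calendar",)),
    (4, "contacts", (G + "contacts", G + "directory.readonly")),
]
# Identity-only scopes verify who the user is; they cannot read mail or files.
IDENTITY_ONLY = {"openid", "email", "profile", G + "userinfo.email", G + "userinfo.profile"}

def scope_tier(scope):
    """Map one scope string to (rank, tier name)."""
    for rank, name, needles in SCOPE_TIERS:
        if any(n in scope for n in needles):
            return rank, name
    return (9, "identity") if scope in IDENTITY_ONLY else (5, "other")

def rank_grants(tokens, approved_client_ids=()):
    """Group per-user token records by app, then order them as Step 5 says:
    most sensitive scope tier first, more users first within a tier."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for t in tokens:  # tokens.list yields one record per (user, app)
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", t["clientId"])
        app["users"].add(t["userKey"])
        app["scopes"].update(t["scopes"])
    rows = []
    for cid, app in apps.items():
        rank, tier = min(scope_tier(s) for s in app["scopes"])  # worst scope wins
        rows.append({"client_id": cid, "app": app["name"], "rank": rank, "tier": tier,
                     "users": len(app["users"]), "approved": cid in approved_client_ids,
                     "scopes": sorted(app["scopes"])})
    return sorted(rows, key=lambda r: (r["rank"], -r["users"]))

def tok(client_id, name, user, *scopes):  # one constructed tokens.list item
    return {"clientId": client_id, "displayText": name, "userKey": user, "scopes": list(scopes)}

SAMPLE_TOKENS = [  # constructed sample grants, not real data
    tok("111.apps.googleusercontent.com", "AI Writing Helper", "alice@example.com", "openid", G + "gmail.readonly"),
    tok("111.apps.googleusercontent.com", "AI Writing Helper", "bob@example.com", "https://mail.google.com/"),
    tok("222.apps.googleusercontent.com", "Meeting Scheduler", "carol@example.com", G + "calendar.readonly"),
    tok("333.apps.googleusercontent.com", "Login-only SaaS", "alice@example.com", "openid", "email", "profile"),
    tok("444.apps.googleusercontent.com", "Unrecognised tool", "dave@example.com", G + "admin.directory.user.readonly"),
]
```

Calling rank_grants(SAMPLE_TOKENS, approved_client_ids={"222.apps.googleusercontent.com"}) puts the Admin SDK grant first, the two-user Gmail app second, and the identity-only login last, with the approved flag telling you which rows still need the Step 5 cross-check.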
How Governably automates this
Governably connects to your Google Workspace environment via admin-level OAuth and automatically pulls your full OAuth grant list, cross-references it against a database of known AI tools and their risk classifications, and surfaces the highest-risk grants as prioritised remediation tasks. You see a clear list of what to review and revoke, without spending time in the Admin Console navigating to the right screens.
Frequently asked questions
Where do I find OAuth app permissions in Google Workspace?
Navigate to the Google Admin Console at admin.google.com, then Security → API Controls → App Access Control. This shows every third-party application authorised by users in your domain, the scopes it holds, and how many users have granted it access.
What are high-risk OAuth scopes in Google Workspace?
The highest-risk scopes grant access to email (Gmail API), calendar events, Drive files, and contacts. An application with gmail.readonly scope can read every email in the authorised user's inbox — including confidential and personal data.
Can I restrict which apps users can authorise in Google Workspace?
Yes. Under Security → API Controls in the Admin Console, you can require admin approval for apps with sensitive scopes, creating an allowlist approach that prevents employees from authorising new AI tools without IT review.
How do I revoke an OAuth grant in Google Workspace?
In Admin Console → Security → API Controls → App Access Control, find the application, click it, and use "Change access" to block it. This revokes access for all users and prevents future authorisations across your domain.