
How to Audit Third-Party OAuth App Permissions in Google Workspace

by Ann Conte, IT Technical Writer

While useful and convenient, OAuth-based third-party app integrations in your Google Workspace can present security risks if left unchecked. Performing a Google OAuth permission review regularly is essential in ensuring that your organization and client data remain safe and protected.

Regularly auditing which applications have access to your Google Workspace helps prevent unauthorized data access and limits how far an attacker can move if one integration is compromised. It also surfaces unused applications that still hold broad, high-risk scopes, and it produces the evidence that compliance frameworks such as HIPAA, SOC 2 and ISO 27001 expect for third-party access reviews.

Different ways to create an OAuth token audit log

The most efficient way to audit and remove Google third-party app tokens is through the Google Admin Console. Administrators can also export app access details using command-line and PowerShell tools.

📌 Prerequisites:

  • You will need a Google Workspace Super Admin account, or a delegated admin role that includes the Reports and Security privileges.
  • Access to the Google Admin Console or the Google Workspace Admin SDK (Reports API) is required.
  • PowerShell 7+ is used for the API export in Method 2, together with an OAuth 2.0 access token that carries the https://www.googleapis.com/auth/admin.reports.audit.readonly scope.
  • Optional: a Google Cloud project with the Admin SDK API enabled (needed to create the credentials that GAM or a direct API call authenticates with)
  • Optional: NinjaOne or another RMM tool to tag, monitor, and report device and user app usage

📌 Methods covered in this guide (Method 1 is the quickest for a single admin; Methods 2 to 4 scale to enterprise reporting):
Method 1: Use Google Admin Console to audit OAuth apps
Method 2: Export app access details using Google Workspace Reports API
Method 3: Identify and remove risky or inactive apps
Method 4: Tag or log OAuth app findings in Registry (For RMM visibility)

Method 1: Use Google Admin Console to audit OAuth apps

  1. Open your preferred browser.
  2. Go to admin.google.com.
  3. Navigate to Security > Access and data control > API controls, then under App access control click Manage Third-Party App Access.
  4. View the list of third-party apps that have been granted access to your Google Workspace data, along with each app's current access setting (Trusted, Limited or Blocked).
  5. Open an app to review the OAuth scopes it has been granted and which users authorized it.
  6. Identify the applications with sensitive scopes. Here are some things to look out for:
    • Applications with broad Gmail access: https://mail.google.com/ (full mailbox control) or gmail.modify (read, send and delete mail). gmail.compose on its own only allows creating drafts and sending, not reading.
    • Applications with full Drive access (https://www.googleapis.com/auth/drive), which includes changing sharing settings. drive.file is far narrower: it only covers files the app created or the user opened with it.
    • Applications that use Admin SDK scopes such as admin.directory.user (create and modify accounts) or admin.directory.user.readonly (enumerate every user in the directory).

Method 2: Export app access details using Google Workspace Reports API

Option 1: Using Google Apps Manager (GAM)

GAM (Google Apps Manager) is an open-source command-line tool that administers Google Workspace through its APIs, including the Reports API that holds the token audit log.

💡Note: GAM needs API access to your domain. In the Google Admin Console, go to Security > Access and data control > API controls, confirm that API access is enabled for your domain, and save your changes.

  1. Open the Start Menu and search for Command Prompt.
  2. Right-click Command Prompt > Run as administrator.
  3. Type gam and press Enter to confirm GAM runs. On first use, follow GAM's setup commands (gam create project, then gam oauth create) to create a Google Cloud project and authorize GAM against your admin account.
  4. Type gam report tokens and press Enter. This lists the token audit events for your domain, one row per event, with:
    • Event type (authorize, revoke or activity) and its timestamp
    • User it's authorized under
    • App name
    • Client ID
    • OAuth scopes (on authorize and revoke events)
  5. To export the data into a CSV file, type gam report tokens > oauth_tokens.csv and press Enter. To list the grants a single user currently holds rather than the event history, use gam user <email> show tokens.

Option 2: Use Windows PowerShell to call the Reports API directly

📌 Prerequisite: an OAuth 2.0 access token for an admin account that includes the https://www.googleapis.com/auth/admin.reports.audit.readonly scope (for example, one issued to a Google Cloud OAuth client, or to a service account with domain-wide delegation). Invoke-RestMethod is built into PowerShell, so no Google client library needs to be installed.

  1. Open the Start Menu and search for Windows PowerShell.
  2. Right-click Windows PowerShell > Run as administrator.
  3. This is a sample script you can run; it calls the Reports API activities endpoint for the token application and saves the JSON response:

$token = "<access_token>"   # replace with the access token for your admin account
$uri = "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token"
$response = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }
$response | ConvertTo-Json -Depth 10 | Set-Content -Path "token_events.json"

Replace <access_token> with the access token for your account. The response is paged: if it contains a nextPageToken value, repeat the request with ?pageToken=<value> appended to the URI until no token is returned. Each item carries the user (actor.email), the event time (id.time) and, in its events list, parameters such as client_id, app_name and the multi-valued scope.

Method 3: Identify and remove risky or inactive apps

  1. Open your preferred browser.
  2. Go to admin.google.com.
  3. Navigate to this location: Security > Access and data control > API controls > App access control.
  4. Click on each third-party application and review the scopes it has been granted and which users authorized it. Cross-check against the token events from Method 2: a grant with no activity events for months is a candidate for removal.
  5. Block applications that don't comply with your organization's security policies. To block an application, select it, click Change access and choose Blocked. Users can then no longer authorize the app within the organizational unit or group the setting applies to.
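The token events that Method 2 exports arrive as JSON, one item per authorize, revoke or activity event, so the app-by-app review in Methods 1 and 3 still needs that list reduced to one row per grant with the scope and inactivity checks applied. The script below does exactly that offline. It is an added example written for this article, not code from GAM, Google or NinjaOne. It assumes the Reports API response shape for applicationName=token (actor.email, id.time, and client_id, app_name and multi-valued scope parameters); SAMPLE_REPORT, its users and client IDs, and the 90-day inactivity threshold are constructed for the demonstration.

```python
"""Offline triage of Google Workspace OAuth token audit events (added example).

Illustrative code added to the article, not GAM's or Google's own code. Input is
the JSON that the Reports API activities.list call returns for
applicationName=token. SAMPLE_REPORT is constructed by hand to mirror that
shape; it is not data from a real tenant.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Scopes the article calls out as sensitive, mapped to a label for the report.
# Assumed starting policy; extend it with your organization's own rules.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "Gmail read/write",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "Directory write",
    "https://www.googleapis.com/auth/admin.directory.user.readonly": "Directory read",
}


def _evt(time, user, name, client_id, app_name, scopes=None):
    """Build one activities.list item the way the API shapes it (sample helper)."""
    params = [{"name": "client_id", "value": client_id}, {"name": "app_name", "value": app_name}]
    if scopes:
        params.append({"name": "scope", "multiValue": scopes})
    return {"id": {"time": time, "applicationName": "token"}, "actor": {"email": user},
            "events": [{"type": "auth", "name": name, "parameters": params}]}


# Constructed sample, newest first as the API returns it: three users, three grants.
GMAIL = "https://www.googleapis.com/auth/gmail.modify"
SAMPLE_REPORT = {"kind": "admin#reports#activities", "items": [
    _evt("2024-05-30T08:12:00.000Z", "bob@example.com", "activity", "2222-def.apps.googleusercontent.com", "Calendar Sync"),
    _evt("2024-05-20T10:00:00.000Z", "bob@example.com", "authorize", "2222-def.apps.googleusercontent.com", "Calendar Sync",
         ["https://www.googleapis.com/auth/calendar.readonly"]),
    _evt("2024-02-01T14:30:00.000Z", "carol@example.com", "revoke", "3333-ghi.apps.googleusercontent.com", "Legacy Backup"),
    _evt("2024-01-15T16:45:00.000Z", "alice@example.com", "activity", "1111-abc.apps.googleusercontent.com", "Mail Merge Helper"),
    _evt("2024-01-10T09:00:00.000Z", "alice@example.com", "authorize", "1111-abc.apps.googleusercontent.com", "Mail Merge Helper",
         [GMAIL, "https://www.googleapis.com/auth/userinfo.email"]),
    _evt("2023-12-01T11:00:00.000Z", "carol@example.com", "authorize", "3333-ghi.apps.googleusercontent.com", "Legacy Backup",
         ["https://www.googleapis.com/auth/drive"]),
]}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # "today" for the sample run


def _params(event):
    """Flatten an event's parameter list into {name: value or list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def _ts(rfc3339):
    """Parse the API's RFC 3339 timestamps (e.g. 2024-01-10T09:00:00.000Z) as UTC."""
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))


def load_report(path):
    """Read a saved activities.list response, such as token_events.json from Method 2."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_grant_inventory(report, as_of, inactive_days=90):
    """Reduce token events to one row per (user, client_id) grant with findings.

    Events are replayed oldest-first: authorize adds scopes, revoke retires the
    grant, activity advances last_used. A live grant is flagged when it holds a
    scope in SENSITIVE_SCOPES or has not been used for more than inactive_days.
    """
    grants = {}
    for item in sorted(report.get("items", []), key=lambda i: _ts(i["id"]["time"])):
        user, when = item["actor"]["email"], _ts(item["id"]["time"])
        for ev in item.get("events", []):
            p = _params(ev)
            g = grants.setdefault((user, p["client_id"]), {
                "user": user, "app_name": p.get("app_name", ""), "client_id": p["client_id"],
                "scopes": set(), "authorized": None, "last_used": None, "revoked": False})
            if ev["name"] == "authorize":
                g["scopes"].update(p.get("scope", []))
                g["authorized"], g["revoked"] = when, False
            elif ev["name"] == "revoke":
                g["revoked"] = True
            elif ev["name"] == "activity":
                g["last_used"] = when
    rows = []
    for g in grants.values():
        findings = []
        if g["revoked"]:
            findings.append("revoked")
        else:
            hits = sorted(SENSITIVE_SCOPES[s] for s in g["scopes"] if s in SENSITIVE_SCOPES)
            if hits:
                findings.append("sensitive: " + ", ".join(hits))
            last_seen = g["last_used"] or g["authorized"]  # never-used grants age from consent
            if last_seen and as_of - last_seen > timedelta(days=inactive_days):
                findings.append(f"inactive >{inactive_days}d")
        rows.append({"user": g["user"], "app_name": g["app_name"], "client_id": g["client_id"],
                     "scopes": " ".join(sorted(g["scopes"])),
                     "authorized": g["authorized"].isoformat() if g["authorized"] else "",
                     "last_used": g["last_used"].isoformat() if g["last_used"] else "",
                     "revoked": g["revoked"], "findings": "; ".join(findings)})
    return sorted(rows, key=lambda r: (r["user"], r["app_name"]))


def to_csv(rows):
    """Render rows as CSV text for a ticket, a spreadsheet or an RMM import."""
    buf = io.StringIO()
    fields = ["user", "app_name", "client_id", "scopes", "authorized", "last_used", "revoked", "findings"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def audit_sample():
    """Run the triage over the constructed sample as of AS_OF."""
    return build_grant_inventory(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    print(to_csv(audit_sample()))
```

On real data, replace SAMPLE_REPORT with load_report("token_events.json") and pass datetime.now(timezone.utc) as as_of; if the export spanned several pages, concatenate the items lists first. Because the token log is only retained for a limited window, an activity-only grant whose authorize event has aged out still shows up with its scopes empty, which is itself worth a look in Manage Third-Party App Access.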

Method 4: Tag or log OAuth app findings in Registry (for RMM visibility)

You can record information regarding your app permission audit in the Windows Registry and use your RMM tool to track, verify, and update the data.

  1. Open the Start Menu and search for Windows PowerShell.
  2. Right-click Windows PowerShell > Run as administrator.
  3. Type these commands and press Enter after each (Org is a placeholder for your organization's key name):

New-Item -Path "HKLM:\SOFTWARE\Org\OAuthAudit" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\OAuthAudit" -Name "LastAuditDate" -Value (Get-Date).ToString("u")
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\OAuthAudit" -Name "FlaggedApps" -Value "Dropbox, SlackBot"

  4. To verify the information in the Registry keys, open Command Prompt with elevated permissions.
  5. Type this command and press Enter:

reg query HKLM\SOFTWARE\Org\OAuthAudit

⚠️ Troubleshooting/Things to look out for

Issue: The application reappears even after you blocked its access.
Potential consequence: The application will still have access to data you don't want it to have.
Fix: Check that you blocked every client ID the app uses (some apps register several) and that the block applies to the affected user's organizational unit. Remove any remaining per-user grants under Directory > Users > select the user > Security > Connected applications.

Issue: Data is missing in Google Apps Manager.
Potential consequence: You won't have accurate data for your third-party app permission audit.
Fix: Make sure the Admin SDK API is enabled in the Google Cloud project GAM authenticates with, and that the account GAM runs as has the Reports privilege (a super admin, or a delegated admin role that includes it).

Issue: There are no OAuth logs.
Potential consequence: You won't be able to perform the third-party app audit.
Fix: Token events are recorded automatically, with no feature to switch on, but they are only kept for a limited retention window (six months for this log at the time of writing). Check Reporting > Audit and investigation > OAuth log events with a wider date range, confirm your account can view audit reports, and export regularly so older events aren't lost.

Issue: You cannot find the token cache.
Potential consequence: You won't be able to perform the third-party app audit.
Fix: Third-party OAuth grants are stored by Google, not on the endpoint or in the browser, so there is no local cache to inspect. The authoritative list is Manage Third-Party App Access in the Admin Console (or the Reports API token events); the Registry entries from Method 4 are only your own audit notes.

Additional considerations when creating an OAuth token audit log

  • Refresh tokens granted to third-party apps do not expire on a schedule. Google revokes them only on explicit revocation, after roughly six months without use, or in some cases when the user changes their password. If you no longer want an application to access Google Workspace, you have to actively revoke or block it.
  • An application can ask for additional scopes later through incremental authorization. The user sees a new consent prompt, but administrators are not alerted, so an app approved with narrow scopes can end up holding broad ones. Audit regularly and compare each app's scopes against what your security policy allows.
  • End users may accept app scopes and permissions without understanding the risks. Restricting which apps can be authorized (Limited or Blocked access in API controls) reduces the chance of an over-privileged grant; regular audits catch the ones that slip through.
  • Applications holding a refresh token obtain new access tokens silently, with no prompt to the user. Uninstalling a client from a device does not revoke the grant; block the app or revoke the token at the admin level.

NinjaOne services to help audit the permissions of Google third-party apps

NinjaOne can assist IT administrators when auditing the permissions of Google third-party apps in Google Workspace by:

  • Tagging devices with OAuth tokens or related Registry keys
  • Deploying scripts that can identify Google token artifacts on your endpoints
  • Alerting administrators if there are high-risk applications found on user profiles or credential stores
  • Performing a Registry scan and reporting the application footprint of each device and user
  • Automating remediation, such as removing local application clients or clearing stored tokens when necessary

Protect your organization’s data by auditing third-party OAuth permissions regularly

Auditing third-party OAuth permissions in Google Workspace is a critical part of maintaining cloud security hygiene. It ensures that no application has more permissions than necessary and protects your organization and client data from security breaches.
