Stay organized with collections
Save and categorize content based on your preferences.
Google Workspace users grant access to levels of data, known as scopes, when
they run scripts or use apps like add-ons or web apps. This page explains how
you can monitor or revoke the scopes that users grant access to within their
Google Workspace account.
Monitor OAuth grant events by scope
To view events where users grant access to a specific scope or scopes, take the
following steps:
In the Google Admin console, go to Menu
menu>Security>Security center>Investigation tool.
Click Search. A list of grant events displays for the scopes you
specified.
Revoke OAuth grants
Important: After you revoke access to a scope, users can re-grant access. We
recommend that you set up alerts for scopes that you don't want users to grant
access to so that you can revoke access as needed. Refer to Create an alert
for OAuth grants.
To revoke access to a scope, follow the steps for Monitor OAuth grant events by
scope, then select the events you want to revoke and click Revoke access
tokens for users.
Create an alert for OAuth grants
To receive an alert when someone grants access to a specific scope, follow the
steps for Monitor OAuth grant events by scope,
then take the following steps:
At the top of the search, click Create activity rule.
For Rule name, enter a name for the alert.
Click Next: View Conditions. The conditions automatically populate
from the search parameters. You can edit them if needed, then click
Next: Add Actions.
In Threshold 1, select a time frame and threshold for the rule and check
the Send to alert center box.
Click Add email recipients and enter the email addresses that should
receive alerts. Click Done.
You can restrict access to most Google Workspace services. For Gmail
and Google Drive, you can restrict access to high-risk OAuth
scopes while allowing users to give access to OAuth scopes that aren't
classified as high-risk. If an app requests access to a restricted high-risk
OAuth scope, and you haven't specifically trusted the app, users can’t authorize
it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["\u003cp\u003eThis guide explains how Google Workspace admins with specific account types (Enterprise, Education Standard, or Education Plus) can monitor and control the data access users grant to Apps Script.\u003c/p\u003e\n"],["\u003cp\u003eAdmins can monitor OAuth grant events by searching for specific scopes within the Google Admin console's Investigation tool and subsequently revoke those grants if necessary.\u003c/p\u003e\n"],["\u003cp\u003eYou can set up alerts to be notified when users grant access to certain OAuth scopes, allowing for proactive management of data permissions.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Workspace allows for restricting access to high-risk OAuth scopes for enhanced security, especially for Gmail and Google Drive, while still enabling access to lower-risk scopes.\u003c/p\u003e\n"],["\u003cp\u003eAdmins have the ability to create activity rules and manage them to define the conditions under which alerts are triggered and to whom they are sent.\u003c/p\u003e\n"]]],[],null,["# Monitor & restrict data access\n\n| **Note:** You must have an Enterprise, Education Standard, or Education Plus Google Workspace account to monitor and restrict the data access that users grant to Apps Script.\n\nGoogle Workspace users grant access to levels of data, known as scopes, when\nthey run scripts or use apps like add-ons or web apps. This page explains how\nyou can monitor or revoke the scopes that users grant access to within their\nGoogle Workspace account.\n\nMonitor OAuth grant events by scope\n-----------------------------------\n\nTo view events where users grant access to a specific scope or scopes, take the\nfollowing steps:\n\n1. In the Google Admin console, go to Menu\n menu\n \\\u003e **Security**\n \\\u003e **Security center**\n \\\u003e **Investigation tool**.\n\n [Go to Investigation tool](https://admin.google.com/ac/sc/investigation)\n2. Click **Data Source** and select **OAuth log events**.\n\n3. Click **Add condition** \\\u003e **Attribute**\n and select **Event**.\n\n4. Click **Event** and select **Grant**.\n\n5. Click **Add condition** \\\u003e **Attribute**\n and select **Scope**.\n\n6. For **Scope** , enter the scope you want to monitor. For a list of scopes,\n refer to [OAuth 2.0 Scopes for Google APIs](https://developers.google.com/identity/protocols/oauth2/scopes).\n\n7. Click **Search**. A list of grant events displays for the scopes you\n specified.\n\nRevoke OAuth grants\n-------------------\n\n**Important** : After you revoke access to a scope, users can re-grant access. We\nrecommend that you set up alerts for scopes that you don't want users to grant\naccess to so that you can revoke access as needed. Refer to [Create an alert\nfor OAuth grants](#create_an_alert_for_oauth_grants).\n\nTo revoke access to a scope, follow the steps for [Monitor OAuth grant events by\nscope](#monitor_oauth_grant_events_by_scope), then select the events you want to revoke and click **Revoke access\ntokens for users**.\n\nCreate an alert for OAuth grants\n--------------------------------\n\nTo receive an alert when someone grants access to a specific scope, follow the\nsteps for [Monitor OAuth grant events by scope](#monitor_oauth_grant_events_by_scope),\nthen take the following steps:\n\n1. At the top of the search, click **Create activity rule**.\n2. For **Rule name**, enter a name for the alert.\n3. Click **Next: View Conditions** . The conditions automatically populate from the search parameters. You can edit them if needed, then click **Next: Add Actions**.\n4. In **Threshold 1** , select a time frame and threshold for the rule and check the **Send to alert center** box.\n5. Click **Add email recipients** and enter the email addresses that should receive alerts. Click **Done**.\n6. Click **Next: Review**.\n7. Review the details and click **Create Rule**\n\nFor more information, refer to [Create and manage activity rules](https://support.google.com/a/answer/9275024).\n\nRestrict access to high-risk OAuth scopes\n-----------------------------------------\n\nYou can restrict access to most Google Workspace services. For Gmail\nand Google Drive, you can restrict access to high-risk OAuth\nscopes while allowing users to give access to OAuth scopes that aren't\nclassified as high-risk. If an app requests access to a restricted high-risk\nOAuth scope, and you haven't specifically trusted the app, users can't authorize\nit.\n\nTo restrict access to high-risk OAuth scopes, refer to [Restrict or unrestrict\nGoogle services](https://support.google.com/a/answer/7281227#restrictaccess&zippy=%2Cmanage-access-to-google-services-restricted-or-unrestricted%2Cmanage-access-to-apps-trusted-limited-or-blocked%2Cstep-restrict-or-unrestrict-google-services)."]]
