Monitor & restrict data access

Note: You must have an Enterprise, Education Standard, or Education PlusGoogle Workspace account to monitor and restrict the data access thatusers grant to Apps Script.

Google Workspace users grant access to levels of data, known as scopes, whenthey run scripts or use apps like add-ons or web apps. This page explains howyou can monitor or revoke the scopes that users grant access to within theirGoogle Workspace account.

Monitor OAuth grant events by scope

To view events where users grant access to a specific scope or scopes, take thefollowing steps:

  1. In the Google Admin console, go to Menu>Security>Security center>Investigation tool.

    Go to Investigation tool

  2. ClickData Source and selectOAuth log events.

  3. ClickAdd condition>Attributeand selectEvent.

  4. ClickEvent and selectGrant.

  5. ClickAdd condition>Attributeand selectScope.

  6. ForScope, enter the scope you want to monitor. For a list of scopes,refer toOAuth 2.0 Scopes for Google APIs.

  7. ClickSearch. A list of grant events displays for the scopes youspecified.

Revoke OAuth grants

Important: After you revoke access to a scope, users can re-grant access. Werecommend that you set up alerts for scopes that you don't want users to grantaccess to so that you can revoke access as needed. Refer toCreate an alertfor OAuth grants.

To revoke access to a scope, follow the steps forMonitor OAuth grant events byscope, then select the events you want to revoke and clickRevoke accesstokens for users.

Create an alert for OAuth grants

To receive an alert when someone grants access to a specific scope, follow thesteps forMonitor OAuth grant events by scope,then take the following steps:

  1. At the top of the search, clickCreate activity rule.
  2. ForRule name, enter a name for the alert.
  3. ClickNext: View Conditions. The conditions automatically populatefrom the search parameters. You can edit them if needed, then clickNext: Add Actions.
  4. InThreshold 1, select a time frame and threshold for the rule and checktheSend to alert center box.
  5. ClickAdd email recipients and enter the email addresses that shouldreceive alerts. ClickDone.
  6. ClickNext: Review.
  7. Review the details and clickCreate Rule

For more information, refer toCreate and manage activity rules.

Restrict access to high-risk OAuth scopes

You can restrict access to most Google Workspace services. For Gmailand Google Drive, you can restrict access to high-risk OAuthscopes while allowing users to give access to OAuth scopes that aren'tclassified as high-risk. If an app requests access to a restricted high-riskOAuth scope, and you haven't specifically trusted the app, users can’t authorizeit.

To restrict access to high-risk OAuth scopes, refer toRestrict or unrestrictGoogle services.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-06-04 UTC.