Protecting Google Data via API Controls
- Brady Woudstra

- 2 days ago
If you’re using Google Workspace, there’s a security setting that most organizations never review, and it directly controls who can connect third-party apps to your company data.
It’s the control behind the “Sign in with Google” option that almost all web (SaaS) apps offer for Google sign-ons.
Unfortunately, that simple button can quietly open the door to:
- External SaaS accounts tied to your company identity
- Access to Google Drive files
- Access to Gmail inboxes
- Access to contacts and calendar data
If left unmanaged, this becomes what’s often called Shadow IT.
The good news? Google gives you control.
Why This Setting Matters
When an employee clicks “Sign in with Google,” they are using OAuth (which is a trusted authentication method).
The challenge is who decides what gets connected to your data.
Without guardrails:
- Staff can unknowingly grant full Drive access to your SaaS tools
- Departed employees may leave behind unmanaged SaaS accounts
- You lose visibility into your true data exposure
For regulated industries (CPA firms, healthcare, legal, financial services), this becomes a compliance and data governance concern quickly.
Inside the Google Admin Console, you’ll find app access control settings with two main protective options.
The Security Control You Should Review Today
Option 1: Allow Sign-Ins, but Require Admin Approval for Data Access
With this setting:
- Users can create accounts using “Sign in with Google”
- BUT if the app requests access to Gmail, Drive, Calendar, or Contacts, it must be approved by an admin

Security impact: You maintain control over company data, even if users experiment with new SaaS tools.
For most organizations, this is what we recommend. It balances usability with data governance controls.
Option 2: Require Admin Approval for All “Sign in with Google” Apps
This is the more locked-down approach.
With this setting:
- Users cannot use “Sign in with Google” at all without admin approval
- No SaaS account can be created using company identity unless reviewed

Security impact: You eliminate uncontrolled SaaS sprawl and maintain centralized identity governance.
This is ideal for:
- CPA firms
- Healthcare providers
- Legal offices
- Organizations handling confidential client information
Here are a few screenshots showing how to access the controls via the Admin Console (admin.google.com).




A Practical Recommendation
For most small to mid-sized businesses:
- At minimum, require admin approval for apps requesting Google data
- Periodically review connected OAuth applications
- Consider full sign-in approval requirements if you operate in regulated industries
This is a small configuration change with meaningful impact.
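As an added example (not part of the original post), here is one way to run the periodic review of connected OAuth applications: it separates sign-in-only grants from grants that reach Gmail, Drive, Calendar, or Contacts, the same distinction Option 1 draws. The records use the field names of the Admin SDK Directory API Token resource; the apps, users, client IDs, and the scope-prefix mapping are constructed assumptions.

```python
from collections import defaultdict

# Scope prefixes for the four data services the post names. Prefix matching
# also catches narrower variants such as drive.readonly or gmail.send.
DATA_SCOPE_PREFIXES = {
    "Gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail"),
    "Drive": ("https://www.googleapis.com/auth/drive",),
    "Calendar": ("https://www.googleapis.com/auth/calendar",),
    "Contacts": ("https://www.googleapis.com/auth/contacts",
                 "https://www.google.com/m8/feeds"),
}

def services_for(scopes):
    """Return the sorted data services a list of granted scopes can reach."""
    return sorted(svc for svc, prefixes in DATA_SCOPE_PREFIXES.items()
                  if any(s.startswith(prefixes) for s in scopes))

def review(tokens):
    """Group grants by OAuth client ID; split sign-in-only from data access."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "services": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]  # display names are not unique; client IDs are
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        app["services"].update(services_for(tok.get("scopes", [])))
    data_access = {cid: a for cid, a in apps.items() if a["services"]}
    sign_in_only = sorted(cid for cid, a in apps.items() if not a["services"])
    return data_access, sign_in_only

# Constructed sample grants (hypothetical apps, users and client IDs), using
# the field names of the Admin SDK Directory API Token resource.
SAMPLE_TOKENS = [
    {"clientId": "notes.example", "userKey": "ana@example.com", "displayText": "NotesApp",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "pdf.example", "userKey": "ana@example.com", "displayText": "PDF Helper",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "pdf.example", "userKey": "raj@example.com", "displayText": "PDF Helper",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"clientId": "sched.example", "userKey": "raj@example.com", "displayText": "MeetSched",
     "scopes": ["email", "https://www.googleapis.com/auth/calendar.events"]},
]

if __name__ == "__main__":
    data_access, sign_in_only = review(SAMPLE_TOKENS)
    for cid, app in sorted(data_access.items()):
        print(f"REVIEW {app['name']} ({cid}): {sorted(app['services'])} "
              f"granted by {sorted(app['users'])}")
    print("sign-in only:", sign_in_only)
```

Apps listed under REVIEW are the ones an admin would need to approve under Option 1; the sign-in-only list is what Option 2 would additionally gate.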
Final Thought
Cybersecurity isn’t always about buying new tools.
Sometimes it’s about reviewing the settings in the tools you already own. Google Workspace has powerful protections built in, but only if you enable them intentionally.
If you’d like help reviewing your Google Workspace security posture, you can schedule a conversation here: Schedule a free consultation


