Restrict third-party OAuth apps in Google Workspace while keeping Secureframe connected

Written by Brady Price

Google Workspace admins can prevent users from granting third-party OAuth apps broad access to your organization's data (Drive, Gmail, Calendar, Directory). This is a strong mitigation against token-theft attacks like the Vercel incident. Secureframe recommends enabling this restriction. The steps below also trust Secureframe's own apps so your Secureframe integration keeps working.

Step 1 - Trust Secureframe's OAuth apps

Do this first, before tightening the default policy. Otherwise Secureframe connections may break.

  1. Sign in to admin.google.com as a super admin.

  2. In the left navigation, go to Security → Access and data control → API controls.

  3. Click MANAGE THIRD-PARTY APP ACCESS.

  4. Click Configure new app → OAuth App Name Or Client ID.

  5. Paste this Client ID and click Search: 38013396501-r6ckr41c3b79acpsa48497jcinq7jkph.apps.googleusercontent.com

  6. Select the matching app (Secureframe) → Select.

  7. Scope: choose Entire Org.

  8. Access to Google Data: choose Trusted: Can access all Google services.

  9. Click Configure.

  10. Repeat steps 4-9 for Secureframe's Navigator privileged-setup app (only required if you plan to use Navigator's automated Google Workspace setup): 605069342650-lie315h0alnbdl4lt8uvbkm493una7rj.apps.googleusercontent.com

You should now see both apps listed as Trusted on the Third-party app access page.

Step 2 - Restrict all other third-party OAuth apps

  1. From API controls, find the Settings section (top of the page, "App access control" card).

  2. Under "Control which third-party & internal apps access Google Workspace data", set the default for unconfigured third-party apps to:

    • Allow users to access third-party apps that only request basic info (name, email address, User ID, or profile image)

    This blocks any app that requests broader scopes, while still letting users sign in to benign apps with Google.

  3. Click Save.

Step 3 - Leave Google service API access on

On the same page, under Google services:

  • Do not enable Block all API access.

  • Leave Google services (Drive, Gmail, Calendar, Directory API, and so on) set to Not restricted or their existing state.

Blocking all API access would prevent Secureframe (and other trusted apps you just configured) from working. The Step 2 setting alone is sufficient to block untrusted broad-scope apps.

Step 4 - Verify

  1. Sign out and sign back in as a non-admin user.

  2. Try authorizing a third-party app that was not trusted in Step 1 and that requests Drive or Gmail scopes. You should see a Google block screen with a Request access button.

If a Secureframe connection hits a block screen, re-check Step 1: the Client ID must match exactly and the access must be Trusted.
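Before tightening the default in Step 2, it helps to know which OAuth grants your users have already made and which of those the new default would treat as broad-scope. The following Python is an added example, not part of the Secureframe article or Google's own tooling. It takes token records in the shape returned by the Admin SDK Directory API `tokens.list` method (`clientId`, `scopes`, `displayText`), with a `userKey` field added for reporting, and sorts each grant into one of three buckets: trusted by Step 1 (the two Secureframe Client IDs from the article), basic-info-only (allowed by the Step 2 default), or broad-scope and untrusted (the grants Step 2 is meant to stop). The set of scopes treated as "basic info" and the sample grants are assumptions constructed for this example; the only real Client IDs are the two from Step 1.

```python
"""Audit existing Google Workspace OAuth grants against the Step 1 / Step 2 policy.

Added example. Token records mirror the Admin SDK Directory API ``tokens.list``
response fields (clientId, scopes, displayText); ``userKey`` is added here so a
report can say whose grant it is. Everything below is constructed sample data
except the two Secureframe Client IDs, which come from Step 1 of the article.
"""
from collections import Counter

# Client IDs configured as Trusted in Step 1 (from the article).
TRUSTED_CLIENT_IDS = {
    "38013396501-r6ckr41c3b79acpsa48497jcinq7jkph.apps.googleusercontent.com",
    "605069342650-lie315h0alnbdl4lt8uvbkm493una7rj.apps.googleusercontent.com",
}

# Assumption: these are the scopes that map to Google's "basic info"
# bucket (name, email address, User ID, profile image). Any scope outside
# this set counts as broad access for the purposes of this audit.
BASIC_INFO_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample grants. Only the first clientId is real (Secureframe);
# the "1111..."/"2222..."/"3333..." IDs and app names are placeholders.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "38013396501-r6ckr41c3b79acpsa48497jcinq7jkph.apps.googleusercontent.com",
     "displayText": "Secureframe",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/admin.directory.user.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "1111-constructed.apps.googleusercontent.com",
     "displayText": "Example Sign-in App",
     "scopes": ["openid", "email", "profile"]},
    {"userKey": "carol@example.com",
     "clientId": "2222-constructed.apps.googleusercontent.com",
     "displayText": "Example Mail Assistant",
     "scopes": ["email", "https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "dave@example.com",
     "clientId": "3333-constructed.apps.googleusercontent.com",
     "displayText": "Example Drive Sync",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]


def classify_grant(token: dict) -> str:
    """Return 'trusted', 'basic-info-only' or 'blocked-by-default' for one grant."""
    client_id = token.get("clientId", "")
    scopes = set(token.get("scopes", []))
    if client_id in TRUSTED_CLIENT_IDS:
        # Step 1 trust applies regardless of requested scopes.
        return "trusted"
    if scopes and scopes <= BASIC_INFO_SCOPES:
        # Step 2 default still allows these sign-in-only grants.
        return "basic-info-only"
    # Any other scope set (or an empty one, treated conservatively) is broad.
    return "blocked-by-default"


def audit(tokens: list) -> tuple:
    """Count grants per bucket and list the broad-scope, untrusted ones.

    Returns (counts, findings). Each finding names the user, the app, the
    clientId and the scopes that fall outside the basic-info set.
    """
    counts = Counter()
    findings = []
    for token in tokens:
        verdict = classify_grant(token)
        counts[verdict] += 1
        if verdict == "blocked-by-default":
            broad = sorted(set(token.get("scopes", [])) - BASIC_INFO_SCOPES)
            findings.append({
                "user": token.get("userKey", "?"),
                "app": token.get("displayText", token.get("clientId", "?")),
                "clientId": token.get("clientId", ""),
                "broadScopes": broad,
            })
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_TOKENS)
    print("grants per bucket:", dict(counts))
    for f in findings:
        print(f"{f['user']}: {f['app']} requests {', '.join(f['broadScopes'])}")
```

To run this against real data, replace `SAMPLE_TOKENS` with the `items` from `tokens.list` for each user (collected with the Admin SDK), keeping `userKey` alongside each record. The `trusted` bucket doubles as a check on Step 1: if a Secureframe grant lands in `blocked-by-default`, its Client ID does not match one of the two IDs exactly, which is the same mismatch the verification note above warns about.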