Google is working with app developers to make sure that third-party apps comply with Google privacy and security requirements. Third-party apps that haven’t completed a verification process are “unverified” and might be subject to restrictions.
Which unverified third-party apps are subject to restrictions?
Unverified third-party apps that access Gmail data and have more than 100 users worldwide are subject to restrictions.
Currently, unverified third-party apps with fewer than 100 users worldwide, apps internal to your domain, and unverified third-party apps that access data for Google services other than Gmail aren’t subject to restrictions.
What does this mean for my organization?
If your organization has users who currently run unverified third-party apps, those unverified apps will continue to work as expected. However, any new installations of unverified third-party apps that are subject to restrictions will be blocked—unless you indicate that the app is trusted.
Review your third-party apps
You might have received email from Google advising you of this change, containing a list of your unverified third-party apps. Review this list and decide which apps you want to trust and allow users to install.
If you weren't contacted, it’s still a good idea to review your third-party apps using these
best practices.
If you have unverified third-party apps
If you decide to let users install new instances of unverified third-party apps that are subject to restrictions, you must first put them on an
allowlist of trusted apps.
If you have unverified third-party apps that aren't subject to restrictions, we recommend that you also put these apps on an allowlist of trusted apps.
What about internal apps?
We recommend trusting internal apps that are built in-house or apps that you installed from a trusted source, such as a developer hired by your organization.
You can trust internal apps created in your organization automatically in the Google Admin console.
About trusted third-party apps
When you trust a third-party app, it will have access to some Google Workspace user data (OAuth2 scopes) that you have otherwise restricted. For example, if you have generally blocked access to Gmail OAuth2 scopes, apps on your allowlist will still have access to Gmail.
FAQ
Why would a third-party app be unverified?
An app might not have completed the verification process for various reasons, such as using an unsupported
application type, or using data in a way that’s incompatible with
limited use requirements.
Google implemented this verification process to help provide confidence and consistency with your privacy expectations.
If I'm an app developer as well as a user, how do I get a third-party app verified?
What will happen to unverified third-party apps?
Users who currently run unverified third-party apps can continue to use them, unless you restrict access to Google Workspace APIs.
New users won’t be able to install unverified third-party apps that are subject to restrictions—unless you first put them on an
allowlist of trusted apps.
What happens when I trust a third-party app?
Users who don't already have the app will be able to install it, whether or not the app is verified. Additionally, it will have access to any Google Workspace APIs (OAuth2 scopes) that you restricted using the
API Permissions settings.