Control access to apps based on user & device context

Assign access levels to third-party apps

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

As an administrator, you can assign Context-Aware Access levels to all internal and third-party OAuth apps that use “Sign in with Google.” You can control access by user identity, device security status, IP address, and geographical location.

Note: Context-Aware Access rules are applied only when a user signs in through Google. After a user is successfully signed in, the third-party app controls the session. Therefore, if the user's access conditions change later, Context-Aware Access won't block the active session. The user would only be checked against the Context-Aware Access policy again during their next sign-in attempt.

When you assign access levels…

Users are granted access to the app when they meet the conditions specified in one of the access levels you select (it’s a logical OR of the access levels in the list). If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels. If you want to assign more than 10 access levels for an app, you can use nested access levels.

Assign Context-Aware Access levels to third-party apps

Before you begin: If needed, learn how to apply the setting to a department or group.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Security > Access and data control > Context-Aware Access.

    Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.

  3. Click General Settings.
  4. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

  5. In the Access levels for OAuth apps section, click Edit .
  6. Choose the access levels you want to apply to internal and third-party OAuth apps using Google sign-in:
    • Active mode: Blocks access to apps that don't meet the access levels
    • Monitor mode: Logs access attempts that don't meet any of the selected access levels, but doesn't block access
  7. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

You’re returned to the Access levels for OAuth apps section that shows the access levels applied to all internal and third-party OAuth apps in both monitor and active mode.

Related information

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
15631904821823513568
true
Search Help Center
false
true
true
true
true
true
73010
false
false
false
false