Third Party Apps Audit



What is a Third Party Apps Audit?

Third Party Apps Audit allows an Admin to take action (revoke or approve access) on multiple third party apps that have been installed by users or Admins within their domain.

  • Third Party Apps Audit is available to use in the Google Apps section of BetterCloud
  • All Apps that have been installed and authorized by a user on your domain can be viewed and managed from one place

Note: Only apps that require authentication will show in Third Party Apps Audit



To sync your Apps, please click on the sync button pictured here.


What can Third Party Apps Audit do?

  • Enables an Admin to view all third party apps that have been installed by users and Admins on your domain
  • Allows an Admin to approve or revoke access/authorization to certain apps by organizing them as one of the following:
    1. Block List
    2. Allow List
    3. Unresolved
  • This feature also allows an Admin to view the users who have installed and provided authorization to each app
  • Creates an organized list and view of what Apps have been authorized by users or admins
  • Gives the ability to view Permissions for each App:
    1. Drive - read/write
    2. Directory - read/write
    3. Email - read/write
    4. Domain - read/write
    5. Account - read/write
    6. Other - read/write
  • Some applications require app-specific passwords. BetterCloud allows you as the admin to determine which users have set these up on their applications

Browsing Apps

You are able to view all of the apps installed on your domain in one place in BetterCloud. While browsing, you can also view key information on each app as well as take action (revoke or approve access).

  1. You are able to organize all of your apps into a set of 4 lists. These lists track which apps you have approved or revoked access to (each access setting/list is covered in more depth in section 3)
  2. Filters are available to sort through all of the Installed Apps on your domain. You can filter by:
    • Permissions Granted
    • App Name
    • Permission Score
    • Domain Wide Access
    • App ID
  3. Export to spreadsheet
  4. Perform actions on the selected app(s)
    • Allow List: Allows users on the domain to install and use the application
    • Allow List & Notify Users: Allows users on the domain to install and use the application and sends a customized email
    • Block List: Revokes access to application for all users who install it
    • Block List & Notify Users: Revokes access to application for all users who install it and sends a customized email
    • Notify Users: Customize emails to users who have installed the app
  5. App Name
  6. Permission Score/Permissions
    • Permission score is a number between 1 (least) and 10 (most) that ranks the amount of access an application requires to the domain or user account
  7. Whether or not an app was installed by a G Suite Super Admin
  8. Number of installs
  9. Whether or not an app is set to send notifications when it's installed
  10. Take action on apps:

    • Allow
    • Block
    • Notify


Managing Access to Apps On Your Domain

You are able to approve or revoke access to your apps by organizing them into a set of 4 lists that track which apps you have approved or revoked access to.

As an Admin, you are able to go into each list and manage all of the apps installed in your domain in one central location, in an easy and well organized way.

  1. Block Listed: These are the apps that you have revoked access from for your domain users
    • Putting an app in this list removes the authentication for the app
    • The user may still be able to access the app; however, the app will no longer have access to their account. In this case, they will be prompted to reauthenticate after navigating to specific areas of the app.
    • Once access has been revoked, a user can reinstall the app; however, authentication will be revoked again on each sync.
      Please note: If a user was manually revoked on the apps detail page or the user detail page, you will need to revoke access again if the user re-installs the app.
  2. Allow Listed: Apps in this list have been approved by you, and users are able to log in and use them
    • These are the apps that you proactively choose for users to have access to
    • This will not automatically grant your users access to these apps
  3. Unresolved: If an app is listed here, it means you have not reviewed it yet for the Blocked or Allowed list
    • This list serves as an easy way to stay on top of what apps you still need to take action on
    • All newly installed apps would appear here (before they are Blocked or Allowed)
    • Users are able to log in and use all apps on this list, so make sure to check in and review these apps
  4. All Apps: view of all three of the above lists combined, essentially a total list of all apps used by your domain

You can also mark an app as Allowed, Blocked, or Unresolved on the individual app’s page.
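
One way to work through the Unresolved list offline, using the spreadsheet export and the fields this page describes (permission score, domain-wide access, Super Admin installs, read/write permissions). This is an added example, not BetterCloud code; the column names, the sample rows and the score threshold of 7 are assumptions, since the page does not show the export layout.

```python
import csv
import io

# Constructed sample; column names are assumptions (export layout is not on the page).
SAMPLE_EXPORT = """\
app_name,app_id,status,permission_score,domain_wide_access,super_admin_install,installs,permissions
Mail Merge Helper,app-001,Unresolved,9,no,no,42,Email:write;Drive:read
PDF Viewer,app-002,Unresolved,3,no,no,310,Drive:read
Directory Sync Tool,app-003,Unresolved,6,yes,yes,1,Directory:write;Domain:read
Calendar Widget,app-004,Allow List,8,no,no,75,Account:read
Old Backup Agent,app-005,Block List,10,yes,no,2,Drive:write;Email:write
Notes App,app-006,Unresolved,,no,no,5,Other:read
"""

def parse_score(text):
    """Return the 1-10 permission score, or None if missing or out of range."""
    try:
        value = int(text)
    except (TypeError, ValueError):
        return None
    return value if 1 <= value <= 10 else None

def review_queue(export_text, score_threshold=7):
    """Return Unresolved apps as (name, reasons), most urgent first."""
    queue = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "unresolved":
            continue  # Allow/Block listed apps have already been decided
        reasons = []
        if row["domain_wide_access"].strip().lower() == "yes":
            reasons.append("domain-wide access")
        if row["super_admin_install"].strip().lower() == "yes":
            reasons.append("installed by Super Admin")
        score = parse_score(row["permission_score"])
        if score is None:
            reasons.append("permission score unreadable")  # review, do not skip
        elif score >= score_threshold:
            reasons.append(f"permission score {score}")
        if any(p.strip().endswith(":write") for p in row["permissions"].split(";")):
            reasons.append("write permission")
        # Sort key: number of reasons, then score (unreadable counts as 10), then installs.
        queue.append((len(reasons), score or 10, int(row["installs"] or 0),
                      row["app_name"], reasons))
    queue.sort(reverse=True)
    return [(name, reasons) for _, _, _, name, reasons in queue]

if __name__ == "__main__":
    for name, reasons in review_queue(SAMPLE_EXPORT):
        print(f"{name}: {', '.join(reasons) or 'no flags'}")
```

Apps already on the Allow or Block list are left out, so the output is the set of apps users can still log in to that no Admin has reviewed.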


App View

By clicking into an app, you have the ability to view the app details as well as its usage on your domain. You are able to:

  1. View app name
  2. View and change app status - unresolved, allowed, or blocked
  3. View permissions granted to app and permission score
    • Shows if the app can read and/or write to certain areas of your Google account
  4. Add notes
  5. Export data to a spreadsheet
  6. Revoke access from selected user(s)
  7. View all users that have installed app
  8. Take actions
  9. View Domain Access

User View

You are able to view all of the apps a user has installed and authenticated on their user profile. Here you can:

  1. Filter apps
    • By permissions granted - what areas the apps have access to (i.e. Drive, Email, etc)
    • By app name
  2. Export to spreadsheet
  3. Revoke access from selected user(s)
  4. View app name
  5. View date discovered - date BetterCloud discovered the installation after a sync

App-Specific Passwords

App-specific passwords are a feature created by Google to provide an extra layer of security for the accounts of users enrolled in “2-Step Verification”. In BetterCloud, you can manage these passwords for every user.

  1. Filter by user’s name
  2. Export to spreadsheet
  3. View user who installed the app/password
  4. View application name
    • Note: A user can title their application-specific password whatever they want. This title may be misleading and may not be a true representation of the application
  5. View date password was created
  6. View date app was last used
  7. Remove authentication

Note: An Admin can only delete a password; they cannot create one.

App Policies

BetterCloud also allows you to create policies to manage third party apps installed on your domain by your users. These policies can keep your domain secure by automatically revoking access to the account or domain associated with the application. Policies can also notify users if they install a potentially risky application. To learn how to set up an App Policy CLICK HERE!

Scopes Summary

Click here to see all the different scopes that an application may request access to and what they mean.


Apps will only display in Apps Audit if the application requests some level of access to your domain. Apps that require access to your domain will display a pop-up (shown below) when installing.

