The “Sign in with Google” button is everywhere. Nearly every educational tool and platform offers this incredibly convenient method of registration. However, it also means that more and more applications have access to your data.
If your API Access Control isn’t configured correctly, clicking that button might be handing over the keys to your domain’s files, emails, and directory. To help you regain control without breaking classroom instruction, here is a practical strategy to block third-party apps in Google Admin and manage the “Sign in with Google” experience in your district.

Using “Sign in with Google” is much BETTER than directly handing out your username and password to dozens of sites. This feature also gives IT admins the ability to view and revoke access to applications that don’t meet your privacy standards.
Thankfully, Google has centralized the “Sign in with Google” policies within the Google Admin console: Security > Access and data control > API controls
This section allows you to review, configure, and manage the applications that staff and students are connecting to their district account.
Here is what you need to know to keep your data secure without breaking the tools your teachers love.
The 10-Minute API Audit
Before you change any policies, you need to see what’s actually happening in your domain. Reviewing the existing tools being used by staff members will help you determine if things are going well, or if you have a big problem on your hands.
- Go to Security > Access and data control > API controls.
- Click Manage Third-Party App Access.
- Look at the “Accessed apps” list.
This is one of the reports that I include during my Google Admin Audits. Nearly every time I run this report I discover teachers who have connected their school accounts to coupon-clippers, fast-fashion apps, or sketchy AI headshot generators. 😬
Now that you have a sense of how your data is being used, let’s look at your default policies.
Third-party Access for students
First, let’s look at our student policy: Security > API controls > Settings > Unconfigured third-party apps > Settings for user under 18
My Recommendation: Block third-party apps in Google Admin for students
Before changing this policy, be sure to configure applications that are frequently used in your district (Kami, Pear Deck, Wayground, Kahoot, etc). Just look at the top 10-20 apps listed on your app audit.
Warning: you will get a lot of complaints from students once they realize they can’t access many of their non-educational applications! 😃
Managing Staff Access
Managing staff access is more challenging. While we don’t want to create roadblocks for professional use, we also need to protect district data from applications that harvest information. This includes common “consumer” apps like Temu, Shein, Instagram, Facebook, Honey, etc.
The API controls section lets you restrict access to data in specific applications, like Gmail, Drive, and Calendar. Since that is where your most sensitive information is likely to be stored, I recommend configuring your core Google services as “restricted.” Third-party access to this data will then require explicit approval from the IT department.
Security > API controls > App Access control > Manage Google Services
With this policy enabled, you can now configure your staff access to “Allow apps that only request basic info.” This gives teachers the flexibility to use “Sign in with Google” for simple site registrations, but blocks third-party apps that request deeper permissions.
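The audit and the staff policy above come down to one question per app: does it ask only for basic sign-in info, or does it reach into a restricted service? The following Python example is an addition to this article, not the author's or Google's code; the grant records, app names, and the simplified scope-to-service prefix map are assumptions constructed for illustration.

```python
from collections import defaultdict

# Scopes that only identify the user (what "Sign in with Google" itself needs).
BASIC_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile",
}
# Assumption: simplified prefix map for the services the article marks "restricted".
RESTRICTED_PREFIXES = {
    "Gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail."),
    "Drive": ("https://www.googleapis.com/auth/drive",),
    "Calendar": ("https://www.googleapis.com/auth/calendar",),
}

def services_touched(scopes):
    """Return the restricted services that a collection of scopes reaches into."""
    return sorted(
        svc for svc, prefixes in RESTRICTED_PREFIXES.items()
        if any(s.startswith(prefixes) for s in scopes)
    )

def triage(grants):
    """Group per-user grants by app and classify each app against the policy."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        apps[g["app"]]["users"].add(g["user"])
        apps[g["app"]]["scopes"].update(g["scopes"])
    report = {}
    for name, info in apps.items():
        touched = services_touched(info["scopes"])
        verdict = ("needs IT approval" if touched
                   else "basic info only" if info["scopes"] <= BASIC_SCOPES
                   else "review manually")  # unknown scope: neither basic nor mapped
        report[name] = {"verdict": verdict, "services": touched, "users": len(info["users"])}
    return report

# Constructed sample grants (not real export data).
SAMPLE_GRANTS = [
    {"user": "teacher1@example.edu", "app": "Quiz Tool", "scopes": ["openid", "email", "profile"]},
    {"user": "teacher2@example.edu", "app": "Quiz Tool", "scopes": ["openid", "email"]},
    {"user": "teacher1@example.edu", "app": "Coupon Extension", "scopes": ["email", "https://mail.google.com/"]},
    {"user": "student1@example.edu", "app": "PDF Annotator", "scopes": ["profile", "https://www.googleapis.com/auth/drive.file"]},
    {"user": "teacher3@example.edu", "app": "Roster Sync", "scopes": ["email", "https://www.googleapis.com/auth/classroom.rosters.readonly"]},
]

if __name__ == "__main__":
    for app, row in sorted(triage(SAMPLE_GRANTS).items()):
        print(f"{app:18} {row['verdict']:18} users={row['users']} {', '.join(row['services'])}")
```

Apps that land in “review manually” request scopes outside both lists, so they need a human decision rather than a default allow.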

Approving App Requests
If a teacher or student attempts to access an app that is restricted, they will receive a message that looks like this:

I recommend that you ALLOW staff and students to request access to unconfigured apps. This makes it much easier to identify and approve (or block) apps that are in high demand. When you visit the API controls page, you will be able to see apps pending review.
You might consider creating a custom Gemini Gem to help you review and evaluate the apps requested by teachers and students.
The “Sign in with Google” button provides visibility into what applications are requesting access to your data, giving you an opportunity to make purposeful choices about what tools to approve or deny.