List Connected Applications
🧾 Definition
The "List Connected Applications" action retrieves a list of third-party applications that a specified user has authorized to access their Google Workspace account. It returns detailed information about the applications, such as the Client ID, Scopes (permissions granted), whether the application is a native or web-based app, and more. This action is useful for auditing and managing the integrations a user has with external applications, ensuring compliance, and maintaining security by identifying and reviewing authorized third-party connections. With this information, administrators can monitor application access and take appropriate action, such as revoking access if necessary.
Example Use Cases
Audit User-Granted Application Access
Easily retrieve and review all third-party applications that a user has granted access to within their Google Workspace account, ensuring that only trusted applications are authorized.
Security Compliance Monitoring
Monitor and enforce security policies by listing all connected applications and reviewing their scopes, ensuring they meet organizational security standards and regulations.
Revoke Unnecessary or Risky Applications
Identify outdated or potentially insecure applications that no longer need access to user data, and take immediate action to remove or revoke the permissions granted to these applications.
User Account Review
Periodically review user accounts to ensure that no unauthorized third-party applications have been granted access to sensitive company data, helping maintain privacy and compliance.
Reporting and Analysis
Generate reports of all connected applications for auditing purposes, providing transparency to internal stakeholders or compliance auditors on the integrations and permissions in place within your Google Workspace environment.
Inputs
Connection
This field is used to establish a connection to your Google Workspace Administration. It is a required field where you must upload a Google service account credential JSON file with domain-wide delegation enabled. This allows Zenphi to securely interact with your Google Workspace resources on your behalf. The connection provides Zenphi with the necessary authorization to access and manage user data and settings within your Google Workspace account.
👉 How to create this connection
Admin Email Address
This field refers to the email address of the Google Workspace super administrator. The super administrator is required for performing administrative actions within the domain. The provided admin email will be used to authenticate the request and impersonate the admin, granting Zenphi the necessary permissions to access the requested data for the target user.
Target User Email Address
This field allows you to specify the email address of the user whose connected applications you want to list. This is the user whose tokens have been issued to third-party applications. You can provide the primary email address or alias of the user to retrieve their connected applications. It ensures that the action focuses on retrieving data for the specified individual user.
Outputs
Client ID
This field returns the Client ID of the application that was issued a token by the specified user. The Client ID is a unique identifier for a third-party application that has been granted access to the user’s Google Workspace account. It helps you track and identify which specific applications have access to user data.
Scopes
This field provides a list of authorization scopes that the third-party application has been granted. Scopes define the level of access the application has to user data. For example, a scope could allow an app to access a user’s email, calendar, or Google Drive. The scopes help administrators understand what permissions the connected application has and what data it can access.
User Key
The User Key is the unique identifier for the user who issued the token. This ID is essential when managing user-specific access to third-party applications. It allows administrators to correlate tokens with the user who authorized the connection, enabling better management and security practices.
Anonymous
This field indicates whether the application is registered with Google. It returns a true/false value. If true, it means the application has an anonymous Client ID, which is typically used for applications that are not officially registered with Google. This is useful for identifying unregistered or less trusted applications that are using Google Workspace resources.
Display Text
The Display Text field provides the displayable name of the third-party application that the token was issued to. This is the name shown to the user or administrator, making it easier to identify the application that is accessing the user’s data.
Native App
This field indicates whether the token was issued to a native application, which means the application is installed on a user's device (desktop or mobile). If this value is true, the application is a native app; if false, it’s a web application. This distinction helps in managing and identifying how and where the application is being used.
Kind
This field always returns the value admin#directory#token, which signifies the type of API resource. It helps developers and administrators understand that the response is related to a directory token and not any other kind of resource in the Google Admin SDK.
ETag
The ETag is a unique identifier used for concurrency control. It ensures that any changes made to the resource are properly tracked. ETags help with cache validation and can be used to determine if the resource has changed since it was last fetched, improving performance and consistency.
Example Scenario: Monitoring Third-Party Application Access
**Situation:** A Google Workspace administrator wants to review which third-party applications are accessing user data across their organization. Specifically, they want to monitor tokens issued to a particular user to ensure only authorized applications have access and that sensitive data is protected.
Steps to Set Up the Flow:
- Set Up the Connection: The administrator sets up a Google Workspace Administration connection in Zenphi. This connection requires uploading a credential JSON file for a service account with domain-wide delegation. This allows Zenphi to securely interact with the Google Admin resources on behalf of the organization.
- Provide Admin Email: The administrator enters their Admin Email Address in the input field. This email should belong to a super administrator account in Google Workspace, granting them the necessary permissions to access user data and manage application tokens.
- Provide User's Email Address: In the Target User Email Address field, the administrator specifies the email address of the user whose third-party application access they want to review. This can be any user within the organization.
- Run the Flow: When the flow is triggered, Zenphi will fetch a list of tokens that the specified user has issued to third-party applications.
- Review the Output Data: The flow will return a list of application tokens along with key details, such as:
  - The Client ID of each application.
  - The authorization scopes granted to the application.
  - Whether the application is registered with Google (via the Anonymous field).
  - Whether the application is installed natively (via the Native App field).
  - The Display Text for easy identification of the application.
- Action on Results: With this information, the administrator can review the scope of access for each application. If they find any untrusted or unnecessary applications, they can take actions like revoking access or disabling certain permissions, either manually or through automated flows.
Example Outcome: The administrator might find that an outdated mobile app (native app) is accessing sensitive data and revoke its access to ensure better security. Alternatively, they could identify applications with excessive scopes and adjust permissions, ensuring that only necessary access is granted to third-party applications.
This setup helps ensure that user data is only accessible to trusted applications and enables the administrator to stay on top of external integrations within the Google Workspace environment.
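The review step in this scenario can be scripted once the token list is available as records. The following is an added example, not Zenphi's or Google's code: it assumes the records use the Admin SDK Directory API token field names (clientId, scopes, anonymous, nativeApp, displayText), and the BROAD_SCOPES policy, client IDs and app names are constructed for illustration.

```python
# Added example: triage connected-app token records for review.
# Assumption: records use Admin SDK Directory API token field names.

# Assumed review policy: scopes that grant broad access to mail, files or the directory.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

def review_token(token):
    """Return the list of review reasons for one token record (empty if none)."""
    reasons = []
    if token.get("anonymous"):
        reasons.append("unregistered (anonymous) client ID")
    broad = sorted(set(token.get("scopes", [])) & BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))
    if token.get("nativeApp") and broad:
        reasons.append("native app holding broad scopes")
    return reasons

def triage(tokens):
    """Map clientId -> reasons for tokens needing review, most reasons first."""
    flagged = {t["clientId"]: review_token(t) for t in tokens}
    flagged = {cid: r for cid, r in flagged.items() if r}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

# Constructed sample records; client IDs, user key and app names are placeholders.
SAMPLE_TOKENS = [
    {"kind": "admin#directory#token", "displayText": "Example CRM",
     "clientId": "example-crm.apps.googleusercontent.com",
     "userKey": "100000000000000000001", "anonymous": False, "nativeApp": False,
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"kind": "admin#directory#token", "displayText": "Example Backup",
     "clientId": "example-backup.apps.googleusercontent.com",
     "userKey": "100000000000000000001", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"kind": "admin#directory#token", "displayText": "Legacy Mail Sync",
     "clientId": "legacy-mail-sync.example",
     "userKey": "100000000000000000001", "anonymous": True, "nativeApp": True,
     "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    for client_id, reasons in triage(SAMPLE_TOKENS).items():
        print(client_id, "->", "; ".join(reasons))
```

Adjust BROAD_SCOPES to match the scopes your organization treats as sensitive before using the output to decide what to revoke.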