Remove Connected Application

🧾 Definition

The "Remove Connected Application" action allows Google Workspace administrators to revoke all access tokens that a specified user has issued to a particular third-party application. By identifying the application's Client ID, the action ensures that the app loses all previously granted access to the user’s account, enhancing security and administrative control. This is especially useful for managing unauthorized apps, revoking access after employee offboarding, or enforcing compliance policies across the organization. It enables real-time, targeted revocation of OAuth 2.0 tokens without impacting other services.


Example Use Cases:


Offboarding a Departed Employee

Revoke third-party application access from a former employee’s account to prevent unauthorized usage of corporate data after departure.


Revoking Access to Suspicious Applications

Immediately disable access for apps flagged as suspicious or non-compliant with company policy by removing their access tokens.


Security Breach Containment

During a security incident, quickly remove access for a potentially compromised application across specific user accounts.


Enforcing Approved App Policies

Ensure users only use pre-approved third-party tools by programmatically removing any connected applications that don’t match a trusted client ID list.


Compliance and Audit Cleanup

Regularly audit and clean up outdated or unused app connections from user accounts to maintain a secure and compliant environment.



Input:


Connection

A required Google Workspace Administration connection. To authorize this action, you must set up a Google service account with domain-wide delegation and upload the corresponding credential JSON file. This allows Zenphi to securely act on behalf of your Google Workspace admin to manage user and application access. 👉 How to create this connection


Admin Email Address

The email address of a super admin in your Google Workspace domain. This admin identity is used to impersonate and authorize the action, ensuring the required privileges are in place for managing application access across users.


Target User Email Address

The email address of the user whose connected application access you want to remove. This must be a valid user in your Google Workspace domain. The action will remove all access tokens that this user has granted to the specified application.


Client ID

The OAuth 2.0 client ID of the third-party or internal application you want to disconnect from the user’s account. Each application that integrates with Google APIs has a unique client ID. You can find this in the Google Admin console under Security > API Controls > App Access Control or from application documentation. Providing the correct client ID ensures the exact app is disconnected.



📘 Example: Disconnecting Access to a Third-Party Application

Scenario:

Let’s imagine an employee at your company, John, has authorized a third-party CRM tool to access his Google Workspace account. However, as part of a security audit, your company has decided to revoke access for this CRM tool across all users to prevent unauthorized data sharing.

As the Google Workspace admin, you want to ensure that John’s CRM application access is removed immediately to maintain security and compliance.

Steps:

  1. Set up the Connection: You have already created a Google Workspace Administration connection in Zenphi by uploading your service account credential JSON file with domain-wide delegation, as described in the connection creation guide.

  2. Provide Input Fields: You will provide the necessary inputs for the action:

    • Admin Email Address: Enter your admin email (e.g., [email protected]), which will be used to authorize the action.
    • Target User Email Address: Enter John’s email address (e.g., [email protected]), as this is the user whose CRM application access you are going to revoke.
    • Client ID: Provide the Client ID for the CRM application (e.g., 12345abcde.apps.googleusercontent.com), which is the unique identifier for the CRM tool in Google’s OAuth system.
  3. Run the Flow: Once all the inputs are filled in, you will run the Zenphi flow. This action will remove all access tokens that John has issued to the CRM tool.

  4. Result: The CRM tool will no longer have access to John’s Google Workspace data, ensuring that sensitive company information is protected.


This process can be replicated for any other user or application within your domain, ensuring that you can maintain tight control over external application access and improve your organization’s security posture.
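For the "Enforcing Approved App Policies" use case and the replication across users described above, the following added example (not Zenphi's code) plans which (user, client ID) pairs to feed into the action by comparing each user's connected applications against a trusted client ID list. It assumes the token data comes from the Google Admin SDK Directory API tokens.list method and shows the matching tokens.delete URL; the users, client IDs and allowlist are constructed sample values.

```python
from urllib.parse import quote

# Admin SDK Directory API: tokens.delete is
# DELETE {base}/users/{userKey}/tokens/{clientId}
DIRECTORY_BASE = "https://admin.googleapis.com/admin/directory/v1"

# Constructed allowlist and sample data (hypothetical users and client IDs),
# shaped like the "items" of a Directory API tokens.list response per user.
TRUSTED_CLIENT_IDS = {"11111approved.apps.googleusercontent.com"}
SAMPLE_TOKENS = {
    "john@example.com": [
        {"clientId": "11111approved.apps.googleusercontent.com",
         "displayText": "Approved Calendar Tool",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "12345abcde.apps.googleusercontent.com",
         "displayText": "CRM Tool",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ],
    "jane@example.com": [
        {"clientId": " 12345abcde.apps.googleusercontent.com ",  # stray spaces
         "displayText": "CRM Tool",
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    ],
    "sam@example.com": [],  # no connected applications
}


def plan_revocations(tokens_by_user, trusted_client_ids):
    """Return one planned DELETE per (user, untrusted client ID) pair."""
    trusted = {cid.strip() for cid in trusted_client_ids}
    plan = []
    for user in sorted(tokens_by_user):
        seen = set()
        for token in tokens_by_user[user] or []:
            client_id = (token.get("clientId") or "").strip()
            if not client_id or client_id in trusted or client_id in seen:
                continue  # skip malformed, approved, or duplicate entries
            seen.add(client_id)
            plan.append({
                "user": user,
                "client_id": client_id,
                "app": token.get("displayText", ""),
                "scopes": token.get("scopes", []),
                "url": f"{DIRECTORY_BASE}/users/{quote(user, safe='@')}"
                       f"/tokens/{quote(client_id, safe='')}",
            })
    return plan


if __name__ == "__main__":
    for item in plan_revocations(SAMPLE_TOKENS, TRUSTED_CLIENT_IDS):
        print("DELETE", item["url"], "#", item["app"], item["scopes"])
```

Each planned entry supplies the Target User Email Address and Client ID inputs for one run of the action, and the recorded app name and scopes give an audit trail of what access was removed.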