Google Workspace domain-wide delegation granted
Description
AlphaSOC detected a domain-wide delegation grant via the audit event
AUTHORIZE_API_CLIENT_ACCESS. This event indicates an API client was authorized
to act on behalf of users across the tenant (domain-wide delegation). While
legitimate integrations sometimes require delegated access, granting domain-wide
delegation gives broad, high-impact privileges to an application and can be
abused by attackers to access user data and act with user-level privileges.
Impact
A compromised or malicious OAuth client with domain-wide delegation can read or modify user data, impersonate users, and perform tenant-wide actions depending on granted scopes. This can lead to data exfiltration, account takeover, and unauthorized configuration changes.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace domain-wide delegation granted |
Investigation and Remediation
Inspect the audit event to identify the authorized client_id, scopes, and the
actor who granted the delegation. Validate whether the client is a known,
approved integration and review its OAuth client configuration in the admin
console. If unauthorized, revoke the client’s domain-wide delegation, rotate any
associated client secrets, and review API activity for suspicious access.
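
The triage steps above can be scripted against exported audit records. The following is an added example, not AlphaSOC or Google code: it pulls the actor, client ID and scopes from an AUTHORIZE_API_CLIENT_ACCESS record and checks them against an allowlist of approved integrations. The allowlist, the sample record, and the parameter names `API_CLIENT_NAME` and `API_SCOPES` (assumed to follow the Admin SDK Reports API activity layout) are assumptions.

```python
import re
# Hypothetical allowlist: approved client IDs mapped to the scopes approved for each.
APPROVED_CLIENTS = {
    "100000000000000000001": {"https://www.googleapis.com/auth/calendar.readonly"},
}
# Scopes giving broad access to mail, files or the directory (illustrative, not exhaustive).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Constructed sample record. Assumption: Reports API admin activity layout, with the
# client ID in API_CLIENT_NAME and a comma-separated scope list in API_SCOPES.
SAMPLE_EVENT = {
    "id": {"time": "2024-01-01T00:00:00.000Z", "applicationName": "admin"},
    "actor": {"email": "admin@example.com"},
    "ipAddress": "203.0.113.10",
    "events": [{"name": "AUTHORIZE_API_CLIENT_ACCESS", "parameters": [
        {"name": "API_CLIENT_NAME", "value": "100000000000000000002"},
        {"name": "API_SCOPES",
         "value": "https://mail.google.com/,https://www.googleapis.com/auth/drive"},
    ]}],
}

def triage(activity, approved=APPROVED_CLIENTS):
    """Return one finding per AUTHORIZE_API_CLIENT_ACCESS event in the record."""
    findings = []
    for event in activity.get("events", []):
        if event.get("name") != "AUTHORIZE_API_CLIENT_ACCESS":
            continue
        params = {p["name"]: p.get("value", "") for p in event.get("parameters", [])}
        client_id = params.get("API_CLIENT_NAME", "")
        scopes = {s for s in re.split(r"[,\s]+", params.get("API_SCOPES", "")) if s}
        allowed = approved.get(client_id)
        if allowed is None:
            verdict = "unapproved_client"   # not a known integration: review, then revoke
        elif scopes - allowed:
            verdict = "scope_expansion"     # known client granted scopes beyond approval
        else:
            verdict = "approved"
        findings.append({
            "time": activity.get("id", {}).get("time"),
            "actor": activity.get("actor", {}).get("email"),
            "source_ip": activity.get("ipAddress"),
            "client_id": client_id,
            "broad_scopes": sorted(scopes & BROAD_SCOPES),
            "verdict": verdict,
        })
    return findings
```

Calling `triage(SAMPLE_EVENT)` returns a single finding with verdict `unapproved_client`; findings with `unapproved_client` or `scope_expansion` are the ones to take through the revocation and API activity review described above.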