Google Workspace Marketplace restrictions modified to allow any app
Description
AlphaSOC detected a CHANGE_APPLICATION_SETTING event that changed the Apps Access Setting Allowlist access setting, with NEW_VALUE equal to ALLOW_ALL. This indicates the tenant-level Marketplace restriction was modified to permit any application rather than a restricted allowlist. While this may be done to enable broad app access for business needs, it significantly widens the exposure to unvetted third-party apps.
Impact
Allowing any Marketplace app increases the risk that malicious or poorly configured third-party apps obtain OAuth permissions, access user data, and act on behalf of users. This can lead to data exfiltration, increased OAuth misuse, and a larger attack surface for supply-chain-style compromises.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace Marketplace restrictions modified to allow any app |
Investigation and Remediation
Review the audit event to confirm the actor and rationale for changing the Apps Access Setting Allowlist access. If unauthorized, revert to the previous policy and audit recently authorized apps for excessive scopes. Apply an application approval workflow, require business justification, and restrict OAuth scopes. Monitor newly authorized apps and enforce periodic reviews of allowed integrations.
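
To support the review step above, here is an added example (not AlphaSOC's detection code) that applies the condition from the Description to exported admin audit records and pulls out the actor, time, and previous value. It assumes records shaped like Admin SDK Reports API activities with SETTING_NAME and OLD_VALUE parameters; the sample records, email addresses, and EXAMPLE_* values are constructed.

```python
import json

# Constructed sample records. Assumed layout: Admin SDK Reports API "admin"
# activities (id.time, actor.email, events[].parameters[] as name/value pairs).
SAMPLE_ACTIVITIES = json.loads("""
[
  {"id": {"time": "2024-01-01T10:00:00Z"},
   "actor": {"email": "admin@example.com"},
   "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
     {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
     {"name": "OLD_VALUE", "value": "EXAMPLE_PREVIOUS_VALUE"},
     {"name": "NEW_VALUE", "value": "ALLOW_ALL"}]}]},
  {"id": {"time": "2024-01-01T11:00:00Z"},
   "actor": {"email": "helpdesk@example.com"},
   "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
     {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
     {"name": "NEW_VALUE", "value": "EXAMPLE_OTHER_VALUE"}]}]},
  {"id": {"time": "2024-01-01T12:00:00Z"},
   "actor": {"email": "admin@example.com"},
   "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
     {"name": "SETTING_NAME", "value": "Some other setting"},
     {"name": "NEW_VALUE", "value": "ALLOW_ALL"}]}]},
  {"id": {"time": "2024-01-01T13:00:00Z"},
   "actor": {},
   "events": [{"name": "CHANGE_APPLICATION_SETTING"}]}
]
""")
SETTING = "Apps Access Setting Allowlist access"  # setting name as given on this page

def find_allow_all_changes(activities):
    """Return one finding per event that sets the Marketplace allowlist to ALLOW_ALL."""
    findings = []
    for activity in activities:
        for event in activity.get("events", []):
            if event.get("name") != "CHANGE_APPLICATION_SETTING":
                continue
            # Parameters arrive as a list of {name, value}; flatten to a dict.
            params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
            if params.get("SETTING_NAME") == SETTING and params.get("NEW_VALUE") == "ALLOW_ALL":
                findings.append({
                    "time": activity.get("id", {}).get("time"),
                    "actor": activity.get("actor", {}).get("email", "unknown"),
                    "old_value": params.get("OLD_VALUE"),
                })
    return findings

if __name__ == "__main__":
    for finding in find_allow_all_changes(SAMPLE_ACTIVITIES):
        print(finding)
```

The recorded old_value is the policy to restore if the change turns out to be unauthorized.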