A few apps
So lucky you, someone (maybe you) has realised third parties at your organisation are an important consideration for information security. Maybe you were one of those happy organisations that were even doing this sort of risk assessment for years? Maybe you thought you were fine on 3rd party assessments, until someone finally had the “but what about our web apps!!!” nightmare. Either way you find yourself investigation how to risk assess your organisation’s Google Apps. Turns out, there’s a script for that!
As a starting point allow me to direct you to
https://github.com/slackhq/gsuite-oauth-third-party-app-report/blob/master/third-party-app-report.gs
This script will walk you thorough how to generate the necessary GAM report of all OAuth (yes, just OAuth) Gsuite connected apps in use in your organisation. More importantly it covers how to generate a risk report from that data.
Most small/mid size organisations will probably have few enough results that this script (run from inside google sheets) will probably run for you without crashing. If that’s the case, you can stop reading here. You have your report. Off you go and enjoy a drink, smug in the knowledge that you have a manageable number of apps to deal with. Go.. I can’t look at you on my live google analytics Real-Time feed anymore.
More than a few apps
My variation is for the case where your organisation has so many users (with so many apps) **shudder** that running the script from within Google just crashes/times out. How the heck are you supposed to risk assess your organisation’s Google Apps when the script won’t even run!? BREATH. There is a solution. (There is always a solution)
Where GAM returns too many records for the third-party-app-report.gs to be able to process via the Google Sheets App script editor I’ve munged together a quick and dirty PHP command line script to produce a similar report.