Admin Audit Activity Events - Security Settings

This document lists the events and parameters for Security Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin.

Security Settings

Events of this type are returned with type=SECURITY_SETTINGS.

(Context-aware access) Access level assignment changed for an app

Event details

Event name CHANGE_CAA_APP_ASSIGNMENTS

Parameters

`APPLICATION_NAME`	`string` The application's name.
`CAA_ACCESS_ASSIGNMENTS_NEW`	`string` CAA access levels new.
`CAA_ACCESS_ASSIGNMENTS_OLD`	`string` CAA access levels old.
`CAA_ACCESS_LEVELS_NEW`	`string` CAA access levels new.
`CAA_ACCESS_LEVELS_OLD`	`string` CAA access levels old.
`CAA_ASSIGNMENTS_NEW`	`string` CAA assignments new.
`CAA_ASSIGNMENTS_OLD`	`string` CAA assignments old.
`CAA_ENFORCEMENT_ENDPOINTS_NEW`	`string` CAA enforcement endpoints new. Possible values: `CAA_WEB_VERSION` CAA enforcement endpoints value type - web version. `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS` CAA enforcement endpoints value type - web version and 1p oauth clients. `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS` CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (without exemptions). `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS_WITH_EXEMPTION` CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (with exemptions). `CAA_WEB_VERSION_AND_APIS` CAA enforcement endpoints value type - web version and APIs (without exemptions). `CAA_WEB_VERSION_AND_APIS_WITH_EXEMPTION` CAA enforcement endpoints value type - web version and APIs (with exemptions). `WEB_APP` CAA enforcement endpoint type - web app. `WEB_APP_AND_1P_OAUTH_CLIENTS` CAA enforcement endpoint type - web app and 1p oauth clients.
`CAA_ENFORCEMENT_ENDPOINTS_OLD`	`string` CAA enforcement endpoints old. Possible values: `CAA_WEB_VERSION` CAA enforcement endpoints value type - web version. `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS` CAA enforcement endpoints value type - web version and 1p oauth clients. `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS` CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (without exemptions). `CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS_WITH_EXEMPTION` CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (with exemptions). `CAA_WEB_VERSION_AND_APIS` CAA enforcement endpoints value type - web version and APIs (without exemptions). `CAA_WEB_VERSION_AND_APIS_WITH_EXEMPTION` CAA enforcement endpoints value type - web version and APIs (with exemptions). `WEB_APP` CAA enforcement endpoint type - web app. `WEB_APP_AND_1P_OAUTH_CLIENTS` CAA enforcement endpoint type - web app and 1p oauth clients.
`GROUP_NAME`	`string` Group Name.
`MODE`	`string` CAA Access Level Assignment mode. Possible values: `ACTIVE` CAA assignment mode - active. `MONITOR` CAA assignment mode - monitor.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).
`TARGET_ENTITY_NAME`	`string` CAA Target Entity name.
`TARGET_ENTITY_TYPE`	`string` CAA Target Entity type. Possible values: `GROUP` A distribution entity label for a Google group. `ORG_UNIT` A distribution entity label for an organizational unit.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_APP_ASSIGNMENTS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

For {TARGET_ENTITY_TYPE} [{TARGET_ENTITY_NAME}]:
 

 
Before:
 
Access level [{CAA_ACCESS_ASSIGNMENTS_OLD}] applied to {CAA_ENFORCEMENT_ENDPOINTS_OLD} of [{APPLICATION_NAME}] in [{MODE}] mode.
 

 
After:
 
Access level [{CAA_ACCESS_ASSIGNMENTS_NEW}] applied to {CAA_ENFORCEMENT_ENDPOINTS_NEW} of [{APPLICATION_NAME}] in [{MODE}] mode.

All access to unconfigured third-party apps blocked for users under 18

All third party API access blocked for users under 18.

Event details

Event name UNDERAGE_BLOCK_ALL_THIRD_PARTY_API_ACCESS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_BLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

All access to unconfigured third-party apps blocked for users under 18 for {ORG_UNIT_NAME}

All third party API access blocked

Event details

Event name BLOCK_ALL_THIRD_PARTY_API_ACCESS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

All third party API Access blocked

All third party API access unblocked

Event details

Event name UNBLOCK_ALL_THIRD_PARTY_API_ACCESS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

All third party API Access unblocked

Allow 2-Step Verification

Event details

Event name ALLOW_STRONG_AUTHENTICATION

Parameters

DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Allow 2-Step Verification has been set from {OLD_VALUE} to {NEW_VALUE} for {DOMAIN_NAME}

Allow Google Sign-in only access to unconfigured third-party apps for users under 18

Allow Google Sign-in only third party API access for users under 18.

Event details

Event name UNDERAGE_SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Allow Google Sign-in only access to unconfigured third-party apps for users under 18 for {ORG_UNIT_NAME}

Allow Google Sign-in only third party API access

Event details

Event name SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Allow Google Sign-in only third party API access

API Access Allowed

Event details

Event name ALLOW_SERVICE_FOR_OAUTH2_ACCESS

Parameters

OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

APPS_SCRIPT
Apps Script Service name.
APPS_SCRIPT_RUNTIME
CALENDAR
CLASSROOM
Classroom service.
CLOUD_BILLING
CLOUD_MACHINE_LEARNING
CLOUD_PLATFORM
CLOUD_SEARCH
Cloud search service.
CONTACTS
DRIVE
DRIVE_HIGH_RISK
GMAIL
GMAIL_HIGH_RISK
GROUPS
Groups service.
GSUITE_ADMIN
TASKS
Tasks service.
VAULT

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_SERVICE_NAME} API Access is allowed for {ORG_UNIT_NAME}

API Access Blocked

Event details

Event name DISALLOW_SERVICE_FOR_OAUTH2_ACCESS

Parameters

OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

APPS_SCRIPT
Apps Script Service name.
APPS_SCRIPT_RUNTIME
CALENDAR
CLASSROOM
Classroom service.
CLOUD_BILLING
CLOUD_MACHINE_LEARNING
CLOUD_PLATFORM
CLOUD_SEARCH
Cloud search service.
CONTACTS
DRIVE
DRIVE_HIGH_RISK
GMAIL
GMAIL_HIGH_RISK
GROUPS
Groups service.
GSUITE_ADMIN
TASKS
Tasks service.
VAULT

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DISALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_SERVICE_NAME} API Access is blocked for {ORG_UNIT_NAME}

app access settings collection id change.

Event details

Event name CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID

Parameters

`DOMAIN_NAME`	`string` The primary domain name.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).
`SETTING_NAME`	`string` The unique name (ID) of the setting that was changed.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

App Access Settings Collection for the org unit {ORG_UNIT_NAME} has changed from {OLD_VALUE} to {NEW_VALUE}

App added to Blocked list

Event details

Event name ADD_TO_BLOCKED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} added to Blocked list for {ORG_UNIT_NAME}

App added to Limited list

Event details

Event name ADD_TO_LIMITED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} added to Limited list for {ORG_UNIT_NAME}

App added to Trusted by OAuth Scope list

Event details

Event name ADD_TO_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} added to trusted by OAuth scope list for {ORG_UNIT_NAME}

App allowlisted for exemption from API access blocks

Event details

Event name ADD_TO_CAA_EXEMPT_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_CAA_EXEMPT_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} allowlisted for exemption from API access blocks for {ORG_UNIT_NAME}

App no longer allowlisted for exemption from API access blocks

Event details

Event name REMOVE_FROM_CAA_EXEMPT_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_CAA_EXEMPT_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} removed from allowlist for exemption from API access blocks for {ORG_UNIT_NAME}

App no longer trusted

Event details

Event name REMOVE_FROM_TRUSTED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} no longer trusted for {ORG_UNIT_NAME}

App removed from Blocked list

Event details

Event name REMOVE_FROM_BLOCKED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} removed from Blocked list for {ORG_UNIT_NAME}

App removed from Limited list

Event details

Event name REMOVE_FROM_LIMITED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} removed from Limited list for {ORG_UNIT_NAME}

App removed from Trusted by OAuth Scope list

Event details

Event name REMOVE_FROM_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} removed from trusted by OAuth scope list for {ORG_UNIT_NAME}

App trusted

Event details

Event name ADD_TO_TRUSTED_OAUTH2_APPS

Parameters

`OAUTH2_APP_ID`	`string` OAuth2 application ID.
`OAUTH2_APP_NAME`	`string` Name of service.
`OAUTH2_APP_TYPE`	`string` OAuth2 application type. Possible values: `ANDROID` `CHROME_EXTENSION` `IOS` `OAUTH2_CLIENT`
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_APP_NAME} trusted for {ORG_UNIT_NAME}

Apps added to Blocked list

Event details

Event name MULTIPLE_ADD_TO_BLOCKED_OAUTH2_APPS

Parameters

OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_NUM_APPS} apps added to Blocked list for {ORG_UNIT_NAME}

Apps added to Limited list

Event details

Event name MULTIPLE_ADD_TO_LIMITED_OAUTH2_APPS

Parameters

OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_NUM_APPS} apps added to Limited list for {ORG_UNIT_NAME}

Apps added to Trusted by OAuth Scope list

Event details

Event name MULTIPLE_ADD_TO_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS

Parameters

OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_TRUSTED_BY_OAUTH_SCOPE_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_NUM_APPS} apps added to Trusted by OAuth Scope list for {ORG_UNIT_NAME}

Apps added to Trusted list

Event details

Event name MULTIPLE_ADD_TO_TRUSTED_OAUTH2_APPS

Parameters

OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{OAUTH2_NUM_APPS} apps added to Trusted list for {ORG_UNIT_NAME}

Apps lists bulk upload

Event details

Event name OAUTH_APPS_BULK_UPLOAD

Parameters

BULK_UPLOAD_SUCCESS_OAUTH_APPS_NUMBER

string

Bulk upload successful oauth app number.

BULK_UPLOAD_TOTAL_OAUTH_APPS_NUMBER

string

Bulk upload total oauth app number.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=OAUTH_APPS_BULK_UPLOAD&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{BULK_UPLOAD_SUCCESS_OAUTH_APPS_NUMBER} of {BULK_UPLOAD_TOTAL_OAUTH_APPS_NUMBER} rows successfully uploaded

Apps lists bulk upload notification

Event details

Event name OAUTH_APPS_BULK_UPLOAD_NOTIFICATION_SENT

Parameters

USER_EMAIL

string

The user's primary email address.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=OAUTH_APPS_BULK_UPLOAD_NOTIFICATION_SENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Notification of bulk upload for apps list sent to {USER_EMAIL}

Block On Device Access

Summary message to display in the audit log when device access for OAuth2 apps is blocked.

Event details

Event name BLOCK_ON_DEVICE_ACCESS

Parameters

OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

APPS_SCRIPT
Apps Script Service name.
APPS_SCRIPT_RUNTIME
CALENDAR
CLASSROOM
Classroom service.
CLOUD_BILLING
CLOUD_MACHINE_LEARNING
CLOUD_PLATFORM
CLOUD_SEARCH
Cloud search service.
CONTACTS
DRIVE
DRIVE_HIGH_RISK
GMAIL
GMAIL_HIGH_RISK
GROUPS
Groups service.
GSUITE_ADMIN
TASKS
Tasks service.
VAULT

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Block on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}

Change 2-Step Verification Enrollment Period Duration

Event details

Event name CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

2-step verification enrollment period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Frequency

Event details

Event name CHANGE_TWO_STEP_VERIFICATION_FREQUENCY

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_FREQUENCY&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

2-step verification frequency for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Grace Period Duration

Event details

Event name CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

2-step verification grace period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Start Date

Event details

Event name CHANGE_TWO_STEP_VERIFICATION_START_DATE

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_START_DATE&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

2-step verification start date has been changed from {OLD_VALUE} to {NEW_VALUE}

Change Allowed 2-step Verification Methods

Event details

Event name CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS

Parameters

ALLOWED_TWO_STEP_VERIFICATION_METHOD

string

Allowed two-step verification method. Possible values:

ANY
A label that targets any distribution.
ONLY_SECURITY_KEY

GROUP_EMAIL

string

The group's primary email address.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

2-step verification allowed 2-step verification methods for {ORG_UNIT_NAME} changed to {ALLOWED_TWO_STEP_VERIFICATION_METHOD}

Context Aware Access Enablement

Event details

Event name TOGGLE_CAA_ENABLEMENT

Parameters

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TOGGLE_CAA_ENABLEMENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Context Aware Access has been {NEW_VALUE}.

Context Aware Access Error Message Change

Event details

Event name CHANGE_CAA_ERROR_MESSAGE

Parameters

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_ERROR_MESSAGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Error message has been changed to [{NEW_VALUE}]. (OrgUnit Name: {ORG_UNIT_NAME})

Context Aware Access Remediation Enablement

Event details

Event name TOGGLE_CAA_REMEDIATION_ENABLEMENT

Parameters

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TOGGLE_CAA_REMEDIATION_ENABLEMENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Context Aware Access Remediation has been {NEW_VALUE}. (OrgUnit Name: {ORG_UNIT_NAME})

Disabled Edu over 18 users apps requests

Event details

Event name EDU_OVER_18_APPROVAL_WORKFLOW_DISABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=EDU_OVER_18_APPROVAL_WORKFLOW_DISABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Disabled Edu over 18 users apps requests for {ORG_UNIT_NAME}

Disabled over 18 users making delegated apps requests

Event details

Event name EDU_DELEGATED_USER_APPROVAL_WORKFLOW_DISABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=EDU_DELEGATED_USER_APPROVAL_WORKFLOW_DISABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Disabled over 18 users making delegated apps requests for {ORG_UNIT_NAME}

Disabled under 18 users apps requests

Event details

Event name UNDERAGE_USER_APPROVAL_WORKFLOW_DISABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_USER_APPROVAL_WORKFLOW_DISABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Disabled under 18 users apps requests for {ORG_UNIT_NAME}

Disabled users over 18 to make apps requests

Event details

Event name USER_APPROVAL_WORKFLOW_DISABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=USER_APPROVAL_WORKFLOW_DISABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Disabled users over 18 to make apps requests for {ORG_UNIT_NAME}

Domain Owned Apps not trusted

Event details

Event name UNTRUST_DOMAIN_OWNED_OAUTH2_APPS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNTRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Domain Owned Apps removed from trusted list

Domain Owned Apps trusted

Event details

Event name TRUST_DOMAIN_OWNED_OAUTH2_APPS

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Domain Owned Apps added to trusted list

Enable Non-Admin User Password Recovery

Event details

Event name ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Enable non-admin user password recovery setting in {ORG_UNIT_NAME} organization changed from {OLD_VALUE} to {NEW_VALUE}

Enabled Edu over 18 users apps requests

Event details

Event name EDU_OVER_18_APPROVAL_WORKFLOW_ENABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=EDU_OVER_18_APPROVAL_WORKFLOW_ENABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Enabled Edu over 18 users apps requests for {ORG_UNIT_NAME}

Enabled over 18 users making delegated apps requests

Event details

Event name EDU_DELEGATED_USER_APPROVAL_WORKFLOW_ENABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=EDU_DELEGATED_USER_APPROVAL_WORKFLOW_ENABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Enabled over 18 users making delegated apps requests for {ORG_UNIT_NAME}

Enabled under 18 users apps requests

Event details

Event name UNDERAGE_USER_APPROVAL_WORKFLOW_ENABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_USER_APPROVAL_WORKFLOW_ENABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Enabled under 18 users apps requests for {ORG_UNIT_NAME}

Enabled users over 18 to make apps requests

Event details

Event name USER_APPROVAL_WORKFLOW_ENABLED

Parameters

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=USER_APPROVAL_WORKFLOW_ENABLED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Enabled users over 18 to make apps requests for {ORG_UNIT_NAME}

Enforce 2-Step Verification

Event details

Event name ENFORCE_STRONG_AUTHENTICATION

Parameters

`DOMAIN_NAME`	`string` The primary domain name.
`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).
`SETTING_NAME`	`string` The unique name (ID) of the setting that was changed.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENFORCE_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

{SETTING_NAME} in security settings for your organization changed from {OLD_VALUE} to {NEW_VALUE}

Error message for restricted OAuth2 apps updated

Summary message to display in the audit log for Oauth2 scope management settings.

Event details

Event name UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS

Parameters

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Error message for restricted OAuth2 apps for your organization updated from {OLD_VALUE} to {NEW_VALUE}

Less Secure Apps Access setting changed

Event details

Event name WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED

Parameters

`GROUP_EMAIL`	`string` The group's primary email address.
`NEW_VALUE`	`string` The new `SETTING_NAME` value that was set during this event.
`OLD_VALUE`	`string` The previous `SETTING_NAME` value that was replaced during this event.
`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Setting changed for {ORG_UNIT_NAME} organization unit from {OLD_VALUE} to {NEW_VALUE}

Session Control Settings Change

Event name for change in session control settings.

Event details

Event name SESSION_CONTROL_SETTINGS_CHANGE

Parameters

`ORG_UNIT_NAME`	`string` The organizational unit (OU) name (path).
`REAUTH_APPLICATION`	`string` Application for with reauthentication settings apply. Possible values: `ADMIN_CONSOLE` Google admin console. `CLOUD_ADMIN_TOOLS` Google cloud admin tools.
`REAUTH_SETTING_NEW`	`string` Old Session control settings. Possible values: `INHERIT` Message to represent setting that inherits from its parent org unit. `NEVER` Message to represent setting that never does reauthentication.
`REAUTH_SETTING_OLD`	`string` Old Session control settings. Possible values: `INHERIT` Message to represent setting that inherits from its parent org unit. `NEVER` Message to represent setting that never does reauthentication.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SESSION_CONTROL_SETTINGS_CHANGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Session Control Settings updated for {REAUTH_APPLICATION} from {REAUTH_SETTING_OLD} to {REAUTH_SETTING_NEW}. (OrgUnit Name: {ORG_UNIT_NAME})

Session length changed

Event details

Event name CHANGE_SESSION_LENGTH

Parameters

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_SESSION_LENGTH&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Session length has been changed from {OLD_VALUE} to {NEW_VALUE}

Unblock on Device Access

Summary message to display in the audit log when device access for OAuth2 apps is unblocked.

Event details

Event name UNBLOCK_ON_DEVICE_ACCESS

Parameters

OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

APPS_SCRIPT
Apps Script Service name.
APPS_SCRIPT_RUNTIME
CALENDAR
CLASSROOM
Classroom service.
CLOUD_BILLING
CLOUD_MACHINE_LEARNING
CLOUD_PLATFORM
CLOUD_SEARCH
Cloud search service.
CONTACTS
DRIVE
DRIVE_HIGH_RISK
GMAIL
GMAIL_HIGH_RISK
GROUPS
Groups service.
GSUITE_ADMIN
TASKS
Tasks service.
VAULT

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Unblock on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}

Users requesting access list download

Event details

Event name DOWNLOAD_PENDING_APP_USER_REQUESTS

Parameters

OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DOWNLOAD_PENDING_APP_USER_REQUESTS&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Downloaded list of users requesting access to {OAUTH2_APP_NAME}