Admin Audit Activity Events - Security Settings

This document lists the events and parameters for Security Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin.

Security Settings

Events of this type are returned with type=SECURITY_SETTINGS.

Allow 2-Step Verification

Event details
Event name ALLOW_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Allow 2-Step Verification has been set from {OLD_VALUE} to {NEW_VALUE} for {DOMAIN_NAME}

API Access Allowed

Event details
Event name ALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GSUITE_ADMIN
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is allowed for {ORG_UNIT_NAME}

API Access Blocked

Event details
Event name DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GSUITE_ADMIN
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DISALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is blocked for {ORG_UNIT_NAME}

app access settings collection id change.

Event details
Event name CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
App Access Settings Collection for the org unit {ORG_UNIT_NAME} has changed from {OLD_VALUE} to {NEW_VALUE}

App added to Trusted whitelist

Event details
Event name ADD_TO_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} added to Trusted whitelist for {ORG_UNIT_NAME}

App removed from Trusted whitelist

Event details
Event name REMOVE_FROM_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} removed from Trusted whitelist for {ORG_UNIT_NAME}

Block On Device Access

Summary message to display in the audit log of G Suite for the event when device access for OAuth2 apps is unblocked.

Event details
Event name BLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GSUITE_ADMIN
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Block on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}

Change 2-Step Verification Enrollment Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification enrollment period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Frequency

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_FREQUENCY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification frequency for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Grace Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification grace period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Start Date

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_START_DATE
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_START_DATE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification start date has been changed from {OLD_VALUE} to {NEW_VALUE}

Change Allowed 2-step Verification Methods

Event details
Event name CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
Parameters
ALLOWED_TWO_STEP_VERIFICATION_METHOD

string

Allowed two-step verification method. Possible values:

  • ANY
    A label that targets any distribution.
  • ONLY_SECURITY_KEY
GROUP_EMAIL

string

The group's primary email address.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification allowed 2-step verification methods for {ORG_UNIT_NAME} changed to {ALLOWED_TWO_STEP_VERIFICATION_METHOD}

Context Aware Access Enablement

Event details
Event name TOGGLE_CAA_ENABLEMENT
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TOGGLE_CAA_ENABLEMENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Context Aware Access has been {NEW_VALUE}.

Context Aware Access Error Message Change

Event details
Event name CHANGE_CAA_ERROR_MESSAGE
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_ERROR_MESSAGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message has been changed to [{NEW_VALUE}]. (OrgUnit Name: {ORG_UNIT_NAME})

Context Aware Access Level App-specific Assignments Change

Event details
Event name CHANGE_CAA_APP_ASSIGNMENTS
Parameters
APPLICATION_NAME

string

The application's name.

CAA_ASSIGNMENTS_NEW

string

CAA assignments new.

CAA_ASSIGNMENTS_OLD

string

CAA assignments old.

GROUP_NAME

string

Group Name.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_APP_ASSIGNMENTS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Access Level assignments have been changed from [{CAA_ASSIGNMENTS_OLD}] to [{CAA_ASSIGNMENTS_NEW}].

Domain Owned Apps not trusted

Event details
Event name UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNTRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps removed from trusted list

Domain Owned Apps trusted

Event details
Event name TRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps added to trusted list

Enable Non-Admin User Password Recovery

Event details
Event name ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Enable non-admin user password recovery setting in {ORG_UNIT_NAME} organization changed from {OLD_VALUE} to {NEW_VALUE}

Enforce 2-Step Verification

Event details
Event name ENFORCE_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENFORCE_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{SETTING_NAME} in security settings for your organization changed from {OLD_VALUE} to {NEW_VALUE}

Error message for restricted OAuth2 apps updated

Summary message to audit log in G Suite for Oauth2 scope management settings.

Event details
Event name UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message for restricted OAuth2 apps for your organization updated from {OLD_VALUE} to {NEW_VALUE}

Less Secure Apps Access setting changed

Event details
Event name WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Setting changed for {ORG_UNIT_NAME} organization unit from {OLD_VALUE} to {NEW_VALUE}

Session Control Settings Change

Event name for change in session control settings.

Event details
Event name SESSION_CONTROL_SETTINGS_CHANGE
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

REAUTH_APPLICATION

string

Application for with reauthentication settings apply. Possible values:

  • ADMIN_CONSOLE
    Google admin console.
  • CLOUD_ADMIN_TOOLS
    Google cloud admin tools.
REAUTH_SETTING_NEW

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
REAUTH_SETTING_OLD

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SESSION_CONTROL_SETTINGS_CHANGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session Control Settings updated for {REAUTH_APPLICATION} from {REAUTH_SETTING_OLD} to {REAUTH_SETTING_NEW}. (OrgUnit Name: {ORG_UNIT_NAME})

Session length changed

Event details
Event name CHANGE_SESSION_LENGTH
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_SESSION_LENGTH&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session length has been changed from {OLD_VALUE} to {NEW_VALUE}

Unblock on Device Access

Summary message to display in the audit log of G Suite for the event when device access for OAuth2 apps is unblocked.

Event details
Event name UNBLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GSUITE_ADMIN
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Unblock on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}