Admin Audit Activity Events - Security Settings

Stay organized with collections Save and categorize content based on your preferences.

This document lists the events and parameters for Security Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin.

Security Settings

Events of this type are returned with type=SECURITY_SETTINGS.

All third party API access blocked

Event details
Event name BLOCK_ALL_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
All third party API Access blocked

All third party API access unblocked

Event details
Event name UNBLOCK_ALL_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
All third party API Access unblocked

Allow 2-Step Verification

Event details
Event name ALLOW_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Allow 2-Step Verification has been set from {OLD_VALUE} to {NEW_VALUE} for {DOMAIN_NAME}

API Access Allowed

Event details
Event name ALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is allowed for {ORG_UNIT_NAME}

API Access Blocked

Event details
Event name DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DISALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is blocked for {ORG_UNIT_NAME}

app access settings collection id change.

Event details
Event name CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
App Access Settings Collection for the org unit {ORG_UNIT_NAME} has changed from {OLD_VALUE} to {NEW_VALUE}

App added to Blocked list

Event details
Event name ADD_TO_BLOCKED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} added to Blocked list for {ORG_UNIT_NAME}

App no longer trusted

Event details
Event name REMOVE_FROM_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} no longer trusted for {ORG_UNIT_NAME}

App removed from Blocked list

Event details
Event name REMOVE_FROM_BLOCKED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} removed from Blocked list for {ORG_UNIT_NAME}

App trusted

Event details
Event name ADD_TO_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} trusted for {ORG_UNIT_NAME}

Block On Device Access

Summary message to display in the audit log when device access for OAuth2 apps is blocked.

Event details
Event name BLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Block on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}

Change 2-Step Verification Enrollment Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification enrollment period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Frequency

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_FREQUENCY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification frequency for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Grace Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification grace period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Start Date

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_START_DATE
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_START_DATE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification start date has been changed from {OLD_VALUE} to {NEW_VALUE}

Change Allowed 2-step Verification Methods

Event details
Event name CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
Parameters
ALLOWED_TWO_STEP_VERIFICATION_METHOD

string

Allowed two-step verification method. Possible values:

  • ANY
    A label that targets any distribution.
  • ONLY_SECURITY_KEY
GROUP_EMAIL

string

The group's primary email address.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification allowed 2-step verification methods for {ORG_UNIT_NAME} changed to {ALLOWED_TWO_STEP_VERIFICATION_METHOD}

Context Aware Access Enablement

Event details
Event name TOGGLE_CAA_ENABLEMENT
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TOGGLE_CAA_ENABLEMENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Context Aware Access has been {NEW_VALUE}.

Context Aware Access Error Message Change

Event details
Event name CHANGE_CAA_ERROR_MESSAGE
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_ERROR_MESSAGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message has been changed to [{NEW_VALUE}]. (OrgUnit Name: {ORG_UNIT_NAME})

Context Aware Access Level App-specific Assignments Change

Event details
Event name CHANGE_CAA_APP_ASSIGNMENTS
Parameters
APPLICATION_NAME

string

The application's name.

CAA_ASSIGNMENTS_NEW

string

CAA assignments new.

CAA_ASSIGNMENTS_OLD

string

CAA assignments old.

CAA_ENFORCEMENT_ENDPOINTS_NEW

string

CAA enforcement endpoints new. Possible values:

  • WEB_APP
    CAA enforcement endpoint type - web app.
  • WEB_APP_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoint type - web app and 1p oauth clients.
CAA_ENFORCEMENT_ENDPOINTS_OLD

string

CAA enforcement endpoints old. Possible values:

  • WEB_APP
    CAA enforcement endpoint type - web app.
  • WEB_APP_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoint type - web app and 1p oauth clients.
GROUP_NAME

string

Group Name.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_APP_ASSIGNMENTS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Access Level assignments have been changed from [{CAA_ASSIGNMENTS_OLD}] enforced by [{CAA_ENFORCEMENT_ENDPOINTS_OLD}] to [{CAA_ASSIGNMENTS_NEW}] enforced by [{CAA_ENFORCEMENT_ENDPOINTS_NEW}].

Domain Owned Apps not trusted

Event details
Event name UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNTRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps removed from trusted list

Domain Owned Apps trusted

Event details
Event name TRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps added to trusted list

Enable Non-Admin User Password Recovery

Event details
Event name ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Enable non-admin user password recovery setting in {ORG_UNIT_NAME} organization changed from {OLD_VALUE} to {NEW_VALUE}

Enforce 2-Step Verification

Event details
Event name ENFORCE_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENFORCE_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{SETTING_NAME} in security settings for your organization changed from {OLD_VALUE} to {NEW_VALUE}

Error message for restricted OAuth2 apps updated

Summary message to display in the audit log for Oauth2 scope management settings.

Event details
Event name UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message for restricted OAuth2 apps for your organization updated from {OLD_VALUE} to {NEW_VALUE}

Less Secure Apps Access setting changed

Event details
Event name WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Setting changed for {ORG_UNIT_NAME} organization unit from {OLD_VALUE} to {NEW_VALUE}

Session Control Settings Change

Event name for change in session control settings.

Event details
Event name SESSION_CONTROL_SETTINGS_CHANGE
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

REAUTH_APPLICATION

string

Application for with reauthentication settings apply. Possible values:

  • ADMIN_CONSOLE
    Google admin console.
  • CLOUD_ADMIN_TOOLS
    Google cloud admin tools.
REAUTH_SETTING_NEW

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
REAUTH_SETTING_OLD

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SESSION_CONTROL_SETTINGS_CHANGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session Control Settings updated for {REAUTH_APPLICATION} from {REAUTH_SETTING_OLD} to {REAUTH_SETTING_NEW}. (OrgUnit Name: {ORG_UNIT_NAME})

Session length changed

Event details
Event name CHANGE_SESSION_LENGTH
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_SESSION_LENGTH&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session length has been changed from {OLD_VALUE} to {NEW_VALUE}

Unblock on Device Access

Summary message to display in the audit log when device access for OAuth2 apps is unblocked.

Event details
Event name UNBLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Unblock on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}