Admin Audit Activity Events - Security Settings

This document lists the events and parameters for Security Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin.

Security Settings

Events of this type are returned with type=SECURITY_SETTINGS.

(Context-aware access) Access level assignment changed for an app

Event details
Event name CHANGE_CAA_APP_ASSIGNMENTS
Parameters
APPLICATION_NAME

string

The application's name.

CAA_ASSIGNMENTS_NEW

string

CAA assignments new.

CAA_ASSIGNMENTS_OLD

string

CAA assignments old.

CAA_ENFORCEMENT_ENDPOINTS_NEW

string

CAA enforcement endpoints new. Possible values:

  • CAA_WEB_VERSION
    CAA enforcement endpoints value type - web version.
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoints value type - web version and 1p oauth clients.
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS
    CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (without exemptions).
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS_WITH_EXEMPTION
    CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (with exemptions).
  • CAA_WEB_VERSION_AND_APIS
    CAA enforcement endpoints value type - web version and APIs (without exemptions).
  • CAA_WEB_VERSION_AND_APIS_WITH_EXEMPTION
    CAA enforcement endpoints value type - web version and APIs (with exemptions).
  • WEB_APP
    CAA enforcement endpoint type - web app.
  • WEB_APP_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoint type - web app and 1p oauth clients.
CAA_ENFORCEMENT_ENDPOINTS_OLD

string

CAA enforcement endpoints old. Possible values:

  • CAA_WEB_VERSION
    CAA enforcement endpoints value type - web version.
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoints value type - web version and 1p oauth clients.
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS
    CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (without exemptions).
  • CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS_AND_APIS_WITH_EXEMPTION
    CAA enforcement endpoints value type - web version and 1p oauth clients and APIs (with exemptions).
  • CAA_WEB_VERSION_AND_APIS
    CAA enforcement endpoints value type - web version and APIs (without exemptions).
  • CAA_WEB_VERSION_AND_APIS_WITH_EXEMPTION
    CAA enforcement endpoints value type - web version and APIs (with exemptions).
  • WEB_APP
    CAA enforcement endpoint type - web app.
  • WEB_APP_AND_1P_OAUTH_CLIENTS
    CAA enforcement endpoint type - web app and 1p oauth clients.
GROUP_NAME

string

Group Name.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

TARGET_ENTITY_NAME

string

CAA Target Entity name.

TARGET_ENTITY_TYPE

string

CAA Target Entity type. Possible values:

  • GROUP
    A distribution entity label for a Google group.
  • ORG_UNIT
    A distribution entity label for an organizational unit.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_APP_ASSIGNMENTS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
For {TARGET_ENTITY_TYPE} [{TARGET_ENTITY_NAME}]:Before:Access level [{CAA_ASSIGNMENTS_OLD}] applied to [{CAA_ENFORCEMENT_ENDPOINTS_OLD}] of [{APPLICATION_NAME}].After:Access level [{CAA_ASSIGNMENTS_NEW}] applied to [{CAA_ENFORCEMENT_ENDPOINTS_NEW}] of [{APPLICATION_NAME}].

All access to unconfigured third-party apps blocked for users under 18

All third party API access blocked for users under 18.

Event details
Event name UNDERAGE_BLOCK_ALL_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_BLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
All access to unconfigured third-party apps blocked for users under 18 for {ORG_UNIT_NAME}

All third party API access blocked

Event details
Event name BLOCK_ALL_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
All third party API Access blocked

All third party API access unblocked

Event details
Event name UNBLOCK_ALL_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ALL_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
All third party API Access unblocked

Allow 2-Step Verification

Event details
Event name ALLOW_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Allow 2-Step Verification has been set from {OLD_VALUE} to {NEW_VALUE} for {DOMAIN_NAME}

Allow Google Sign-in only access to unconfigured third-party apps for users under 18

Allow Google Sign-in only third party API access for users under 18.

Event details
Event name UNDERAGE_SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNDERAGE_SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Allow Google Sign-in only access to unconfigured third-party apps for users under 18 for {ORG_UNIT_NAME}

Allow Google Sign-in only third party API access

Event details
Event name SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Allow Google Sign-in only third party API access

API Access Allowed

Event details
Event name ALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is allowed for {ORG_UNIT_NAME}

API Access Blocked

Event details
Event name DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DISALLOW_SERVICE_FOR_OAUTH2_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_SERVICE_NAME} API Access is blocked for {ORG_UNIT_NAME}

app access settings collection id change.

Event details
Event name CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
Parameters
DOMAIN_NAME

string

The primary domain name.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
App Access Settings Collection for the org unit {ORG_UNIT_NAME} has changed from {OLD_VALUE} to {NEW_VALUE}

App added to Blocked list

Event details
Event name ADD_TO_BLOCKED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} added to Blocked list for {ORG_UNIT_NAME}

App added to Limited list

Event details
Event name ADD_TO_LIMITED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} added to Limited list for {ORG_UNIT_NAME}

App no longer trusted

Event details
Event name REMOVE_FROM_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} no longer trusted for {ORG_UNIT_NAME}

App removed from Blocked list

Event details
Event name REMOVE_FROM_BLOCKED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} removed from Blocked list for {ORG_UNIT_NAME}

App removed from Limited list

Event details
Event name REMOVE_FROM_LIMITED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_FROM_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} removed from Limited list for {ORG_UNIT_NAME}

App trusted

Event details
Event name ADD_TO_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_APP_ID

string

OAuth2 application ID.

OAUTH2_APP_NAME

string

Name of service.

OAUTH2_APP_TYPE

string

OAuth2 application type. Possible values:

  • ANDROID
  • CHROME_EXTENSION
  • IOS
  • OAUTH2_CLIENT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_APP_NAME} trusted for {ORG_UNIT_NAME}

Apps added to Blocked list

Event details
Event name MULTIPLE_ADD_TO_BLOCKED_OAUTH2_APPS
Parameters
OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_BLOCKED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_NUM_APPS} apps added to Blocked list for {ORG_UNIT_NAME}

Apps added to Limited list

Event details
Event name MULTIPLE_ADD_TO_LIMITED_OAUTH2_APPS
Parameters
OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_LIMITED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_NUM_APPS} apps added to Limited list for {ORG_UNIT_NAME}

Apps added to Trusted list

Event details
Event name MULTIPLE_ADD_TO_TRUSTED_OAUTH2_APPS
Parameters
OAUTH2_NUM_APPS

integer

Number of OAuth2 apps.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MULTIPLE_ADD_TO_TRUSTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{OAUTH2_NUM_APPS} apps added to Trusted list for {ORG_UNIT_NAME}

Apps lists bulk upload

Event details
Event name OAUTH_APPS_BULK_UPLOAD
Parameters
BULK_UPLOAD_SUCCESS_OAUTH_APPS_NUMBER

string

Bulk upload successful oauth app number.

BULK_UPLOAD_TOTAL_OAUTH_APPS_NUMBER

string

Bulk upload total oauth app number.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=OAUTH_APPS_BULK_UPLOAD&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{BULK_UPLOAD_SUCCESS_OAUTH_APPS_NUMBER} of {BULK_UPLOAD_TOTAL_OAUTH_APPS_NUMBER} rows successfully uploaded

Apps lists bulk upload notification

Event details
Event name OAUTH_APPS_BULK_UPLOAD_NOTIFICATION_SENT
Parameters
USER_EMAIL

string

The user's primary email address.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=OAUTH_APPS_BULK_UPLOAD_NOTIFICATION_SENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Notification of bulk upload for apps list sent to {USER_EMAIL}

Block On Device Access

Summary message to display in the audit log when device access for OAuth2 apps is blocked.

Event details
Event name BLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=BLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Block on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}

Change 2-Step Verification Enrollment Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification enrollment period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Frequency

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_FREQUENCY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification frequency for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Grace Period Duration

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification grace period duration for {ORG_UNIT_NAME} changed from {OLD_VALUE} to {NEW_VALUE}

Change 2-Step Verification Start Date

Event details
Event name CHANGE_TWO_STEP_VERIFICATION_START_DATE
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_TWO_STEP_VERIFICATION_START_DATE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification start date has been changed from {OLD_VALUE} to {NEW_VALUE}

Change Allowed 2-step Verification Methods

Event details
Event name CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
Parameters
ALLOWED_TWO_STEP_VERIFICATION_METHOD

string

Allowed two-step verification method. Possible values:

  • ANY
    A label that targets any distribution.
  • ONLY_SECURITY_KEY
GROUP_EMAIL

string

The group's primary email address.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
2-step verification allowed 2-step verification methods for {ORG_UNIT_NAME} changed to {ALLOWED_TWO_STEP_VERIFICATION_METHOD}

Context Aware Access Enablement

Event details
Event name TOGGLE_CAA_ENABLEMENT
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TOGGLE_CAA_ENABLEMENT&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Context Aware Access has been {NEW_VALUE}.

Context Aware Access Error Message Change

Event details
Event name CHANGE_CAA_ERROR_MESSAGE
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_CAA_ERROR_MESSAGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message has been changed to [{NEW_VALUE}]. (OrgUnit Name: {ORG_UNIT_NAME})

Domain Owned Apps not trusted

Event details
Event name UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNTRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps removed from trusted list

Domain Owned Apps trusted

Event details
Event name TRUST_DOMAIN_OWNED_OAUTH2_APPS
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=TRUST_DOMAIN_OWNED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Domain Owned Apps added to trusted list

Enable Non-Admin User Password Recovery

Event details
Event name ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Enable non-admin user password recovery setting in {ORG_UNIT_NAME} organization changed from {OLD_VALUE} to {NEW_VALUE}

Enforce 2-Step Verification

Event details
Event name ENFORCE_STRONG_AUTHENTICATION
Parameters
DOMAIN_NAME

string

The primary domain name.

GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

SETTING_NAME

string

The unique name (ID) of the setting that was changed.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ENFORCE_STRONG_AUTHENTICATION&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{SETTING_NAME} in security settings for your organization changed from {OLD_VALUE} to {NEW_VALUE}

Error message for restricted OAuth2 apps updated

Summary message to display in the audit log for Oauth2 scope management settings.

Event details
Event name UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Error message for restricted OAuth2 apps for your organization updated from {OLD_VALUE} to {NEW_VALUE}

Less Secure Apps Access setting changed

Event details
Event name WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
Parameters
GROUP_EMAIL

string

The group's primary email address.

NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Setting changed for {ORG_UNIT_NAME} organization unit from {OLD_VALUE} to {NEW_VALUE}

Session Control Settings Change

Event name for change in session control settings.

Event details
Event name SESSION_CONTROL_SETTINGS_CHANGE
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

REAUTH_APPLICATION

string

Application for with reauthentication settings apply. Possible values:

  • ADMIN_CONSOLE
    Google admin console.
  • CLOUD_ADMIN_TOOLS
    Google cloud admin tools.
REAUTH_SETTING_NEW

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
REAUTH_SETTING_OLD

string

Old Session control settings. Possible values:

  • INHERIT
    Message to represent setting that inherits from its parent org unit.
  • NEVER
    Message to represent setting that never does reauthentication.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=SESSION_CONTROL_SETTINGS_CHANGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session Control Settings updated for {REAUTH_APPLICATION} from {REAUTH_SETTING_OLD} to {REAUTH_SETTING_NEW}. (OrgUnit Name: {ORG_UNIT_NAME})

Session length changed

Event details
Event name CHANGE_SESSION_LENGTH
Parameters
NEW_VALUE

string

The new SETTING_NAME value that was set during this event.

OLD_VALUE

string

The previous SETTING_NAME value that was replaced during this event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_SESSION_LENGTH&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Session length has been changed from {OLD_VALUE} to {NEW_VALUE}

Unblock on Device Access

Summary message to display in the audit log when device access for OAuth2 apps is unblocked.

Event details
Event name UNBLOCK_ON_DEVICE_ACCESS
Parameters
OAUTH2_SERVICE_NAME

string

OAuth2 service name. Possible values:

  • APPS_SCRIPT
    Apps Script Service name.
  • APPS_SCRIPT_RUNTIME
  • CALENDAR
  • CLASSROOM
    Classroom service.
  • CLOUD_BILLING
  • CLOUD_MACHINE_LEARNING
  • CLOUD_PLATFORM
  • CLOUD_SEARCH
    Cloud search service.
  • CONTACTS
  • DRIVE
  • DRIVE_HIGH_RISK
  • GMAIL
  • GMAIL_HIGH_RISK
  • GROUPS
    Groups service.
  • GSUITE_ADMIN
  • TASKS
    Tasks service.
  • VAULT
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNBLOCK_ON_DEVICE_ACCESS&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Unblock on device {OAUTH2_SERVICE_NAME} access for {ORG_UNIT_NAME}