Google is introducing introducing a feature that allows admins to restrict which URLs Apps Scripts and Sheets can source external content from. Admins can monitor accessed URLs using new logs added to the audit and investigation page and create an allowlist to control which URLs are enabled or disabled. Users in the organization will only be able to use allowlisted URLs for their Apps Scripts and Sheets IMPORT functions, aligning with a Zero Trust security posture.

Who’s Impacted

• Admins
• End Users

Why It’s Important

Data exfiltration is a significant security concern, especially with Apps Scripts and Sheets accessing external data. This update provides admins with more granular control over URLs accessed by users.

Getting Started

• Admins:
  • Logs: Found under Reporting > Audit and investigation > Drive Log Events OR Security > Security Center > Investigation Tool.
  • URL Allowlist: Found in the Admin console under Apps > Google Workspace > Drive and Docs > Features and Applications > Importing and fetching from URLs.
  • If no allowlist is established, no URLs will be restricted.
  • Visit the Help Center to learn more about Drive log events.
• End Users: No end user setting for this feature.

Rollout Pace

• Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on July 31, 2024.
• Available for Google Workspace:
• Business Plus
• Enterprise Standard, Plus
• Enterprise Essentials Plus
• Education Standard, Plus