GAM LSA Apps list

[Alexander Grutza]

We're looking at disabling LSA for our Google domain.

Are there any commands that I can run to show what user uses LSA, and what application is using LSA? There was a report within the Google Admin dashboard that just provided "LSA enabled/disabled" which isn't really helpful for our purposes. We want to know what will break when we turn it off, and who will be affected (in case we have to separate those users so they keep LSA enabled)

In the Google Admin dashboard, we have identified a user who may be a good candidate to run these commands against because they have a lot of connected apps

Under: john doe/Security/Connected Applications, there is a list of 52 apps connected to this user

Under: john doe/Apps/Other Cloud apps, there are five "other cloud apps"

[Jay Lee]

You can get a list of users who have enabled LSA with:

gam report users fulldatarequired accounts:is_less_secure_apps_access_allowed

In terms of what app they are using LSA with, that's a chicken/egg problem. LSA apps do not identify themselves to Google servers, they only need to say here's a username and password, now give me ALL THE DATA. The OAuth protocol was specifically designed to require the apps themselves to prove who they are to the Google servers allowing admins to make more granular policy decisions. Instead of saying "yes, we'll allow IMAP access". Admins can say things like "yes, we'll allow IMAP access for iOS mail clients but nothing else".

That's one of the specific reasons LSA is being deprecated.

Jay Lee

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/d37a26f3-24a8-4309-9f52-6933971d344an%40googlegroups.com.