Exempt specific apps from session length policy in Google Workspace2020-11-30T12:49:42+00:00

Project Description

📖 2 mins read
Last year, Google launched an open beta that enabled Cloud Identity admins to configure a session length (a.k.a. “reauth”) for Google Console and Cloud SDK. Now, Google is enhancing session length controls by allowing you to exempt specific applications from the reauth policy.
This will make it easier to roll out this feature in your domain.

Who’s impacted


Why you’d use it

The Google Cloud session control feature applies a session length to Google’s own GCP admin tools, as well as customer-owned and third-party applications that use the cloud-platform scope. When the configured session length expires, the application will require the user to reauthenticate to continue operating, analogous to what would happen if an admin revoked the refresh tokens for that application. The reauthentication requirement can help reduce unauthorized access to sensitive data.
There are some scenarios that make it difficult to roll this out. For example, some applications do not gracefully handle the reauth scenario, causing confusing application crashes or stack traces. Some other applications are deployed for server-to-server use cases with user credentials instead of the recommended service account credential, in which case there is no user to periodically reauthenticate. Customers impacted by these scenarios are unable to roll out session controls to any applications as it will cause these apps to work improperly.
This update allows you to add these apps to a trusted list, temporarily exempting the apps from session length constraints, while implementing session controls for all other GCP admin surfaces.
Exempt specific apps from session length policy in Google Workspace 1

The previous session control settings page in the Admin console 

Exempt specific apps from session length policy in Google Workspace 2
The new session control settings page in the Admin console. Note the new “Exempt trusted apps” checkbox. 

Getting started

  • Admins: This feature will be OFF by default and can be enabled manually using the “Exempt Trusted apps” setting. For more information on how to review the apps currently requiring cloud-platform scopes, and how to add those apps to the Trusted list, visit the Help Center.
  • End users: There is no end user setting for this feature.

Rollout pace


  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as Google Workspace Basic, Business, Education, Enterprise for Education, and Nonprofits, and Cloud Identity customers
Thanks for sharing and spreading the word!
Go to Top