How to Fix 400 admin_policy_enforced in Google Workspace?

The error “400 admin_policy_enforced” appears when a Google Workspace administrator has intentionally blocked or restricted access to certain third-party apps or data, preventing users from signing in or sharing information. This is not a malfunction but a deliberate security measure reflecting the organization’s configured policies.

It can disrupt workflows and cause productivity issues, especially when critical business tools are affected. This error most commonly occurs when trying to connect apps like Slack, Zoom, or Asana, leading to authorization failures and denied access.

There are several common causes of this error, such as:

  • Administrative restrictions – Apps or features blocked by the Workspace admin.
  • Untrusted third-party apps – Tools not approved for use within your organization.
  • Strict data-sharing rules – Policies limiting how data can be accessed or shared.
  • Disabled API access – API access turned off for users in restricted groups, which prevents apps from connecting.
  • Advanced Protection enrollment – Accounts in this program or flagged as suspicious may face stricter access controls.
  • Additional factors – Missing multi-factor authentication (MFA), blocked URLs, non-super admin authorization attempts, license limitations, or username conflicts.

Now, let’s move on to the solutions that can help you fix this problem.

1. Whitelist the Blocked App in Google Admin

In most cases, this error occurs because the app you are trying to use is not whitelisted in your organization’s API controls. Adjusting the access settings for this app usually resolves the issue.

  1. Log in to the Google Admin console as a super admin.
  2. Navigate to Security > Access and Data Control > API Controls.
  3. Click Manage Third-Party App Access.
  4. Locate the blocked app in the list. If it is not visible, use the “Add App” option to search by OAuth Client ID.
  5. Select the app and change its status to Trusted.
  6. Click Save.

By explicitly trusting the app, you override the default block that caused the 400 admin_policy_enforced error.
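
Before marking an app Trusted, it helps to confirm which OAuth client ID it uses and which scopes it requests. The following is an added example, not part of the original article: it parses the authorization request URL the app sent to Google (copied from the browser address bar or the app's logs) and flags broad scopes. The sample URL, the placeholder client ID and the short BROAD_SCOPES list are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Broad scopes mapped to a narrower read-only scope for the same API.
# Partial list chosen for this example; extend it for the APIs you use.
BROAD_SCOPES = {
    "https://mail.google.com/":
        "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive":
        "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar":
        "https://www.googleapis.com/auth/calendar.readonly",
}


def summarize_auth_request(url):
    """Extract the OAuth client ID and requested scopes from an
    authorization request URL, and flag broad scopes for review."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "accounts.google.com":
        raise ValueError("not a Google authorization request URL")
    query = parse_qs(parts.query)
    client_ids = query.get("client_id", [])
    if len(client_ids) != 1:
        raise ValueError("expected exactly one client_id parameter")
    # Scopes are space-delimited; parse_qs has already decoded '+' and %20.
    scopes = []
    for value in query.get("scope", []):
        for scope in value.split():
            if scope not in scopes:
                scopes.append(scope)
    review = {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES}
    return {"client_id": client_ids[0], "scopes": scopes, "review": review}


# Constructed sample; the client ID is a placeholder, not a real app.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

if __name__ == "__main__":
    info = summarize_auth_request(SAMPLE_URL)
    print("OAuth client ID:", info["client_id"])
    for scope in info["scopes"]:
        hint = info["review"].get(scope)
        print("  scope:", scope, f"(broad; narrower: {hint})" if hint else "")
```

The client ID it prints is the value to search for under “Add App”, and the same value to include in a support request.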

2. Use a Service Account with Domain-Wide Delegation

If the issue affects automation or integrations (such as scripts or backend services), a service account with domain-wide delegation can bypass user-level OAuth consent while remaining fully compliant with organizational policies, because an admin authorizes its access centrally.

This account operates under a centrally managed identity, ensuring secure, policy-compliant API access for apps without triggering sign-in restrictions.

  1. Log in to the Google Cloud Console as an admin.
  2. Select an existing project or create a new one.
  3. Enable the required APIs under APIs & Services > Enabled APIs & Services (e.g., Admin SDK, Gmail API, Calendar API, Drive API).
  4. Go to IAM & Admin > Service Accounts and create a new service account.
  5. Enable Domain-wide Delegation for the account and generate a JSON key.
  6. Copy the service account’s Unique ID.
  7. In the Google Admin console, navigate to Security > Access and Data Control > API Controls > Manage Domain-Wide Delegation and add a new client using the copied ID.
  8. Assign the required OAuth Scopes and click Authorize.

Warning: Only grant the minimum scopes required for your use case and store the JSON key securely. Compromised service accounts can expose sensitive data.

3. Disable IMAP/POP Access

If legacy email clients are attempting unauthorized connections, this can also trigger the error. Disabling IMAP/POP ensures that only approved methods (like the Gmail web app or authorized OAuth clients) can connect to your account.

  1. Log in to Google Admin as an admin.
  2. Navigate to Apps > Google Workspace > Gmail.
  3. Expand End User Access and click the pencil icon next to POP/IMAP settings.
  4. Uncheck POP Access and IMAP Access.
  5. Click Save.

Important: Notify users before applying this change. It will disable access for email clients like Outlook and Thunderbird that rely on IMAP/POP.

4. Contact Google Workspace Support

If none of the above solutions work, contact Google Workspace Support. Provide them with:

  • The full error message and timestamp
  • OAuth client ID or app name
  • Any recent changes to security or API controls

They can review your organization’s policies and help apply the correct adjustments.

ABOUT THE AUTHOR

Hamza Mohammad Anwar

