How to Fix 400 admin_policy_enforced in Google Workspace?
The error “400 admin_policy_enforced” appears when a Google Workspace administrator has intentionally blocked or restricted access to certain third-party apps or data, preventing users from signing in or sharing information. This is not a malfunction but a deliberate security measure reflecting the organization’s configured policies.
It can disrupt workflows and cause productivity issues, especially when critical business tools are affected. This error most commonly occurs when trying to connect apps like Slack, Zoom, or Asana, leading to authorization failures and denied access.
There are several common causes of this error, such as:
- Administrative restrictions – Apps or features blocked by the Workspace admin.
- Untrusted third-party apps – Tools not approved for use within your organization.
- Strict data-sharing rules – Policies limiting how data can be accessed or shared.
- Disabled API access – Preventing apps from connecting for users in restricted groups.
- Advanced Protection enrollment – Accounts in this program or flagged as suspicious may face stricter access controls.
- Additional factors – Missing multi-factor authentication (MFA), blocked URLs, non-super admin authorization attempts, license limitations, or username conflicts.
Now, let’s move on to the solutions that can help you fix this problem.
1. Whitelist the Blocked App in Google Admin
In most cases, this error occurs because the app you are trying to use is not whitelisted in your organization’s API controls. Adjusting the access settings for this app usually resolves the issue.
- Log in to the Google Admin console as a super admin.
- Navigate to Security > Access and Data Control > API Controls.
- Click Manage Third-Party App Access.
- Locate the blocked app in the list. If it is not visible, use the “Add App” option to search by OAuth Client ID.
- Select the app and change its status to Trusted.
- Click Save.
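By explicitly trusting the app, you override the default block that caused the 400 admin_policy_enforced error. Before changing the status, confirm that the OAuth Client ID is the one the vendor publishes, since the setting is applied to that client ID rather than to the app's display name.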
2. Use a Service Account with Domain-Wide Delegation
If the issue affects automation or integrations (such as scripts or backend services), a service account with domain-wide delegation can bypass user-level OAuth consent while remaining fully compliant with organizational policies: an administrator authorizes the account and its scopes in the Admin console instead of each user approving a consent screen.
This account operates under a centrally managed identity, so apps get policy-compliant API access without triggering sign-in restrictions.
- Log in to the Google Cloud Console as an admin.
- Select an existing project or create a new one.
- Enable the required APIs under APIs & Services > Enabled APIs & Services (e.g., Admin SDK, Gmail API, Calendar API, Drive API).
- Go to IAM & Admin > Service Accounts and create a new service account.
- Enable Domain-wide Delegation for the account and generate a JSON key.
- Copy the service account’s Unique ID.
- In the Admin Console, navigate to Security > Access and Data Control > API Controls > Manage Domain-Wide Delegation and add a new client using the copied ID.
- Assign the required OAuth Scopes and click Authorize.
Warning: Only grant the minimum scopes required for your use case and store the JSON key securely. Compromised service accounts can expose sensitive data.
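The check below is an added example, not part of the original article or of any Google tooling: before authorizing the client, it reads the downloaded JSON key, returns the Unique ID (the key's client_id field) and the comma-separated scope string to enter under Manage Domain-Wide Delegation, and flags an over-permissive key file or broad scopes. The function names, the BROAD_SCOPES table (a small, non-exhaustive selection) and the sample key values are assumptions constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Assumed review table: broad scope -> read-only scope to consider first.
BROAD_SCOPES = {
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar": "https://www.googleapis.com/auth/calendar.readonly",
}

def review_delegation(key_path, scopes):
    """Return the values to enter for the delegation client, plus findings."""
    findings = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"key file mode {mode:o} is open to other local users; use 600")
    with open(key_path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("file is not a service account key")
    scopes = list(dict.fromkeys(s.strip() for s in scopes))  # de-duplicate, keep order
    for scope in scopes:
        if scope in BROAD_SCOPES:
            findings.append(f"broad scope {scope}; consider {BROAD_SCOPES[scope]}")
    return {
        "client_id": key.get("client_id"),   # the service account's Unique ID
        "scopes_field": ",".join(scopes),    # Admin console takes a comma-delimited list
        "findings": findings,
    }

def demo():
    # Constructed sample key: placeholder values only, no real private key.
    sample = {"type": "service_account", "client_id": "100000000000000000001",
              "client_email": "sync-bot@example-project.iam.gserviceaccount.com",
              "private_key": "PLACEHOLDER"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return review_delegation(path, ["https://mail.google.com/",
                                        "https://www.googleapis.com/auth/calendar.readonly"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```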
3. Disable IMAP/POP Access
If legacy email clients are attempting unauthorized connections, this can also trigger the error. Disabling IMAP/POP ensures that only approved methods (like the Gmail web app or authorized OAuth clients) can connect to your account.
- Log in to Google Admin as an admin.
- Navigate to Apps > Google Workspace > Gmail.
- Expand End User Access and click the pencil icon next to POP/IMAP settings.
- Uncheck POP Access and IMAP Access.
- Click Save.
Important: Notify users before applying this change. It will disable access for email clients like Outlook and Thunderbird that rely on IMAP/POP.
4. Contact Google Workspace Support
If none of the above solutions work, contact Google Workspace Support. Provide them with:
- The full error message and timestamp
- OAuth client ID or app name
- Any recent changes to security or API controls
They can review your organization’s policies and help apply the correct adjustments.