Troubleshooting

Resolve Google Workspace “admin policy enforced” errors

Allow the current Elba OAuth application in Google Admin Console when Workspace policy blocks authorization.

Reviewed Jul 12, 2026 · Product

Google returns 400: admin_policy_enforced when a Workspace policy blocks the OAuth application used during authorization.

Super Admin required

Complete these steps while signed in to the Google Workspace tenant you are connecting, using a Super Admin account.

Allow the Elba application

  1. In Elba, return to the Google Workspace connection step and copy the client ID currently displayed for your workspace.
  2. Open Google Admin Console → API controls → Manage third-party app access.
  3. Select Configure new app, then choose the option to identify an OAuth app by name or client ID.
  4. Search for the exact client ID copied from Elba and select the matching OAuth client.
  5. Configure access for the organizational unit that should be able to authorize Elba. To connect the whole tenant, apply the setting to the whole organization.
  6. Save the configuration.
  7. Return to Elba and retry the Google Workspace authorization as the same Super Admin.

Use the client ID shown in the current Elba connection flow. Client IDs can differ by region or environment, so do not copy one from an old screenshot or document.

If authorization is still blocked

  • Confirm that Google Admin Console and Elba are open for the same Workspace tenant.
  • Confirm that the configured OAuth client exactly matches the client ID shown by Elba.
  • Review whether a child organizational unit overrides the access setting.
  • Complete the domain-wide delegation steps and use the OAuth scopes displayed in Elba. See Connect Google Workspace.

If the error continues, contact [email protected] and include the Google error text and the Elba region you are using. Do not send credentials or access tokens.

On this page