Using organization policies to control IAP enablement
This page describes the organization policies that you can set to control the
enablement of IAP protection for global and regional
applications.
Overview
IAP is a global service, and any IAP configuration is replicated globally. If you have strict
regional data residency requirements, you might therefore need to ensure that IAP cannot be
enabled for applications across your whole organization, or within specific folders or projects.
You control IAP enablement by setting organization policy constraints.
IAP organization policies
The following organization policies restrict IAP enablement
for global and regional applications:
Global: iap.requireGlobalIapWebDisabled
Regional: iap.requireRegionalIapWebDisabled
You can use these organization policies to prevent admins from enabling IAP on the
following services:
Compute Engine backend services, API reference: backendServices/regionBackendServices insert, update, and patch operations
App Engine applications, API reference: Applications.updateApplication
Enabling one or both of the policy constraints prevents IAP from being enabled in the
future on global or regional applications, respectively. Setting the constraints does
not automatically disable IAP protection that is already in place for existing Compute
Engine backend services or App Engine applications. For applications on which IAP is
already enabled, you must bring them into compliance with the newly set policies
yourself, without weakening your security posture in the process.
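Because the constraints only block future enablement, a practitioner needs two things: the policy document to enforce, and an inventory of backend services where IAP is already on. The following is an added example, not code from the Google Cloud documentation; it assumes the resource shape returned by `gcloud compute backend-services list --format=json` (an optional `iap` block with an `enabled` field, and a `region` field on regional services), and the inventory it audits is constructed sample data.

```python
"""Build Organization Policy v2 bodies for the two IAP constraints and audit
backend services that already have IAP enabled (added example; assumptions
about the backend-service JSON shape are noted above)."""
import json

IAP_CONSTRAINTS = {
    "global": "iap.requireGlobalIapWebDisabled",
    "regional": "iap.requireRegionalIapWebDisabled",
}


def org_policy_body(resource: str, scope: str) -> dict:
    """Return the policy body that enforces the boolean constraint for `scope`
    ('global' or 'regional') on `resource`, e.g. 'organizations/123' or
    'folders/456'. Written out as YAML, this is the file handed to
    `gcloud org-policies set-policy`."""
    constraint = IAP_CONSTRAINTS[scope]
    return {
        "name": f"{resource}/policies/{constraint}",
        "spec": {"rules": [{"enforce": True}]},
    }


def iap_enabled_backends(backend_services: list) -> list:
    """Return (name, scope) for backend services with IAP already enabled.
    A new constraint will NOT turn these off; they must be reviewed and
    brought into compliance by hand. Services with no `iap` block count as
    disabled."""
    found = []
    for svc in backend_services:
        iap = svc.get("iap") or {}
        if iap.get("enabled"):
            scope = "regional" if "region" in svc else "global"
            found.append((svc["name"], scope))
    return found


# Constructed sample inventory; client id is a placeholder, not a real value.
SAMPLE_BACKENDS = [
    {"name": "web-global", "iap": {"enabled": True, "oauth2ClientId": "PLACEHOLDER"}},
    {"name": "api-eu", "region": "europe-west1", "iap": {"enabled": True}},
    {"name": "public-static", "iap": {"enabled": False}},
    {"name": "no-iap-block"},
]

if __name__ == "__main__":
    for scope in IAP_CONSTRAINTS:
        print(json.dumps(org_policy_body("organizations/ORG_ID", scope), indent=2))
    for name, scope in iap_enabled_backends(SAMPLE_BACKENDS):
        print(f"IAP already enabled ({scope}): {name}")
```

Run the audit against the real `gcloud` JSON output before enforcing the constraint so the list of non-compliant services is known up front.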
These organization policies control only IAP enablement, not other aspects of the IAP
configuration. While a policy is in place, an administrator can still update any IAP
settings, including OAuth client information, for an application that was already out of
compliance when the policy took effect. This lets you maintain a strong security posture
while you work to bring all of your services into compliance with data residency
requirements.
Last updated 2025-08-28 UTC.