Manage App Integrations in Asana for Seamless, Secure Workflow (2026 Enterprise Guide)

Asana

9 Dec 2025

When you roll out Asana across a large organisation, integrations can’t be a free-for-all. You need centralised control (what apps are allowed), least-privilege access (OAuth scopes), service accounts (not personal tokens), and auditing (logs to your SIEM). Asana provides all of that via the Admin Console → Apps and related security features.

Why this matters

Most “problems” with integrations are governance problems: shadow OAuth apps, over-broad scopes, and no audit trail. Asana now offers App management to monitor/allow/block apps and tokens, plus Audit Log API and a Splunk app for continuous monitoring. OAuth permission scopes reduce risk by limiting what each app can do.

What’s new / policy highlights

  • App management (Admin Console → Apps): Super admins can approve/deny third-party apps, review usage, and control Personal Access Tokens (PATs) and Service accounts centrally.

  • Scoped OAuth (2025): Developers/integrations request only the permissions they need; users see scope prompts during consent. This is now the default for new apps.

  • Granular workspace controls: Asana refined blocking so restrictions can be workspace-specific, avoiding accidental blocks in other workspaces users belong to.

  • Audit & SIEM: Enterprise orgs can export audit events and stream them to Splunk (CIM-compatible) for alerting and investigations.

The enterprise playbook (step-by-step)

1) Set your integration policy

In Admin Console → Security → App management, define how apps are allowed:

  • Allow-list approved apps (e.g., Slack, Google Drive, Zoom); block everything else until reviewed.

  • Decide whether PATs are permitted (recommended: off; use service accounts instead). (Source: help.asana.com)

Tip: Capture this policy in your internal runbook and link it from a pinned message in your Asana Announcement project.

2) Use service accounts (not user tokens)

Create a Service account for system-to-system integrations and keep credentials in your vault. Benefits: central lifecycle, no license charge in many enterprise contexts, and API access independent of staff changes. Admin Console → Apps → Service accounts → Add. (Source: help.asana.com)

3) Approve and scope integrations

For each app:

  • Review the permissions/scopes requested and data flow (who can read/write what).

  • Approve for your production workspace(s) only; use a separate sandbox workspace for testing. (Source: Asana Docs)

4) Connect your core tools (with the right settings)

  • Slack + Asana: Allow the app, then enable message-to-task, task previews, and channel notifications. Decide whether creation is allowed in all projects or specific ones. Train users to convert messages to tasks (with assignee + due date) rather than @-mention ping-pong. (Source: help.asana.com)

  • Google Drive / Workspace: Approve Drive and Calendar integrations so files attach as links (respecting Google permissions) and calendars sync. Ensure your Google sharing policy aligns (e.g., external share blocks). (Source: help.asana.com)

  • Zoom: Enable meeting creation and automatic logging of recordings/transcripts back to Asana to reduce admin time and retain context. (Source: help.asana.com)

Browse the full catalogue in Asana → Apps to standardise on supported connectors. (Source: Asana)

5) Monitor with the Audit Log API (and your SIEM)

Stream audit events (logins, app authorisations, token creation, admin changes) to Splunk or similar. Alert on risky patterns (e.g., new app authorisation outside business hours, sudden surge in token creation). (Source: Asana Docs)
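
The two alert patterns named above, written as detection logic over exported audit events. This is an added example, not Asana's or the author's code. The event-type labels, the flat record layout, the business-hours window and the surge threshold are all assumptions to be mapped onto your real audit export and policy.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed event-type labels; map them to the names your audit export actually uses.
APP_AUTH, TOKEN_CREATED = "app_authorized", "token_created"
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 UTC, assumed policy
SURGE_LIMIT, SURGE_WINDOW = 3, timedelta(minutes=10)

# Constructed sample events (not real Asana output).
SAMPLE_EVENTS = [
    {"created_at": "2025-12-08T10:15:00Z", "event_type": APP_AUTH, "actor": "ana@example.com", "app": "Slack"},
    {"created_at": "2025-12-09T02:40:00Z", "event_type": APP_AUTH, "actor": "raj@example.com", "app": "UnknownSync"},
    {"created_at": "2025-12-09T09:00:00Z", "event_type": TOKEN_CREATED, "actor": "lee@example.com"},
    {"created_at": "2025-12-09T09:03:00Z", "event_type": TOKEN_CREATED, "actor": "lee@example.com"},
    {"created_at": "2025-12-09T09:05:00Z", "event_type": TOKEN_CREATED, "actor": "lee@example.com"},
    {"created_at": "2025-12-09T15:00:00Z", "event_type": TOKEN_CREATED, "actor": "ana@example.com"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect(events):
    """Return alerts as (rule, actor, timestamp) tuples, in event-time order."""
    alerts, recent = [], {}          # recent: actor -> deque of token-creation times
    for ev in sorted(events, key=lambda e: parse_ts(e["created_at"])):
        ts, actor = parse_ts(ev["created_at"]), ev["actor"]
        if ev["event_type"] == APP_AUTH:
            # Weekends and hours outside the window both count as off-hours.
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_app_authorisation", actor, ev["created_at"]))
        elif ev["event_type"] == TOKEN_CREATED:
            window = recent.setdefault(actor, deque())
            window.append(ts)
            while ts - window[0] > SURGE_WINDOW:   # drop entries older than the window
                window.popleft()
            if len(window) == SURGE_LIMIT:         # fire when the count reaches the threshold
                alerts.append(("token_creation_surge", actor, ev["created_at"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same two rules would normally be saved searches; running them offline against an export is a quick way to tune the thresholds before alerting on them.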

6) Educate and enforce

Point admins to Asana Academy’s “Manage your apps and access” and “Set up apps and AI tools” courses. Embed a quarterly review of app usage and remove stale connections. (Source: academy.asana.com)

Practical examples (ready to replicate)

  • IT-approved Slack workflow: Allow Slack org-wide; restrict task creation to approved portfolios; log all app authorisations to Splunk; disable PATs. Result: fewer untracked tasks and a clean audit trail.

  • Drive governance: Enable Drive attachments; rely on Google’s native permissions rather than duplicating files. Add a dashboard to flag tasks linking to externally shared files.

  • Service-account integrations: Use a service account token for HRIS → Asana provisioning or backup tooling, not a personal token; rotate regularly.

FAQs

What types of apps can I integrate with Asana?
Hundreds, including Slack, Google Drive and Zoom; check the catalogue in Asana → Apps for vetted connectors. (Source: Asana)

How do I enforce least-privilege?
Require OAuth scopes for new integrations and reject apps that request unnecessary permissions. (Source: Asana Forum)

PATs or service accounts — which should we use?
Prefer service accounts for system integrations; they’re centrally managed and don’t depend on a staff member’s account. (Source: help.asana.com)

Can I limit integrations by workspace?
Yes — Asana has refined controls so blocks/approvals can be workspace-specific, reducing collateral restrictions across other workspaces a user may belong to. (Source: Asana Forum)

How do we monitor changes and incidents?
Use the Audit Log API and Asana’s Splunk integration to alert on sensitive events (e.g., new OAuth app, token creation). (Source: Asana Docs)

Generation Digital

UK office
33 Queen Street,
London
EC4R 1AP
United Kingdom

Canada office
1 University Ave,
Toronto,
ON M5J 1T1,
Canada

NAMER office
77 Sands St,
Brooklyn,
NY 11201,
United States

EMEA office
Charlemont Street, Saint Kevin's, Dublin,
D02 VN88,
Ireland

Middle East office
6994 Alsharq 3890,
An Narjis,
Riyadh 13343,
Saudi Arabia

Company number: 256 9431 77 | Copyright 2026 | Terms and Conditions | Privacy Policy