Network Brainiacs
Tip #41 · Cloud & SaaS

The OAuth app you forgot about.

Every time an employee clicks "Sign in with Microsoft" or "Sign in with Google," they grant a third party access. Years later, those grants are still live.

Every time an employee signs into a SaaS tool using "Sign in with Microsoft" or "Sign in with Google," they grant that tool a set of permissions — sometimes read email, sometimes access to all files, sometimes the ability to send mail on the user's behalf. Those grants don't expire automatically. Years later, tools you stopped using, employees who left, and vendors who got breached still have access.

Why this is often the most-neglected control

OAuth grants are invisible by default. They're not in your user directory, not on your endpoints, not in most security reports. The admin center shows them, but nobody checks. Attackers who compromise a third-party SaaS tool can use its lingering OAuth grants to read email from your tenant directly — no password, no MFA, no login.

What lingering grants enable

A marketing tool a small agency used two years ago still had Mail.Read access to their M365 tenant.

Red flag: The tool had been breached in that time. Attackers read their leadership's email for six weeks using the OAuth grant alone.

An intern's personal Zapier account had calendar access for every executive.

Red flag: The intern had left two years prior. The Zapier zap was still running, logging meetings to a personal Google Sheet nobody noticed.

The quarterly OAuth audit

  • In Microsoft 365, go to Entra ID → Enterprise Applications and review granted permissions.
  • In Google Workspace, go to Security → API Controls → App access control.
  • Revoke any app that's no longer in active use.
  • Revoke any app an ex-employee set up.
  • For apps that remain, review what permissions they actually hold — least privilege applies.
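To make the review step concrete, here is an added triage script (not from the original tip) that takes the kind of data the Entra ID admin center shows and flags the grants worth looking at first: grants owned by disabled or deleted accounts, and grants carrying sensitive scopes. The sample records are constructed; their field names follow the Microsoft Graph `oauth2PermissionGrants`, `servicePrincipals` and `users` resources (an assumption, so check against your own export), and the sensitive-scope list is an assumed starting point to extend.

```python
"""Triage OAuth permission grants for the quarterly audit described above."""
from dataclasses import dataclass, field

# Delegated scopes the tip calls out as high impact (assumed list; extend it).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Calendars.Read", "Calendars.ReadWrite"}

# Constructed sample data. Assumption: shaped like Graph's oauth2PermissionGrants,
# servicePrincipals (id -> displayName) and users (id -> accountEnabled) resources.
APPS = {"sp-1": "Marketing Tool", "sp-2": "Zapier", "sp-3": "Expense App"}
USERS = {"u-1": {"upn": "intern@example.com", "accountEnabled": False},
         "u-2": {"upn": "ceo@example.com", "accountEnabled": True}}
GRANTS = [
    # Admin-consented, tenant-wide grant: no principalId, consentType AllPrincipals.
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    # Per-user grant owned by a disabled account (the departed intern).
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-1",
     "scope": "Calendars.Read offline_access"},
    # Low-privilege per-user grant owned by an active account: nothing to flag.
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-2",
     "scope": "User.Read"},
    # Per-user grant whose owner is no longer in the directory at all.
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-9",
     "scope": "Calendars.ReadWrite"},
]

@dataclass
class Finding:
    app: str
    reason: str
    scopes: list = field(default_factory=list)

def triage(grants, users, apps):
    """Return the grants a reviewer should revoke or re-justify first, in input order."""
    findings = []
    for g in grants:
        risky = sorted(s for s in g["scope"].split() if s in SENSITIVE_SCOPES)
        app = apps.get(g["clientId"], g["clientId"])
        per_user = g["consentType"] == "Principal"
        user = users.get(g["principalId"]) if per_user else None
        if per_user and user is None:
            findings.append(Finding(app, "grant owner no longer exists in directory", risky))
        elif user is not None and not user["accountEnabled"]:
            findings.append(Finding(app, f"grant owned by disabled account {user['upn']}", risky))
        elif not per_user and risky:
            findings.append(Finding(app, "tenant-wide (admin-consented) grant with sensitive scopes", risky))
        elif risky:
            findings.append(Finding(app, "per-user grant with sensitive scopes", risky))
    return findings

if __name__ == "__main__":
    for f in triage(GRANTS, USERS, APPS):
        print(f"{f.app}: {f.reason} {f.scopes}")
```

Feed it the real export from your tenant and work the findings list top to bottom; anything not flagged still gets the least-privilege check from the list above.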

We audit OAuth for clients.

A single OAuth review typically surfaces a dozen forgotten apps with access they shouldn't have. Quick, high-impact.

Do this today

  1. Run an OAuth audit this quarter — it's one admin center page away.
  2. Revoke apps no longer in use and apps from ex-employees.
  3. Require admin approval for new OAuth grants going forward (configurable in M365 / Google).
  4. Add OAuth revocation to your offboarding checklist.
  5. Schedule quarterly OAuth reviews on the calendar.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
