How to Audit Your SaaS App Permissions in M365 and Google Workspace
The average M365 tenant has 40+ third-party apps with OAuth access. Most were authorised by individual employees during free trials, product evaluations, or one-off integrations, and never reviewed again. Some have read access to all email. Some have write access to all files. A few have admin-level permissions that most IT teams don't know about. Here's how to find them and what to do.
Why OAuth app sprawl is a real security risk
OAuth lets users grant third-party applications access to their Google or Microsoft account without sharing their password. The problem: the access granted is often far broader than necessary and persists indefinitely, even after the user has stopped using the app, left the company, or the trial has expired.
- Compromised vendor: If a third-party app with read access to your M365 mailboxes is breached, the attacker inherits that access to all connected accounts.
- Malicious OAuth app: Attackers distribute fake "productivity tools" that request broad permissions. Once authorised, they have persistent access without needing credentials.
- Stale access after offboarding: An employee leaves but the apps they authorised keep their grants. Offboarding usually disables the account; it does not revoke the consent recorded against it, so the grant is still there if the account is ever re-enabled, and a tenant-wide (application permission) grant never depended on that user in the first place.
- Privilege escalation: An app holding admin-consented directory write permissions (Directory.ReadWrite.All, User.ReadWrite.All) can create or modify users and groups and exfiltrate directory data without any interactive sign-in for defenders to notice.
Audit OAuth apps in Microsoft 365
Via the Microsoft Entra admin center
- Go to Microsoft Entra admin center > Identity > Applications > Enterprise applications
- Set the filter to "Application type: All Applications" and review the list
- For each app, check: Permissions (both delegated and application permissions, and whether admin consent was granted), Users and groups, and sign-in activity
- Cross-check each app against the sign-in logs (or Monitoring & health > Usage & insights); apps with no sign-ins in 90+ days are strong candidates for removal
Via Microsoft Defender for Cloud Apps
If you have M365 E5 or Defender for Cloud Apps, go to Cloud apps > OAuth apps. This gives you a risk score per app, a permission scope breakdown, and which users have authorised it.
High-risk permission scopes to flag immediately
| Scope | What it grants | Risk |
|---|---|---|
| Mail.ReadWrite | Read and modify all emails in all user mailboxes | Critical |
| Directory.ReadWrite.All | Read and write all directory data including users and groups | Critical |
| Files.ReadWrite.All | Read and write all files in SharePoint and OneDrive | Critical |
| User.ReadWrite.All | Create, update, and delete all users in the directory | Critical |
| Mail.Read | Read all emails in all mailboxes | High |
| Calendars.ReadWrite | Read and modify all calendar events | Medium |

The "What it grants" column describes the application permission, where the app acts as itself across the whole tenant. The delegated form of the same scope is limited to what the consenting user can already reach, which is still that user's entire mailbox or every file they can open. Check which type each app holds on its Permissions page: application permissions always carry admin consent and are the first thing to question.
Audit OAuth apps in Google Workspace
Via the Google Admin Console
- Go to admin.google.com > Security > Access and data control > API controls
- Click "Manage Third-Party App Access" to see all connected apps
- Filter by "Access type: Has access to Google data"
- Review the OAuth scopes column and look for apps with access to Gmail, Drive, or the Admin SDK
- Click any app to see which users have it connected and what data it can access
High-risk Google OAuth scopes
| Scope | What it grants | Risk |
|---|---|---|
| https://mail.google.com/ | Full Gmail access: read, send, delete all emails | Critical |
| https://www.googleapis.com/auth/drive | Full Drive access: read, write, delete all files | Critical |
| https://www.googleapis.com/auth/admin.directory.user | Manage users, read user info across the org | Critical |
| https://www.googleapis.com/auth/gmail.readonly | Read all Gmail messages | High |
| https://www.googleapis.com/auth/contacts | Read and write all Google Contacts | Medium |

Google scopes are granted per user, so "all emails" means the consenting user's mailbox. The exception is domain-wide delegation (Security > Access and data control > API controls > Manage Domain Wide Delegation), where a service account is authorised to act as any user in the domain; review those client IDs with the same scope table and put them at the top of the list.

Google's verification status: the console shows whether each third-party app is verified by Google (Google's own apps are listed as Google-owned). Unverified apps have not completed Google's OAuth verification review, which Google requires before an app requesting sensitive or restricted scopes can be made generally available, so treat any unverified app with broad scopes as high-risk until proven otherwise.
What to revoke, block, or restrict
- Revoke immediately: Apps with critical-scope permissions that no one recognises or actively uses; apps from vendors no longer in your stack; any app authorised by accounts that have been deactivated
- Review with the team: Apps authorised by more than 5 users with Mail.Read or Files.ReadWrite permissions; apps with no activity in the last 30 days
- Restrict to admin consent: Any future app requiring high-risk scopes must go through IT approval before any user can authorise it. In Entra this is Enterprise applications > Consent and permissions (user consent settings and the admin consent workflow); in Google it is API controls > App access control, where you block unconfigured third-party apps or limit them to basic-profile scopes until reviewed.
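The M365 and Google audits above and the revoke/review rules just listed are easy to run by hand once, and hard to keep running. The script below is an added example (not code from the original article or from either vendor) that turns them into a repeatable triage. It runs offline on constructed records shaped like the real API responses: Graph `GET /oauth2PermissionGrants` (delegated consent, space-separated `scope`), Graph `appRoleAssignments` for application permissions (the live API returns `appRoleId` GUIDs; the example assumes they have already been resolved to scope names), and Google Admin SDK `users.tokens.list`. The last-activity dates, the deactivated-user set and the approved-vendor list are assumptions the caller supplies from sign-in or audit logs and the HR feed; the app names, users and grants are made up for the demo.

```python
"""Triage OAuth grants exported from Microsoft Graph and the Google Admin SDK.
Added example, not code from the original article. Runs offline on constructed
records shaped like: Graph GET /oauth2PermissionGrants (delegated consent),
Graph GET /servicePrincipals/{id}/appRoleAssignments (application permissions,
assumed here already resolved from appRoleId GUIDs to scope names), and
Google GET admin/directory/v1/users/{userKey}/tokens. Last-activity dates and
the deactivated-user list are assumed to be joined in from sign-in/audit logs
and the HR feed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # pinned so the demo is deterministic

# Risk tiers from the article's two tables (Graph scope names, Google scope URLs).
RISK = {
    "Mail.ReadWrite": "Critical", "Directory.ReadWrite.All": "Critical",
    "Files.ReadWrite.All": "Critical", "User.ReadWrite.All": "Critical",
    "https://mail.google.com/": "Critical", "https://www.googleapis.com/auth/drive": "Critical",
    "https://www.googleapis.com/auth/admin.directory.user": "Critical",
    "Mail.Read": "High", "https://www.googleapis.com/auth/gmail.readonly": "High",
    "Calendars.ReadWrite": "Medium", "https://www.googleapis.com/auth/contacts": "Medium",
}
ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def worst_risk(scopes):
    """Highest tier among a grant's scopes; scopes not in the table count as Low."""
    return max((RISK.get(s, "Low") for s in scopes), key=ORDER.__getitem__, default="Low")


def normalize(graph_grants, graph_app_roles, google_tokens, sp_names):
    """Collapse all three sources into one record per app: who consented, to what."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "admin_consent": False})
    for g in graph_grants:                        # delegated: 'scope' is space-separated
        a = apps[sp_names[g["clientId"]]]
        a["scopes"].update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":   # an admin consented for every user
            a["admin_consent"] = True
        else:
            a["users"].add(g["principalId"])
    for r in graph_app_roles:                     # application permission: no user involved
        a = apps[sp_names[r["principalId"]]]
        a["admin_consent"] = True
        a["scopes"].add(r["role"])
    for t in google_tokens:                       # one token record per user per app
        a = apps[t["displayText"]]
        a["users"].add(t["userKey"])
        a["scopes"].update(t["scopes"])
    return apps


def triage(apps, deactivated, last_activity, approved_vendors):
    """Apply the article's revoke / review rules; returns {app: (action, reason)}."""
    out = {}
    for name, a in apps.items():
        risk = worst_risk(a["scopes"])
        last = last_activity.get(name)
        idle = (NOW - last).days if last else None
        stale = sorted(a["users"] & deactivated)
        crit = sorted(s for s in a["scopes"] if RISK.get(s) == "Critical")
        who = "all users (admin consent)" if a["admin_consent"] else f"{len(a['users'])} users"
        if stale:
            out[name] = ("revoke", f"authorised by deactivated account(s) {stale}")
        elif idle is not None and idle >= 90:
            out[name] = ("revoke", f"no activity in {idle} days")
        elif crit and name not in approved_vendors:
            out[name] = ("revoke", f"critical scope(s) {crit} on an app nobody approved")
        elif ORDER[risk] >= ORDER["High"] and (a["admin_consent"] or len(a["users"]) > 5):
            out[name] = ("review", f"{risk} scope granted for {who}")
        elif idle is None or idle >= 30:
            out[name] = ("review", "no recorded activity" if idle is None else f"no activity in {idle} days")
        else:
            out[name] = ("ok", f"{risk} risk, last used {idle} days ago")
    return out


# ---- constructed sample data: no real tenant, apps or people ----
SP_NAMES = {"sp-notes": "Cool Notes", "sp-crm": "Acme CRM Sync", "sp-cal": "MeetingBot", "sp-design": "DesignSync"}
GRAPH_GRANTS = [
    {"clientId": "sp-notes", "consentType": "Principal", "principalId": "alice", "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-cal", "consentType": "AllPrincipals", "principalId": None, "scope": "Calendars.ReadWrite User.Read"},
    {"clientId": "sp-crm", "consentType": "Principal", "principalId": "carol", "scope": "User.Read offline_access"},
    {"clientId": "sp-design", "consentType": "Principal", "principalId": "frank", "scope": "Files.Read User.Read"},
]
GRAPH_APP_ROLES = [{"principalId": "sp-crm", "resourceDisplayName": "Microsoft Graph", "role": "Mail.Read"}]
GOOGLE_TOKENS = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "PDF Magic", "userKey": "dave@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"clientId": "111.apps.googleusercontent.com", "displayText": "PDF Magic", "userKey": "erin@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Lunch Poll", "userKey": "erin@example.com",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
]
DEACTIVATED = {"alice"}
LAST_ACTIVITY = {"Cool Notes": NOW - timedelta(days=2), "Acme CRM Sync": NOW - timedelta(days=10),
                 "MeetingBot": NOW - timedelta(days=120), "PDF Magic": NOW - timedelta(days=45),
                 "Lunch Poll": NOW - timedelta(days=40), "DesignSync": NOW - timedelta(days=3)}
APPROVED_VENDORS = {"Acme CRM Sync"}


def run_demo():
    apps = normalize(GRAPH_GRANTS, GRAPH_APP_ROLES, GOOGLE_TOKENS, SP_NAMES)
    return triage(apps, DEACTIVATED, LAST_ACTIVITY, APPROVED_VENDORS)


if __name__ == "__main__":
    for app, (action, why) in sorted(run_demo().items(), key=lambda kv: kv[1][0]):
        print(f"{action:7} {app:15} {why}")
```

Two design points worth noting. First, an application permission (the `appRoleAssignments` path) is recorded with no user at all and is always treated as admin consent, which is why `Acme CRM Sync` lands in "review" even though only one person ever signed in to it. Second, the rules are evaluated in the article's order of severity, so a deactivated owner or 90 days of silence sends an app to "revoke" before its scopes are even considered; swap the branch order if your policy differs.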
OAuth app audit checklist
- Log in to Entra admin center and review all enterprise applications
- Flag any app with Mail.ReadWrite, Directory.ReadWrite.All, or Files.ReadWrite.All permissions
- Check Google Admin > API controls > Third-party app access
- Flag any app with full Gmail or Drive scope
- Sort by last activity and revoke all apps unused for 90+ days
- Remove OAuth access for any app associated with a deactivated user account
- Enable "Require admin approval" for new apps requesting high-risk scopes (both M365 and GWS)
- Schedule this audit quarterly (or enable automated weekly monitoring)
Automate your OAuth app audit weekly
Workspace Posture Pro audits your M365 or Google Workspace OAuth apps every Monday and alerts you to new high-risk app authorisations, broad permission scopes, and stale app access before they become incidents.