Free guide · no email gate

How to review OAuth apps and connected SaaS access

Every "Sign in with Google" and "Connect to Microsoft 365" click created a standing grant. Most teams have dozens, some from tools they cancelled years ago. This guide shows you how to find them, judge them, and revoke them without breaking the ones you need.

What an OAuth grant actually is

An OAuth grant is standing permission for a third-party app to act on your data without a password: read your mail, edit your files, manage your calendar, or query your CRM. Grants do not expire when you stop using the tool, do not disappear when you cancel the subscription, and usually survive the departure of the person who approved them. That persistence is what makes them worth reviewing.

Step 1: Build the inventory

  • Google Workspace: Admin Console, Security, API controls, App access control. Export the list of connected apps, users, and scopes.
  • Microsoft 365: Entra admin center, Enterprise applications. Review both user consents and admin consents.
  • Do the same inside major SaaS tools: Slack apps, HubSpot connected apps, Shopify private and custom apps, GitHub OAuth apps and personal tokens.
  • Record for each: app name, vendor, scopes, number of users, who consented, and last-use data where available.

Step 2: Judge each grant

Ask four questions per app. The answers sort the list fast:

  • Do we still use this? If nobody can name the person using it, the default is revoke.
  • Is the scope proportional? A signature tool needs send access, not full mailbox read. Over-scoped but needed apps get narrowed, not removed.
  • Do we trust the vendor with this data today? Tools get acquired, abandoned, and breached. Trust from 2022 is not trust now.
  • Who owns the relationship? Every kept grant needs a named owner. Ownerless grants become permanent by default.

Step 3: Revoke safely

  • Before revoking, check whether an automation or integration depends on the grant. Revocation is how invoice syncs and lead flows die silently.
  • Revoke in the platform's admin surface, not just by cancelling the subscription. Cancellation rarely revokes tokens.
  • For apps kept: document owner, purpose, and scope in one register, and set a review cadence. Quarterly is enough for most teams.
  • Set the policy going forward: in Google Workspace, restrict which apps can be granted high-risk scopes; in Microsoft 365, require admin consent for high-privilege permissions.
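The three steps above, carried through on a constructed inventory, as an added example (not VXSec's tooling and not code from this guide). It assumes the Step 1 export has been flattened to a CSV with the columns listed there plus two fields the reviewer fills in by hand, `owner` and `depends_on` (automations wired to the grant); the 90-day staleness threshold and the watch-list of "high-risk" scopes are assumptions to tune per platform, although the scope names themselves are real Google and Microsoft Graph identifiers. The decision order mirrors the guide: a known dependency holds the grant before anything else, then ownerless or unused grants go on the revoke list, then over-scoped but needed apps are marked for narrowing.

```python
"""Triage an exported OAuth grant inventory into hold / revoke / narrow / keep.

Added example, not the guide's or VXSec's code. The CSV rows are constructed;
STALE_DAYS and HIGH_RISK_SCOPES are assumptions you should tune.
"""
import csv
import io
from datetime import date

# Assumed watch-list: scopes that give broad mail, file or directory access.
# The identifiers are real Google / Microsoft Graph scope names.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite",
    "Mail.Read",
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
}

STALE_DAYS = 90                 # assumption: no use in 90 days -> nobody can name a user
REVIEW_DATE = date(2024, 6, 1)  # the day the review is run (constructed)

# Constructed export: one row per app; scopes separated by spaces,
# dependencies separated by semicolons, empty owner means "nobody named".
INVENTORY_CSV = """app,vendor,scopes,users,consented_by,last_used,owner,depends_on
Signature Sync,ExampleSig Ltd,https://mail.google.com/ https://www.googleapis.com/auth/gmail.send,41,alice@example.test,2024-05-02,ops@example.test,
Old Survey Tool,GoneCo,https://www.googleapis.com/auth/drive,3,bob@example.test,2021-11-14,,
Invoice Bridge,FinTool Inc,Files.ReadWrite.All Mail.Send,2,carol@example.test,2024-05-29,finance@example.test,invoice-sync
Calendar Booker,BookIt,Calendars.ReadWrite,17,dave@example.test,2024-05-30,sales@example.test,
Lead Importer,LeadsRUs,Mail.Read,1,erin@example.test,2023-01-08,,lead-flow
"""


def parse_inventory(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["scopes"] = row["scopes"].split()
        row["users"] = int(row["users"])
        row["last_used"] = date.fromisoformat(row["last_used"])
        row["depends_on"] = [d for d in row["depends_on"].split(";") if d]
        rows.append(row)
    return rows


def judge(grant, today=REVIEW_DATE):
    """Step 3's dependency check first, then the four questions from Step 2."""
    if grant["depends_on"]:
        # Never revoke blindly while an automation is wired to the grant.
        deps = ", ".join(grant["depends_on"])
        return ("hold", f"used by {deps}; confirm with the owner before revoking")
    stale = (today - grant["last_used"]).days > STALE_DAYS
    if stale:
        return ("revoke", f"unused for more than {STALE_DAYS} days")
    if not grant["owner"]:
        return ("revoke", "no named owner")
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        return ("narrow", "high-risk scopes: " + ", ".join(risky))
    return ("keep", "in use, owned, proportional scopes")


def triage(text=INVENTORY_CSV, today=REVIEW_DATE):
    """Map app name -> (decision, reason) for every grant in the export."""
    return {g["app"]: judge(g, today) for g in parse_inventory(text)}


if __name__ == "__main__":
    for app, (decision, reason) in triage().items():
        print(f"{decision:7} {app:16} {reason}")
```

Run against a real export, the `hold` rows are the ones to walk through with their owners before anything is revoked; the `revoke` rows are the quick wins, and the `narrow` rows are where you go back to the vendor's consent screen and re-grant with a smaller scope set.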

Where this goes wrong

The two failure modes are opposite: teams that never revoke anything, and teams that revoke aggressively and break their own operations. Both come from the same gap: nobody knows what depends on what. That dependency mapping is the core of VXSec's Secure Automation Review, and OAuth findings are a standing category in every Access and Offboarding Audit. VXSec has also done the other side of this work, building and repairing OAuth token handling in production integrations, which is why dependency checks come before revocations in every engagement.

Dozens of grants and no idea which are safe to cut?

The review maps every grant and automation to an owner and a dependency, then gives you a revoke list you can approve with confidence.

Book a 15-minute scope check