toolspilot · Security

OAuth App Access Audit: A 2026 Checklist for Google, Microsoft, and SaaS Teams

Review connected apps, delegated scopes, admin consent, dormant integrations, tokens, offboarding, and rollback steps before a small SaaS connection becomes a data exposure.


OAuth is convenient because it avoids handing every app your password. It is risky because a small “connect” button can grant durable access to mail, files, calendars, contacts, CRM data, repositories, analytics, or admin APIs. In 2026, the useful security question is not whether OAuth is good or bad. The question is whether your team knows which connected apps exist, what scopes they hold, who approved them, whether they are still needed, and how to revoke them quickly. This checklist was reviewed on May 31, 2026 against Google, Microsoft, CISA, NIST, OWASP, and FTC resources.


Access-review matrix

Question             | Evidence to collect                  | Risk signal
---------------------|--------------------------------------|------------------------------------------
Who owns the app?    | Business owner and vendor contact    | Nobody recognizes it
What scopes exist?   | Delegated permissions and API access | Broad mail, file, admin, or offline access
Who consented?       | User, admin, date, reason            | Consent happened during a trial
Is it still used?    | Recent sign-in or workflow evidence  | Dormant but still authorized
How is it removed?   | Revocation and user-impact plan      | No rollback owner

[Visual: SaaS access inventory]

Inventory connected apps before judging them

Start with admin-console exports where possible, then compare them to user-visible connected-app pages. Personal user consent, admin consent, marketplace installs, browser extensions, mobile apps, automation connectors, and no-code workflow tools can all create access paths. Record app name, app ID, publisher, scopes, consent type, users, owner, last-used evidence, and business purpose. A spreadsheet is acceptable if it is complete and reviewed; a perfect tool with stale data is not.

Translate scopes into business language

A scope list can look harmless until someone explains it. “Read files” may include shared drives. “Send mail” can affect customers. “Offline access” may allow refresh tokens after the user closes the browser. “Directory read” can expose employee data. Translate technical scopes into plain consequences: what data can be read, changed, exported, or used to impersonate a workflow? Review high-impact scopes with the business owner, not only the security team.

Permission scope review

User consent can be appropriate for low-risk tools, but sensitive teams need stronger controls. Admin consent should not mean “security approved forever.” It should include a reason, scope list, owner, review date, and removal plan. For Google Workspace and Microsoft Entra tenants, review app-control settings, publisher verification cues, risky app reports where available, and whether users can consent to unverified apps.

Watch for dormant integrations

Dormant OAuth grants are common after pilots, employee departures, vendor migrations, and one-time data exports. A dormant grant can still matter if tokens remain valid or the vendor account is compromised. During offboarding, remove user access to core systems and review connected apps tied to the departing employee’s account. During vendor cancellation, revoke OAuth grants in addition to cancelling the subscription.

[Visual: Admin consent review]

Build a rollback playbook

For every high-scope app, write down how to disable the app, revoke user grants, rotate API tokens, notify users, preserve logs, and switch to a fallback workflow. The playbook should also say what not to do: do not delete evidence before incident review, do not revoke a mission-critical integration without business notice unless risk requires it, and do not assume uninstalling a browser add-on removes server-side consent.

Use least privilege when reconnecting

When replacing an app, prefer narrower scopes, service accounts or managed enterprise apps where appropriate, documented retention, and admin controls. Avoid connecting personal accounts to business data. If a vendor requests broad access, ask whether domain restriction, single-folder access, SCIM, SAML, or a dedicated integration account can reduce blast radius.

[Visual: Token rollback kit]

A quarterly review cadence

Quarterly, review high-scope apps and any app with admin consent. Twice a year, review the full inventory. Trigger an immediate review after a vendor ownership change, suspicious login, employee departure from a sensitive role, new regulatory requirement, or major permission change. Keep the review evidence simple enough that it actually happens.

[Visual: Offboarding access checklist]

FAQ

Should teams block all OAuth apps? No. Many integrations are legitimate. The goal is ownership, least privilege, and fast revocation.

What is the biggest red flag? Broad access, offline tokens, unknown publisher, no business owner, and no last-used evidence together.

Who should own the audit? Security or IT can run it, but each business workflow needs a named owner who can say whether the app is still required.
