Article summary: Every time someone on your team clicks “Allow” to connect a third-party app, it receives persistent access to your business data. These connections accumulate quietly and rarely get reviewed. A third-party app permissions audit identifies what has access, removes what should not, and restores visibility over a part of your environment that most businesses have never formally looked at.
A staff member installs a scheduling add-on. Someone in accounting connects a budget tracking tool. A project manager links a task management platform to the shared inbox. Each takes about thirty seconds. Each one grants the app persistent access to your business data until someone actively takes that access away.
Strictly, it is the consent that persists, not the token itself. The access token an app holds is short-lived, but the refresh token issued with it lets the app obtain a fresh access token whenever it wants, and the consent record behind both stays on file until someone revokes it.
That means an app your team stopped using two years ago may still hold access to your accounts today. A regular third-party app permissions audit is how you find out what actually has access to your business and close the connections that should not still be open.
What OAuth Access Actually Means
OAuth is the protocol that lets third-party apps connect to platforms like Microsoft 365, Google Workspace, and Slack without needing your password. When a user authorises an app, the platform records a consent grant for a set of scopes (permissions) and issues the app an access token plus, in most cases, a refresh token. The access token expires within hours; the refresh token and the consent grant do not, so the app can keep obtaining new access tokens until the grant is revoked.
The scope of those permissions varies widely. Some apps request narrow access, such as reading a single user's calendar. Others request much broader rights: read and write access to all email, the ability to access files across your entire shared drive, or permission to act on behalf of the user.
But users almost never read the permissions list before clicking Allow.
This matters because the token does not know or care whether the app is still being used. A tool that a former employee set up to pull data from your shared drive still holds that access after they leave.
Research from Stitchflow found that 53% of security breaches involve orphaned accounts.
Third-party app tokens are among the most overlooked forms of orphaned access.
Microsoft’s own guidance on OAuth app management notes that many users install apps without closely reviewing what permissions they are granting, and IT teams often lack the visibility to track what has been authorised across the organisation.
What You Are Actually Looking For
Three categories of connections consistently come up in these reviews:
Apps no one is actively using
Platforms get replaced. Trials get abandoned. Tools get superseded by something built into Microsoft 365 or Google Workspace. The app is gone from the workflow, but the OAuth token stays active.
These are the easiest to remove because there is no operational disruption. The connection is already dead in practice.
Apps with permissions wider than the job requires
An app that sends automated notifications should not need full read and write access to your entire mailbox.
An app that manages social media posting should not need access to your file storage. The principle of least privilege (giving each tool only the access it genuinely needs) applies to third-party apps as much as it does to user accounts.
Reviewing permission scope helps you identify tools that have accumulated access far beyond their function.
Apps connected by staff who have left
When an employee is offboarded, their user account is typically disabled. But OAuth tokens granted by that account do not automatically disappear.
Disabling the account stops new tokens being issued on that person's behalf, but the consent record remains, and in some configurations (a shared mailbox or service account they set up, or a tenant-wide admin consent they granted) the app keeps operating after they leave. At minimum it leaves an unreviewed access record that IT was unaware of.
Checking who authorised each app is as important as checking which apps are connected.
How to Run the Audit
Microsoft 365
Navigate to the Microsoft Entra admin centre (formerly Azure Active Directory) and open Enterprise Applications. This lists every application, Microsoft's own included, that has a service principal in your tenant; filter the list down to third-party apps. For each app, the Permissions page shows what it holds under admin consent (granted tenant-wide) and under user consent (granted by individual users). To remove an app entirely, delete the enterprise application, which removes all of its grants. To revoke a single user's consent, remove that user's grant through Microsoft Graph or the Microsoft Graph PowerShell module (Remove-MgOauth2PermissionGrant); note that the user's existing refresh tokens should be revoked as well, since deleting the consent record alone does not invalidate tokens already issued.
Google Workspace
In your Google Admin Console, go to Security, then Access and data control, then API controls, then App access control. This shows all apps that have been authorised across your domain. Admins can block individual apps or configure which apps are allowed at all, and can remove the tokens a particular user granted from that user's page under Security, then Connected applications. Individual users can also review and remove their own connected apps at myaccount.google.com under Security, then Third-party apps with account access.
What to do with each app you find
For each connection in the list, ask four questions:
- Is this app still actively used by the team?
- Does the permission scope match what the app actually does?
- Was it authorised by a current employee?
- Is the vendor reputable and actively maintained?
If any answer is no, revoke the access. If you are uncertain whether removing it will disrupt a workflow, ask the relevant team before acting.
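The following script is an added example, not Haxxess's code or tooling: it runs the four questions above over the delegated OAuth grants of a Microsoft 365 tenant, pulled from the same data the Enterprise Applications page displays, and it builds the Graph calls that close each grant (including the sign-in session revocation that kills already-issued refresh tokens). It assumes a real run replaces `fake_get` with an authenticated GET against Microsoft Graph, takes last-used dates from the tenant's sign-in logs, and fills `EXPECTED_SCOPES` from the owning teams' answers; every id, name and date in `FAKE_GRAPH` is constructed sample data.

```python
"""Added example, not Haxxess's code: triage the delegated OAuth grants in a
Microsoft 365 tenant against the article's four questions.

Assumed: a real run replaces fake_get with an authenticated GET against
Microsoft Graph (Directory.Read.All, DelegatedPermissionGrant.ReadWrite.All),
takes last-used dates from the tenant's sign-in logs, and fills
EXPECTED_SCOPES from the owning teams' answers. Ids, names and dates below
are constructed sample data. Application permissions (appRoleAssignments)
are out of scope here; this covers delegated (user and admin) consent."""
from datetime import date

GRAPH = "https://graph.microsoft.com/v1.0"
TODAY = date(2025, 6, 1)                      # constructed audit date
BASELINE = {"User.Read", "openid", "profile", "email", "offline_access"}

# Constructed Graph responses so the example runs offline.
FAKE_GRAPH = {
    f"{GRAPH}/oauth2PermissionGrants": {"value": [
        # scheduling add-on, current employee, used last week
        {"id": "g1", "clientId": "sp-sched", "consentType": "Principal",
         "principalId": "u-alice", "scope": "Calendars.ReadWrite User.Read offline_access"},
        # budget tool authorised by Bob, whose account was disabled at offboarding
        {"id": "g2", "clientId": "sp-budget", "consentType": "Principal",
         "principalId": "u-bob", "scope": "Files.ReadWrite.All User.Read offline_access"},
        # notification bot with tenant-wide admin consent
        {"id": "g3", "clientId": "sp-notify", "consentType": "AllPrincipals",
         "principalId": None, "scope": "Mail.ReadWrite Mail.Send User.Read"},
        # task tool nobody has signed into since a migration
        {"id": "g4", "clientId": "sp-task", "consentType": "Principal",
         "principalId": "u-carol", "scope": "Mail.Read offline_access"},
    ]},
    f"{GRAPH}/servicePrincipals/sp-sched?$select=displayName,appId": {"displayName": "Scheduling Add-on", "appId": "app-sched"},
    f"{GRAPH}/servicePrincipals/sp-budget?$select=displayName,appId": {"displayName": "Budget Tracker", "appId": "app-budget"},
    f"{GRAPH}/servicePrincipals/sp-notify?$select=displayName,appId": {"displayName": "Notify Bot", "appId": "app-notify"},
    f"{GRAPH}/servicePrincipals/sp-task?$select=displayName,appId": {"displayName": "Old Task Tool", "appId": "app-task"},
    f"{GRAPH}/users/u-alice?$select=displayName,accountEnabled": {"displayName": "Alice", "accountEnabled": True},
    f"{GRAPH}/users/u-bob?$select=displayName,accountEnabled": {"displayName": "Bob", "accountEnabled": False},
    f"{GRAPH}/users/u-carol?$select=displayName,accountEnabled": {"displayName": "Carol", "accountEnabled": True},
}

# Last sign-in per client service principal (would come from the sign-in logs).
LAST_USED = {"sp-sched": date(2025, 5, 29), "sp-budget": date(2025, 5, 22),
             "sp-notify": date(2025, 5, 31)}          # sp-task: never seen
# Answers to questions 2 and 4 from the owning teams: app id -> scopes its job needs.
EXPECTED_SCOPES = {"app-sched": {"Calendars.ReadWrite"},
                   "app-budget": {"Files.Read"},
                   "app-notify": {"Mail.Send"}}       # app-task: no owner found


def fake_get(url):
    """Stand-in for requests.get(url, headers={"Authorization": "Bearer ..."})."""
    return FAKE_GRAPH[url]


def is_broad(scope):
    """Delegated scopes reaching beyond the user's own objects, or touching
    mail, deserve a second look even when the owning team expects them."""
    return scope.endswith(".All") or "ReadWrite" in scope or scope.startswith("Mail.")


def triage(get, last_used, expected_scopes, today, stale_days=90):
    findings = []
    for g in get(f"{GRAPH}/oauth2PermissionGrants")["value"]:
        sp = get(f"{GRAPH}/servicePrincipals/{g['clientId']}?$select=displayName,appId")
        granted = set(g["scope"].split())
        reasons, grantor = [], "admin consent (all users)"
        if g["consentType"] == "Principal":                    # question 3
            user = get(f"{GRAPH}/users/{g['principalId']}?$select=displayName,accountEnabled")
            grantor = user["displayName"]
            if not user["accountEnabled"]:
                reasons.append(f"authorised by disabled account {grantor}")
        seen = last_used.get(g["clientId"])                    # question 1
        if seen is None:
            reasons.append("no sign-ins in the log window")
        elif (today - seen).days > stale_days:
            reasons.append(f"last used {(today - seen).days} days ago")
        expected = expected_scopes.get(sp["appId"])            # questions 2 and 4
        if expected is not None:
            excess = granted - expected - BASELINE
            if excess:
                reasons.append("scopes beyond its job: " + " ".join(sorted(excess)))
        # any "no" revokes; an app with no known owner goes to the team first
        action = "revoke" if reasons else ("keep" if expected is not None else "review")
        findings.append({"grant": g["id"], "app": sp["displayName"], "grantor": grantor,
                         "consentType": g["consentType"], "principalId": g["principalId"],
                         "broad": sorted(s for s in granted if is_broad(s)),
                         "action": action, "reasons": reasons})
    return findings


def revocation_plan(finding):
    """Graph calls that close one grant. Deleting the grant removes the consent;
    revoking the user's sign-in sessions invalidates refresh tokens already
    issued to the app (a tenant-wide consent has no single user to do that for)."""
    calls = [("DELETE", f"{GRAPH}/oauth2PermissionGrants/{finding['grant']}")]
    if finding["consentType"] == "Principal":
        calls.append(("POST", f"{GRAPH}/users/{finding['principalId']}/revokeSignInSessions"))
    return calls


def audit_report():
    return triage(fake_get, LAST_USED, EXPECTED_SCOPES, TODAY)


if __name__ == "__main__":
    for f in audit_report():
        print(f"{f['action']:6} {f['app']:18} by {f['grantor']}: {'; '.join(f['reasons']) or 'ok'}")
```

On the sample data the scheduling add-on is kept, the budget tool is revoked on two counts (disabled grantor and a Files.ReadWrite.All scope its job does not need), the notification bot is revoked because Mail.ReadWrite exceeds the Mail.Send its owner says it needs, and the task tool is revoked for having no sign-ins in the window. Each revoke decision comes with the DELETE on the grant and, for user consents, the revokeSignInSessions call, which is the step that actually stops an app still holding a refresh token.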
Revoking the consent alone does not always invalidate tokens the app has already been issued, so after removing a grant, revoke the affected users' sign-in sessions (or rotate their passwords, which also invalidates refresh tokens) for any account that was widely connected.
Making This a Regular Practice
A single audit is useful. A recurring audit is a control.
For most small businesses, quarterly is the right interval.
At minimum, run a review whenever someone leaves the organisation. That timing ensures you can see which apps they authorised and make a deliberate decision about each one rather than leaving them in place indefinitely.
Building this into your offboarding checklist gives you the kind of structured visibility that prevents credential-based breaches from going unnoticed. OAuth tokens are credentials. They deserve the same discipline as passwords.
How Many Apps Currently Have Access to Your Business Accounts?
A third-party app permissions audit typically surfaces connections that no one on the current team was aware of, and removes access that should have been closed months or years earlier.
It is a straightforward review with a meaningful payoff in visibility and control. The first pass usually takes a few hours. Subsequent reviews are faster once you know what the baseline looks like.
If you’d like guidance on running this audit for your Microsoft 365 or Google Workspace environment, or help building it into your regular security practices, reach out to the Haxxess team. Call us at 705-222-8324 or contact us here.
Article FAQs
What is a third-party app permissions audit?
It is a structured review of all external applications that have been granted access to your business accounts to confirm each connection is still needed, is appropriately scoped, and was authorised by a current team member.
Do OAuth tokens expire on their own?
The access token does, usually within an hour, but that does not help you. The refresh token issued alongside it lets the app obtain new access tokens for as long as it keeps using them, and the consent grant behind both stays on file until it is actively revoked, regardless of whether the app is still in use or whether the employee who authorised it is still with the organisation.
What happens if I revoke an app’s access and the team is still using it?
The app will lose the ability to connect to your business accounts until a user reauthorises it. For tools that are actively used, check with the relevant team before revoking. Most legitimate apps can be reconnected quickly, and the brief disruption is worth confirming the connection is intentional and appropriately scoped.