Identity Security
14 min read

How to Audit OAuth App Grants in Microsoft 365, Entra ID, and Google Workspace

Token-based
OAuth access persists through password resets and MFA changes -- an attacker with a valid OAuth token retains mailbox access even after the user's credentials are rotated
Mail.ReadWrite
the highest-risk Microsoft Graph permission scope found in malicious OAuth app grants: grants persistent read and write access to the entire user mailbox
Admin consent
tenant-wide admin consent grants permissions for all users simultaneously -- a single admin-consented malicious app can access every mailbox in the organization
Entra ID audit
Entra ID Audit Logs record every OAuth consent event (Operation: Consent to application) with the granting user, application, and permission scopes -- the authoritative audit source

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

OAuth consent phishing is one of the most effective identity attacks in modern enterprise environments. An attacker registers a malicious application in any Entra ID tenant, crafts a consent URL that requests access to the victim's mailbox and files, and sends it via phishing email. When the victim consents, the attacker receives a refresh token that provides persistent access -- access that survives password resets because it is not credential-based. Scattered Spider, LAPSUS$, and multiple nation-state actors have used OAuth consent phishing as a primary initial access technique. The defense is a complete audit of every OAuth grant in your tenant, revocation of unauthorized grants, and a consent policy that prevents future unauthorized grants. This guide covers the complete audit workflow for Microsoft 365 and Google Workspace.

Understanding OAuth Grant Types in Microsoft Entra ID

Microsoft Entra ID distinguishes between two OAuth grant types that require different audit approaches. Understanding the distinction is essential for scoping the audit.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Enumerating OAuth Grants: Entra ID Admin Portal

The Entra ID admin portal provides a graphical interface for auditing OAuth grants. It is appropriate for targeted investigation of specific applications but is not practical for complete tenant-wide enumeration at scale.

1

Navigate to Enterprise Applications in Entra ID

In the Azure portal or Entra admin center, navigate to Entra ID > Enterprise Applications. This lists all applications that have been granted access to your tenant -- both Microsoft first-party apps and third-party OAuth apps. Filter by 'Application type: All' to show all applications including those with no sign-in activity.

2

Review permissions for each third-party application

For each third-party application, click through to Permissions. Review both 'Delegated permissions' (user consent grants) and 'Application permissions' (admin consent grants). Flag any application with: Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All, User.ReadWrite.All, or full_access_as_user (Exchange Web Services full access). These are the highest-risk permission scopes.

3

Check the consent audit log

In Entra ID > Audit Logs, filter by Category: ApplicationManagement and Activity: Consent to application. This log shows every consent event with the granting user's identity, the application name and ID, the permission scopes consented to, and the timestamp. Export this log for the review period (last 90-180 days) to capture all recent consent grants.

4

Identify applications with no verified publisher

In Enterprise Applications, the publisher verification status is shown for each application. Applications with no verified publisher (displayed as 'unverified' in the consent dialog) are higher risk -- Microsoft's publisher verification process provides minimal but non-zero assurance that the organization publishing the app has confirmed their identity. Flag all unverified publisher applications with high-privilege permissions for immediate review.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Enumerating OAuth Grants: Microsoft Graph API

The Microsoft Graph API enables programmatic enumeration of all OAuth grants across the entire tenant -- the appropriate approach for large environments where portal-based review is impractical.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Enumerating OAuth Grants: Google Workspace

Google Workspace OAuth grants are managed through the Admin console's API Controls section and through the Google Workspace Admin SDK. The audit approach differs from Microsoft due to Google's permission model.

1

Review connected apps in Admin console

In the Google Workspace Admin console, navigate to Security > API Controls > App Access Control. This shows all third-party and internal apps that have been granted access to Google Workspace data. Filter by 'Trust' status -- Google distinguishes between trusted (admin-authorized), trusted with access, and untrusted apps. Review all apps with untrusted status that have been granted sensitive scopes.

2

Identify high-risk Google OAuth scopes

Flag applications with the following high-risk Google OAuth scopes: `https://mail.google.com/` (full Gmail access), `https://www.googleapis.com/auth/drive` (full Google Drive read/write), `https://www.googleapis.com/auth/contacts` (full Contacts access), `https://www.googleapis.com/auth/calendar` (full Calendar access), `https://www.googleapis.com/auth/admin.directory.user` (user directory read/write). These scopes provide broad access to user data equivalent to Microsoft Graph's high-risk scopes.

3

Enumerate grants via Admin SDK

Use the Google Workspace Admin SDK Tokens API to list all OAuth tokens granted by each user: `GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}/tokens`. For tenant-wide enumeration, paginate through all users (GET /admin/directory/v1/users) and retrieve tokens for each. The response includes: `clientId` (OAuth client ID of the application), `displayText` (application name), `scopes` (granted scopes array), and `userKey` (the user who granted the token).

4

Block new untrusted app access

In Admin console > Security > API Controls > App Access Control, configure the trust policy. Setting 'Trust level: Limited' requires admin review before users can grant access to new third-party apps. Setting it to 'Don't allow users to access any third-party apps' blocks all user OAuth consent and requires admin whitelist approval for every app. Implement at minimum 'Limited' trust to require admin review for new grants after completing the initial audit and remediation.

Prioritizing High-Risk Grants for Remediation

A complete tenant OAuth grant enumeration in a large organization can surface hundreds of grants. Prioritization ensures remediation effort is focused on the highest-risk items first.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Revoking OAuth Grants

OAuth grant revocation removes the application's persistent access token -- the user must re-consent if they want to use the application again. Revocation is the appropriate response for unauthorized or suspicious grants.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Preventing Future Unauthorized Grants

Audit and remediation addresses existing risk. Preventing future unauthorized OAuth consent grants requires policy controls in both Microsoft and Google environments.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

OAuth grant audits are not a one-time exercise -- the tenant's OAuth grant surface changes every time a user consents to a new application, and new high-risk applications appear regularly. Complete the initial full-tenant enumeration, revoke all unauthorized or unrecognized grants, configure the user consent policy to require admin approval for high-privilege scopes, and establish a recurring audit cadence (quarterly minimum). Pair the audit workflow with a KQL detection rule in Microsoft Sentinel that alerts on new high-privilege consent events -- catching unauthorized grants within minutes of occurrence is substantially more effective than catching them weeks later in a quarterly audit.

Sources & references

  1. Microsoft OAuth 2.0 consent framework documentation
  2. CISA Alert AA23-347A: Scattered Spider OAuth phishing
  3. Microsoft Incident Response team OAuth attack research 2025
  4. Google Workspace Admin SDK OAuth scope documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.