How to Audit OAuth App Grants in Microsoft 365, Entra ID, and Google Workspace

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
OAuth consent phishing is one of the most effective identity attacks in modern enterprise environments. An attacker registers a malicious application in any Entra ID tenant, crafts a consent URL that requests access to the victim's mailbox and files, and sends it via phishing email. When the victim consents, the attacker receives a refresh token that provides persistent access -- access that survives password resets because it is not credential-based. Scattered Spider, LAPSUS$, and multiple nation-state actors have used OAuth consent phishing as a primary initial access technique. The defense is a complete audit of every OAuth grant in your tenant, revocation of unauthorized grants, and a consent policy that prevents future unauthorized grants. This guide covers the complete audit workflow for Microsoft 365 and Google Workspace.
Understanding OAuth Grant Types in Microsoft Entra ID
Microsoft Entra ID distinguishes between two OAuth grant types that require different audit approaches. Understanding the distinction is essential for scoping the audit.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Enumerating OAuth Grants: Entra ID Admin Portal
The Entra ID admin portal provides a graphical interface for auditing OAuth grants. It is appropriate for targeted investigation of specific applications but is not practical for complete tenant-wide enumeration at scale.
Navigate to Enterprise Applications in Entra ID
In the Azure portal or Entra admin center, navigate to Entra ID > Enterprise Applications. This lists all applications that have been granted access to your tenant -- both Microsoft first-party apps and third-party OAuth apps. Filter by 'Application type: All' to show all applications including those with no sign-in activity.
Review permissions for each third-party application
For each third-party application, click through to Permissions. Review both 'Delegated permissions' (user consent grants) and 'Application permissions' (admin consent grants). Flag any application with: Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All, User.ReadWrite.All, or full_access_as_user (Exchange Web Services full access). These are the highest-risk permission scopes.
Check the consent audit log
In Entra ID > Audit Logs, filter by Category: ApplicationManagement and Activity: Consent to application. This log shows every consent event with the granting user's identity, the application name and ID, the permission scopes consented to, and the timestamp. Export this log for the review period (last 90-180 days) to capture all recent consent grants.
Identify applications with no verified publisher
In Enterprise Applications, the publisher verification status is shown for each application. Applications with no verified publisher (displayed as 'unverified' in the consent dialog) are higher risk -- Microsoft's publisher verification process provides minimal but non-zero assurance that the organization publishing the app has confirmed their identity. Flag all unverified publisher applications with high-privilege permissions for immediate review.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Enumerating OAuth Grants: Microsoft Graph API
The Microsoft Graph API enables programmatic enumeration of all OAuth grants across the entire tenant -- the appropriate approach for large environments where portal-based review is impractical.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Enumerating OAuth Grants: Google Workspace
Google Workspace OAuth grants are managed through the Admin console's API Controls section and through the Google Workspace Admin SDK. The audit approach differs from Microsoft due to Google's permission model.
Review connected apps in Admin console
In the Google Workspace Admin console, navigate to Security > API Controls > App Access Control. This shows all third-party and internal apps that have been granted access to Google Workspace data. Filter by 'Trust' status -- Google distinguishes between trusted (admin-authorized), trusted with access, and untrusted apps. Review all apps with untrusted status that have been granted sensitive scopes.
Identify high-risk Google OAuth scopes
Flag applications with the following high-risk Google OAuth scopes: `https://mail.google.com/` (full Gmail access), `https://www.googleapis.com/auth/drive` (full Google Drive read/write), `https://www.googleapis.com/auth/contacts` (full Contacts access), `https://www.googleapis.com/auth/calendar` (full Calendar access), `https://www.googleapis.com/auth/admin.directory.user` (user directory read/write). These scopes provide broad access to user data equivalent to Microsoft Graph's high-risk scopes.
Enumerate grants via Admin SDK
Use the Google Workspace Admin SDK Tokens API to list all OAuth tokens granted by each user: `GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}/tokens`. For tenant-wide enumeration, paginate through all users (GET /admin/directory/v1/users) and retrieve tokens for each. The response includes: `clientId` (OAuth client ID of the application), `displayText` (application name), `scopes` (granted scopes array), and `userKey` (the user who granted the token).
Block new untrusted app access
In Admin console > Security > API Controls > App Access Control, configure the trust policy. Setting 'Trust level: Limited' requires admin review before users can grant access to new third-party apps. Setting it to 'Don't allow users to access any third-party apps' blocks all user OAuth consent and requires admin whitelist approval for every app. Implement at minimum 'Limited' trust to require admin review for new grants after completing the initial audit and remediation.
Prioritizing High-Risk Grants for Remediation
A complete tenant OAuth grant enumeration in a large organization can surface hundreds of grants. Prioritization ensures remediation effort is focused on the highest-risk items first.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Revoking OAuth Grants
OAuth grant revocation removes the application's persistent access token -- the user must re-consent if they want to use the application again. Revocation is the appropriate response for unauthorized or suspicious grants.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Preventing Future Unauthorized Grants
Audit and remediation addresses existing risk. Preventing future unauthorized OAuth consent grants requires policy controls in both Microsoft and Google environments.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
OAuth grant audits are not a one-time exercise -- the tenant's OAuth grant surface changes every time a user consents to a new application, and new high-risk applications appear regularly. Complete the initial full-tenant enumeration, revoke all unauthorized or unrecognized grants, configure the user consent policy to require admin approval for high-privilege scopes, and establish a recurring audit cadence (quarterly minimum). Pair the audit workflow with a KQL detection rule in Microsoft Sentinel that alerts on new high-privilege consent events -- catching unauthorized grants within minutes of occurrence is substantially more effective than catching them weeks later in a quarterly audit.
Sources & references
- Microsoft OAuth 2.0 consent framework documentation
- CISA Alert AA23-347A: Scattered Spider OAuth phishing
- Microsoft Incident Response team OAuth attack research 2025
- Google Workspace Admin SDK OAuth scope documentation
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
