The OAuth grant nobody revoked
The third-party apps your team connected years ago still have live access to your email and files — and it bypasses MFA. How to find and revoke OAuth grants.
Three years ago, someone on your team wanted to try a scheduling tool. They clicked “Sign in with Google,” skimmed a consent screen, and got on with their day. The tool turned out to be fine. Nobody thought about it again.
That grant is still there. It can still read mail, or reach into the shared drive, or see every event on the calendar — whatever it asked for that afternoon. The person who approved it may have left the company. The tool may have been acquired, or breached, or quietly abandoned by its developer. None of that revokes the access. Access only goes away when someone deliberately takes it away, and almost nobody ever does.
This is the quiet failure: not a break-in, but a door you opened on purpose and forgot to close.
Why it stays invisible
OAuth grants don’t behave like passwords, and that’s exactly what makes them dangerous.
A password gets rotated. An account gets offboarded when someone leaves. MFA stands between an attacker and your data. But an OAuth grant is a standing permission that sits beside all of that. The third-party app already holds a token. It doesn’t log in, it doesn’t face your MFA prompt, it doesn’t trip the “new device” alert. It just keeps using the access you already gave it, indefinitely.
So when a vendor you connected to three years ago gets breached, the attacker doesn’t need to phish your staff or crack a password. They inherit a live, pre-authorised path into your email or files — one that bypasses the defences you actually think about. And because the grant was made by an individual employee, often without anyone in charge ever seeing it, there’s usually no record that the door exists at all.
Multiply that by every “Sign in with Google,” every Microsoft 365 add-in, every “connect your calendar” a dozen people clicked over the years, and you have an attack surface nobody is looking at — because looking at it was never anybody’s job.
Find it yourself
You can see your own exposure in about ten minutes. No tools required.
Google Workspace (admin):
- Admin console → Security → Access and data control → API controls.
- Open Manage Third-Party App Access. This lists every external app with access to your org’s data, and the scopes each one holds.
- Sort by access level. Anything with Gmail, Drive, or full-account scopes is what you care about most.
Google (individual account):
- Go to myaccount.google.com → Security → Your connections to third-party apps & services. This shows what your account has handed out.
Microsoft 365 / Entra ID (admin):
- Entra admin centre → Identity → Applications → Enterprise applications.
- Filter to apps users have consented to. Open each and check Permissions to see what it was granted.
Microsoft (individual account):
- Go to myapps.microsoft.com → Manage your apps, or your account’s Apps with access view.
You are looking for three things: apps you don’t recognise, apps nobody uses any more, and apps holding far broader access than they need (a meeting scheduler that can read all mail, say). Most lists contain at least one of each. The first time people run this, the usual reaction is mild alarm at how long the list is.
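The same three tests can be run over an exported list of grants instead of by eye, which matters once the list is longer than a screen. The Python below is an added illustration, not code from the original post or from any vendor's console or API: it takes a flat list of grant records and returns, per grant, the reasons it needs a human look (unrecognised app, no recent use, scopes broader than the app's job), and additionally flags grants whose owner account has since been disabled. The Grant record layout, the approved-app allowlist, the high-risk scope markers, the 180-day staleness threshold and every sample record are constructed assumptions; the sample scope strings follow the Google scope-URL and Microsoft Graph permission-name formats only so the substring matching has realistic input.

```python
"""Triage an exported list of third-party OAuth grants (constructed example).

The record layout is an assumption: a flattened pull of app name, owner,
scopes and last-used date, as an admin might export from a console or API.
It is not the export format of any real product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Substrings marking the scope families the article singles out: mail,
# files/drive, and tenant-wide ".All" permissions. A heuristic, not a
# complete catalogue of dangerous scopes.
HIGH_RISK_SCOPE_MARKERS = (
    "mail.google.com", "auth/gmail", "auth/drive",      # Google scope URLs
    "Mail.Read", "Mail.Send", "Files.Read", ".All",     # Graph permission names
)

# Allowlist an admin would maintain: apps consciously approved, each with the
# scope family it is expected to need. Names and scopes are constructed.
APPROVED_APPS: Dict[str, set] = {
    "Sched-o-Matic": {"calendar"},
    "BoardReport": {"Sites.Read", "User.Read"},
}


@dataclass(frozen=True)
class Grant:
    app_name: str                 # display name shown on the consent screen
    owner: str                    # account that clicked "Allow"
    scopes: Tuple[str, ...]       # scopes / permissions the app currently holds
    last_used: Optional[date]     # None when the platform exposes no usage data
    owner_active: bool = True     # False once the owner has been offboarded


def is_high_risk(scope: str) -> bool:
    """True for mail, drive/files or tenant-wide (.All) access."""
    return any(marker in scope for marker in HIGH_RISK_SCOPE_MARKERS)


def triage(grant: Grant, today: date, stale_days: int = 180) -> List[str]:
    """Return the reasons a grant deserves review; an empty list means leave it."""
    reasons: List[str] = []
    expected = APPROVED_APPS.get(grant.app_name)

    # 1. Apps nobody recognises: not on the approved list at all.
    if expected is None:
        reasons.append("unrecognised app")

    # 2. Apps nobody uses any more (or whose use the platform cannot show).
    if grant.last_used is None:
        reasons.append("no usage data")
    else:
        idle = (today - grant.last_used).days
        if idle > stale_days:
            reasons.append(f"unused for {idle} days")

    # 3. Access broader than the app's job. Approved apps are measured against
    #    their expected scope family; unknown apps are flagged for any
    #    high-risk scope, since nothing says what they should legitimately need.
    if expected is not None:
        excess = [s for s in grant.scopes if not any(e in s for e in expected)]
    else:
        excess = [s for s in grant.scopes if is_high_risk(s)]
    if excess:
        reasons.append("over-scoped: " + ", ".join(excess))

    # Grants outlive account disablement, so a departed owner is its own reason.
    if not grant.owner_active:
        reasons.append(f"owner {grant.owner} offboarded")
    return reasons


def review(grants: List[Grant], today: date,
           stale_days: int = 180) -> Dict[Tuple[str, str], List[str]]:
    """Map (app, owner) to review reasons, dropping grants that look fine."""
    findings = {}
    for g in grants:
        reasons = triage(g, today, stale_days)
        if reasons:
            findings[(g.app_name, g.owner)] = reasons
    return findings


# Constructed sample export; the date is fixed so the output is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_GRANTS = [
    Grant("Sched-o-Matic", "ana@example.com",
          ("https://www.googleapis.com/auth/calendar.events",), date(2024, 5, 30)),
    Grant("Sched-o-Matic", "ben@example.com",
          ("https://www.googleapis.com/auth/calendar", "https://mail.google.com/"),
          date(2021, 3, 2), owner_active=False),
    Grant("QuickNotes Sync", "cara@example.com",
          ("Files.ReadWrite.All", "Mail.Read", "User.Read"), None),
    Grant("BoardReport", "dan@example.com",
          ("Sites.Read.All", "User.Read"), date(2024, 4, 15)),
]

if __name__ == "__main__":
    for (app, owner), reasons in review(SAMPLE_GRANTS, TODAY).items():
        print(f"{app} ({owner}):")
        for r in reasons:
            print(f"  - {r}")
```

Run as-is, it reports only two of the four sample grants: the scheduler grant made by the departed user (stale, holding a mail scope the scheduler has no business with, owner gone) and the unknown notes app with mail and tenant-wide file access. The two grants that stay within their approved scope family and were used recently produce nothing, which is the point of keeping an allowlist with expected scopes rather than flagging every `.All` permission blindly.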
The fix
Finding the grants is most of the battle. Closing them, and keeping them closed, is the rest.
Revoke what you don’t need. Anything unrecognised, unused, or over-scoped: remove the grant. If it turns out something legitimate needed it, you’ll find out quickly and can re-add it deliberately — which is the point.
Stop the next forgotten door. The reason these pile up is that, by default, any employee can consent to almost any app. In Google, restrict third-party access so high-risk scopes need admin approval. In Microsoft, configure the admin consent workflow so risky consent requests route to you instead of being granted silently. This turns an invisible decision into a visible one.
Make it part of offboarding. When someone leaves, disabling their account doesn’t necessarily kill the app grants made under it. Add “review and revoke third-party grants” to your leaver checklist.
Look more than once. This isn’t a one-time clean-up. New apps get connected every month. A standing reminder to re-run the check each quarter is the difference between a tidy list and the same three-year pile rebuilding itself.
None of this requires a security team. It requires somebody deciding, once, that the connected-apps list is worth looking at — and then looking at it on a schedule.
That quarterly look is exactly the kind of thing that falls off the edge of a busy week. AuthScope watches OAuth grants across Google Workspace and Microsoft 365 continuously and flags the risky ones, so nobody has to remember to check. But the manual review above costs nothing but ten minutes — so do that first, today, whether or not you ever automate it.