Open your Microsoft 365 admin center and look at the list of apps your team has connected over the years. Go ahead — I'll wait. If you're like most of the owners I talk to, you've never opened that screen, and the list is longer than you'd guess.

Every entry on it is a door. At some point someone clicked "Sign in with Microsoft" or "Connect your Google account" on a scheduling tool, an email plugin, an AI note-taker, and granted it access. The tool kept a key. The person moved on. Years later that key is still hanging by the back door, and nobody remembers cutting it.

A login you do once. A key that stays.

When you "Sign in with Microsoft" or let an app connect to your Google or Salesforce account, you're using OAuth. It's the plumbing behind every "Sign in with" button. The part nobody explains is worth understanding: you log in once, but the app gets a token — a standing key it reuses on its own, with no password prompt and no second look.

Some of those tokens can read your email. Some can reach every file in your drive, or your entire customer list. Many keep working long after the employee who approved them has left. That's the bargain we all make for software that just works, and most days it's fine.

The forgotten ones are the problem.

Why I'm bringing this up now

A market-intelligence platform that a lot of sales teams rely on was breached recently, and the attackers never needed anyone's password. They used stolen OAuth tokens — the standing keys customers had granted that vendor — to reach into multiple companies' Salesforce data, pull it out, and then extort them over it. BleepingComputer and The Hacker News have both tracked the campaign as it spread.

Sit with that for a second. The vendor got hacked, but the loss happened inside its customers' systems, through a connection each of those customers had approved and forgotten. That's the shape of SaaS supply-chain risk. You rarely get breached head-on. A tool you trusted does, and your access rides along with it.

You can't stop your vendors from getting breached. You can decide how many standing keys to your business they're holding when it happens.

The 20-minute audit

You don't need a security team for this. You need twenty minutes and admin access. Here's where to look in the three places most small businesses actually live.

Microsoft 365. In the admin center, go to Enterprise applications, then review the apps and their permissions. While you're there, open Consent and permissions → User consent settings and check whether any employee is allowed to approve new apps on their own. Often they are, which is how the list got so long.

Google Workspace. In the Admin console, go to Security → API controls → App access control, then Manage third-party app access. You'll see every app connected to your accounts and exactly what each can touch.

Salesforce. In Setup, search for Connected Apps OAuth Usage. That screen lists every connected app, how many users authorized it, and lets you revoke one on the spot.

For each app, you're answering four plain questions: What is this? Who actually uses it? What can it touch? When did anyone last use it?

What to cut, and what to keep

Most of what you find will be harmless and still in use. Leave those. Go after the rest with a simple rule — least privilege, which just means an app should hold the least access it needs to do its job, and nothing more.

Cut these without much agonizing:

  • Anything nobody recognizes or uses. If no one can say what it's for, revoke it. A real tool gets reconnected in thirty seconds; a malicious one doesn't come back.
  • Broad scopes on small tools. A meeting scheduler asking to "read and send mail as you" or keep "offline access" is holding far more than it needs.
  • Apps tied to people who've left. Departed-employee tokens are exactly what attackers hunt for, because no one is watching them.
  • Personal accounts wired into work data. A staffer's personal Gmail or free AI account connected to company files is a door you don't control.
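One way to turn the four questions and the cut list above into a repeatable check, as an added example that is not the author's or any vendor's code: it triages a constructed export of connected-app grants. The company domain, the departed-user list, the scope names and every sample row are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed reference data. Scope names are Microsoft Graph style; Google and
# Salesforce name theirs differently, so adjust BROAD_SCOPES per console.
COMPANY_DOMAIN = "example.com"
DEPARTED_USERS = {"jmoreno@example.com"}      # accounts disabled in the directory
BROAD_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}
STALE_DAYS = 90

@dataclass(frozen=True)
class Grant:
    app: str                   # what is this?
    granted_by: str            # who approved it?
    scopes: frozenset          # what can it touch?
    last_used: Optional[date]  # when was it last used? (None = never seen)
    recognized: bool           # can anyone on the team say what it is for?

def triage(g: Grant, today: date) -> List[str]:
    """Reasons to revoke this grant; an empty list means keep it."""
    reasons = []
    if not g.recognized:
        reasons.append("nobody recognizes it")
    broad = sorted(g.scopes & BROAD_SCOPES)
    if broad:
        reasons.append("broad scope: " + ", ".join(broad))
    if g.granted_by in DEPARTED_USERS:
        reasons.append("granted by departed user")
    if not g.granted_by.endswith("@" + COMPANY_DOMAIN):
        reasons.append("approved from a non-company account")
    if g.last_used is None or (today - g.last_used).days > STALE_DAYS:
        reasons.append("not used in the last %d days" % STALE_DAYS)
    return reasons

def audit(grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Apps to cut, mapped to the reasons; apps with no findings are omitted."""
    findings = {g.app: triage(g, today) for g in grants}
    return {app: why for app, why in findings.items() if why}

TODAY = date(2025, 10, 1)  # constructed sample export follows, one row per app
SAMPLE_GRANTS = [
    Grant("Calendar Scheduler", "ana@example.com",
          frozenset({"Calendars.ReadWrite", "offline_access", "Mail.Send"}), date(2025, 9, 28), True),
    Grant("Team Chat", "ana@example.com", frozenset({"User.Read"}), date(2025, 9, 30), True),
    Grant("Lead Enrichment", "jmoreno@example.com",
          frozenset({"Contacts.Read", "offline_access"}), date(2024, 11, 2), True),
    Grant("qk-sync-helper", "ana@example.com", frozenset({"Files.ReadWrite.All"}), None, False),
    Grant("AI Notes (free)", "ana.personal@gmail.com", frozenset({"Files.Read.All"}), date(2025, 9, 20), True),
]
```

Running audit(SAMPLE_GRANTS, TODAY) keeps Team Chat and flags the other four, each with the rule it tripped, which is the list you would then walk through in the console.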

Then close the barn door: in Microsoft 365 and Google Workspace, turn off blanket user consent so new app connections need an admin's nod. It's a small amount of friction that ends the "how did that get there" problem for good.

Key takeaways

  • An OAuth "Sign in with" connection is a standing key, not a one-time login — it keeps working until someone revokes it.
  • When a SaaS vendor is breached, the damage often travels through the app connections their customers granted and forgot.
  • You can review every connected app in Microsoft 365, Google Workspace, and Salesforce yourself, in about twenty minutes.
  • Revoke the unused, the over-permissioned, and the orphaned — then require admin approval for new ones.
  • Put it on the calendar quarterly. The list grows back.

I know this is the kind of task that never makes it to the top of the pile. It's invisible right up until the morning it isn't. If you'd rather not hunt through three admin consoles yourself — or you want this run on a schedule and watched between reviews — that's a good chunk of what we do. At Amoeba Networks we help small businesses across the New York metro and the Puget Sound area tighten exactly this kind of managed cybersecurity, and it matters most for professional-services firms running on a stack of connected SaaS tools and confidential client data. If your connected-apps list is a mystery, let's take a look together.

Ready to talk it through?

Reach Amoeba Networks whichever way is easiest: