How to Audit OAuth Grants Across Google & Microsoft in One Afternoon
- Martin Snyder

- Mar 18
- 4 min read
OAuth tokens can access files, inboxes, and cloud data without reauthentication. Here’s how to audit OAuth grants across Google Workspace and Microsoft 365 in a single afternoon.

OAuth Is Quiet — That’s the Problem
OAuth is one of the most powerful mechanisms in modern SaaS environments.
It allows:
Third-party applications to access files
AI assistants to read documents
Automation tools to sync data
Integrations to connect systems
All without storing passwords.
But OAuth grants are often:
Persistent
Broad in scope
Rarely reviewed
Detached from user lifecycle controls
If you are concerned about AI usage in your organization, understanding OAuth exposure is critical — because almost every SaaS service now leverages AI, and many of those AI features operate through OAuth permissions.
If an AI-enabled application has file access through OAuth, it can process that data — whether security reviewed it or not.
Why OAuth Audits Matter More Than Ever
According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:
97% of SaaS applications are unknown to IT
1% of SaaS apps use OAuth, with a subset requesting high-risk scopes
Less than 1% of SaaS accounts enforce MFA
OAuth grants routinely sidestep SSO enforcement and MFA reauthentication: the consent prompt happens once, and from then on the application redeems its refresh token directly with Google or Microsoft, with no interactive sign-in or MFA prompt unless the grant is revoked or a session policy forces reauthentication.
CISA's Secure Cloud Business Applications (SCuBA) guidance highlights delegated permissions as durable access paths that can survive offboarding and evade centralized control: https://www.cisa.gov/secure-cloud-business-applications-scuba
An OAuth grant can outlive the employee who created it.
A Practical OAuth Audit Plan (One Afternoon)
Step 1: Export OAuth Grants from Google Workspace
In Google Admin Console:
Go to Security → Access and data control → API controls
Under App access control, open Manage Third-Party App Access to list connected applications and the scopes each has been granted
Export:
Connected applications
OAuth scopes granted
Associated users (per-user grants are shown under each user's Security settings; for a tenant-wide export, call the Admin SDK Directory API tokens.list method for each user)
Focus on applications requesting:
Google Drive read/write (https://www.googleapis.com/auth/drive)
Gmail access (https://mail.google.com/ or the gmail.* scopes)
Admin-level scopes (admin.directory.*)
Offline access (Google requests a refresh token with access_type=offline rather than a separate scope, so it is not visible in the scope list; treat every connected application as persistent until you confirm otherwise)
High-risk scopes combined with persistent access should be escalated.
Step 2: Export OAuth & Enterprise App Permissions from Microsoft 365
In Microsoft Entra ID (formerly Azure AD):
Go to Enterprise applications, open each app and review its Permissions blade
Export (the portal shows permissions one app at a time; for a tenant-wide export query Microsoft Graph):
Delegated permissions (GET /oauth2PermissionGrants; consentType shows whether an admin granted the scopes for AllPrincipals or a user consented for a single Principal)
Application permissions (appRoleAssignments on the client service principal, resolved to names through the resource service principal's appRoles)
Admin consent status
Pay attention to:
Files.ReadWrite.All
Directory.ReadWrite.All
Mail.Read and Mail.ReadWrite
offline_access (a refresh token has been issued)
Application permissions are particularly sensitive because they can operate without user interaction.
Step 3: Classify OAuth Grants by Risk
For each OAuth-connected app, evaluate:
Data Reach
Does it access files, inboxes, or directory data?
Scope Breadth
Read-only vs read/write vs admin-level?
Persistence
Does it have offline access or long-lived tokens?
AI Enablement
Does the platform leverage AI features that process data?
Because nearly every SaaS platform now integrates AI, OAuth access often means AI has visibility into corporate data.
If you cannot answer how that data is processed, you have governance exposure.
Step 4: Identify Ownership Gaps
For each high-risk OAuth app, ask:
Who approved it?
Is it still needed?
Is there a business owner?
Can it be revoked centrally?
Frameworks like the NIST Privacy Framework and ISO/IEC 27001 emphasize accountability and traceability across systems. An OAuth grant with no owner fails both tests, so unowned grants are compliance risks as well as security risks.
Step 5: Revoke or Restrict High-Risk Access
Focus first on:
Apps with broad file access
AI-enabled platforms processing sensitive data
Tokens belonging to former employees
Applications without clear ownership
OAuth audits are not theoretical exercises.
They are immediate attack surface reduction.
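As an added example (not Waldo Security's tool, and not code from this post), the script below carries Steps 1 to 5 through in one pass: it takes grants exported from both tenants, normalizes them into one record type, scores each one against the Step 3 criteria (data reach, scope breadth, persistence, application permissions with no user context) and flags the Step 5 priorities, including grants held by suspended or disabled users. The input records are constructed samples shaped like Directory API tokens.list items and Graph oauth2PermissionGrants / appRoleAssignments resources; the policy table, weights, threshold, service-principal names and role identifiers are assumptions to replace with your own data and policy.

```python
"""Rank OAuth grants exported from Google Workspace and Microsoft 365 by risk.
Added example, not Waldo Security's tooling. Input shapes follow Directory API
tokens.list items and Graph oauth2PermissionGrants / appRoleAssignments;
all records below are constructed sample data, not a real tenant."""
from dataclasses import dataclass

# Scope -> (data reach, breadth). Illustrative policy table (assumption): extend
# it from Google's OAuth scope list and the Graph permissions reference.
SCOPE_POLICY = {
    "https://mail.google.com/": ("mail", "readwrite"),
    "https://www.googleapis.com/auth/gmail.readonly": ("mail", "read"),
    "https://www.googleapis.com/auth/drive": ("files", "readwrite"),
    "https://www.googleapis.com/auth/drive.readonly": ("files", "read"),
    "https://www.googleapis.com/auth/admin.directory.user": ("directory", "admin"),
    "Mail.ReadWrite": ("mail", "readwrite"), "Mail.Read": ("mail", "read"),
    "Files.ReadWrite.All": ("files", "readwrite"), "Files.Read.All": ("files", "read"),
    "Directory.ReadWrite.All": ("directory", "admin"),
    "Directory.Read.All": ("directory", "read"),
}
BREADTH_WEIGHT = {"read": 1, "readwrite": 2, "admin": 3}

@dataclass
class Grant:
    platform: str      # "google" or "microsoft"
    app: str
    principal: str     # consenting user, or "<tenant>" for admin/app-only grants
    scopes: tuple
    persistent: bool   # a refresh token exists
    app_only: bool     # Microsoft application permission: runs with no user
    user_active: bool  # False if the consenting user is suspended/disabled

def google_grants(tokens, users):
    """Directory API tokens.list items -> Grants. Assumption: a listed token
    implies a refresh token, so every Google grant counts as persistent."""
    suspended = {u["primaryEmail"] for u in users if u.get("suspended")}
    return [Grant("google", t["displayText"], t["userKey"], tuple(t["scopes"]),
                  True, False, t["userKey"] not in suspended) for t in tokens]

def microsoft_grants(oauth_grants, role_assignments, sp_names, users, role_names):
    """Graph oauth2PermissionGrants (delegated) and appRoleAssignments with
    principalType ServicePrincipal (application permissions) -> Grants."""
    disabled = {u["id"] for u in users if not u.get("accountEnabled", True)}
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    out = []
    for g in oauth_grants:
        scopes = tuple(g["scope"].split())
        tenant_wide = g["consentType"] == "AllPrincipals"
        pid = g.get("principalId")
        out.append(Grant("microsoft", sp_names[g["clientId"]],
                         "<tenant>" if tenant_wide else upn[pid], scopes,
                         "offline_access" in scopes, False,
                         tenant_wide or pid not in disabled))
    for a in role_assignments:
        if a["principalType"] == "ServicePrincipal":
            out.append(Grant("microsoft", sp_names[a["principalId"]], "<tenant>",
                             (role_names[a["appRoleId"]],), True, True, True))
    return out

def score(g):
    """Additive risk score plus the reasons, so the triage list is explainable."""
    points, reasons = 0, []
    for s in g.scopes:
        reach, breadth = SCOPE_POLICY.get(s, (None, None))
        if reach:
            points += BREADTH_WEIGHT[breadth]
            reasons.append(f"{reach}:{breadth}")
    if g.app_only:
        points, reasons = points + 3, reasons + ["application permission, no user context"]
    elif g.persistent:
        points, reasons = points + 2, reasons + ["persistent refresh token"]
    if not g.user_active:
        points, reasons = points + 3, reasons + ["consenting user is suspended/disabled"]
    if g.principal == "<tenant>":
        points, reasons = points + 1, reasons + ["tenant-wide"]
    return points, reasons

def triage(grants, threshold=3):
    """(score, grant, reasons) for grants at or above threshold, worst first."""
    ranked = [(s, g, r) for g in grants for s, r in [score(g)] if s >= threshold]
    return sorted(ranked, key=lambda row: -row[0])

# --- constructed sample exports (not real data) ---
GOOGLE_TOKENS = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "DocSummarizer AI",
     "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/drive",
                                               "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "userKey": "bob@example.com", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
GOOGLE_USERS = [{"primaryEmail": "alice@example.com", "suspended": True},   # offboarded
                {"primaryEmail": "bob@example.com", "suspended": False}]
MS_USERS = [{"id": "u1", "userPrincipalName": "carol@example.com", "accountEnabled": True}]
MS_SP_NAMES = {"sp-copilot": "Inbox Copilot", "sp-backup": "Tenant Backup"}
MS_OAUTH_GRANTS = [{"clientId": "sp-copilot", "consentType": "Principal", "principalId": "u1",
                    "resourceId": "sp-graph", "scope": "Files.Read.All offline_access User.Read"}]
MS_ROLE_ASSIGNMENTS = [{"principalId": "sp-backup", "principalType": "ServicePrincipal",
                        "resourceId": "sp-graph", "appRoleId": "role-1"}]
MS_ROLE_NAMES = {"role-1": "Files.ReadWrite.All"}  # build from the resource SP's appRoles

def run_audit():
    grants = google_grants(GOOGLE_TOKENS, GOOGLE_USERS) + microsoft_grants(
        MS_OAUTH_GRANTS, MS_ROLE_ASSIGNMENTS, MS_SP_NAMES, MS_USERS, MS_ROLE_NAMES)
    return triage(grants)

if __name__ == "__main__":
    for s, g, reasons in run_audit():
        print(f"[{s}] {g.platform:9} {g.app:17} {g.principal:18} {'; '.join(reasons)}")
```

On the sample data the ranking comes out as the suspended user's Drive read/write grant first, the application-permission backup app second and the delegated mail-reading assistant third, while the read-only calendar sync falls below the threshold. To run it against a real tenant, fill GOOGLE_TOKENS from tokens.list per user, MS_OAUTH_GRANTS from GET /oauth2PermissionGrants and MS_ROLE_ASSIGNMENTS from GET /servicePrincipals/{id}/appRoleAssignments, resolving MS_ROLE_NAMES from the resource service principal's appRoles. Revocation for Step 5 is then the matching delete: Directory API tokens.delete on Google, and DELETE /oauth2PermissionGrants/{id} or DELETE /servicePrincipals/{id}/appRoleAssignments/{id} on Microsoft.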
The Faster Way: Use Automated OAuth Discovery
Manual audits work — once.
But OAuth environments change constantly.
New integrations appear daily. AI features expand quietly.
Waldo Security offers a Free OAuth Discovery Tool that helps organizations:
Discover OAuth-connected applications across Google and Microsoft
Identify high-risk scopes
Surface delegated access and application permissions
Highlight AI-enabled SaaS exposure
You can access it here:
If you are serious about understanding AI risk inside your SaaS ecosystem, auditing OAuth is the fastest place to start.
Why OAuth Discovery Is Foundational to AI Governance
AI governance begins with data access.
If an AI-powered SaaS application has OAuth access to:
Documents
Emails
Cloud storage
CRM records
Then AI systems are interacting with your data — whether you formally approved that workflow or not.
You cannot govern AI without governing OAuth.
And you cannot govern OAuth without discovering it first.
From One-Time Audit to Continuous Control
Waldo Security’s SaaS & Cloud Discovery Engine extends OAuth discovery by:
Identifying known and unknown SaaS platforms
Surfacing OAuth and non-human identities
Detecting Shadow CSP accounts
Mapping SaaS exposure to compliance and AI governance frameworks
Because almost every SaaS platform now leverages AI, OAuth visibility is no longer optional.
It is foundational.
Conclusion: OAuth Is the Quietest Risk in Your Environment
OAuth was designed for convenience.
But convenience without visibility creates exposure.
If you are concerned about:
Shadow SaaS
AI-driven data processing
Persistent delegated access
Compliance accountability
Start with OAuth.
Audit it.
Classify it.
Control it.
And if you want a faster way to begin, use Waldo Security’s Free OAuth Discovery Tool:
For broader SaaS and AI exposure insights, explore the 2025 SaaS & Cloud Discovery Report: https://www.waldosecurity.com/2025-saas-and-cloud-discovery-report
About Waldo Security
Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, Shadow IT, and AI-enabled SaaS exposure, Waldo enables security teams to defend the identity perimeter with continuous evidence.