How to Audit and Revoke Third-Party App Permissions

Article summary: A third-party app permission audit gives you a clear picture of what has access to your data, cuts what isn’t needed, and closes a security gap that grows quietly over time. Quarterly reviews and a clear offboarding process cover most of the risk.

Think about the last time someone on your team connected a scheduling tool, a productivity app, or a design platform to your Google or Microsoft account. They clicked “authorize,” granted permissions, and moved on.

The problem is that authorization doesn’t expire. That app still has access today, even if the person who authorized it has left the company, the app is no longer in use, or the vendor has changed hands. 

A third-party app permission audit is how you find these forgotten connections and cut the ones that no longer belong. It’s one of the most overlooked steps in business security maintenance and one of the most consequential.

Why Forgotten App Permissions Are a Security Problem

When someone authorizes a third-party app, they consent to the provider issuing that app OAuth tokens: credentials that let the app act on their behalf against specific data, with no password involved. OAuth (Open Authorization) is the industry-standard delegation protocol behind “Sign in with Google” and similar flows.

The catch: the grant does not expire on its own. The access token the app presents is short-lived (an hour is typical), but the refresh token issued alongside it lets the app obtain a fresh access token whenever it wants, for as long as the grant stands. Some providers do retire refresh tokens after a long stretch of inactivity, but an app that polls your mail or files every few minutes is never inactive. Unless someone revokes the grant, the access remains valid indefinitely.

In the October 2024 Internet Archive breach, attackers used a long-lived API token that had been exposed and left unrotated for roughly 22 months, and claimed to have pulled around 7 terabytes of data through it. That token was not a user-consented OAuth grant, but the lesson is the same: a credential that nobody rotates or revokes stays usable for as long as it exists.

According to analysis by Palo Alto Networks Unit 42, dormant integrations are forgotten backdoors. Even if the app itself is trustworthy, old grants accumulate and expand your attack surface without anyone noticing; if the vendor is ever breached, every grant still standing goes with it.

What to Look for in an App Permission Audit

An audit surfaces three categories of problems:

  • Apps connected by employees who have since left the company, whose permissions were never revoked
  • Apps that are no longer in use but still have access to email, files, or contacts
  • Apps with broader permissions than they need, such as read/write access to all files when they only require calendar data

The third category is the most common and the most overlooked.

Many apps request the broadest permissions at setup because it is simpler for the vendor to build that way. Trimming the scope usually means revoking the grant and re-authorizing the app with only the scopes it needs (or, in the admin console, capping the scopes the app is allowed to request); an app that genuinely needs only calendar data keeps working with nothing lost.

Verizon’s 2025 Data Breach Investigations Report again identifies stolen credentials as one of the leading ways attackers get in. A token held by an over-permissioned third-party integration is a credential in exactly that sense: it authenticates whoever holds it, with no password and no MFA prompt.

Reducing unnecessary access is one of the most direct ways to shrink the attack surface. Third-party apps that are no longer needed represent standing access with no justification.

How to Run the Audit

Google Workspace

Users can review their own grants at myaccount.google.com/permissions (Security > Your connections to third-party apps & services in the current layout; older layouts call it Third-party apps with account access). Each entry shows what data the app can reach and lets the user remove the access.

Admins can see and manage every app in use across the organization through the Google Workspace Admin console under Security > Access and data control > API controls. From there, you can mark an app Trusted, Limited, or Blocked, restrict which scopes unconfigured apps may request, or allow only approved apps. To see what a particular user has granted, open the user’s account page, where Connected applications lists each app and its scopes with a Remove option; the Admin SDK Directory API exposes the same data (users.tokens.list and users.tokens.delete) if you want to script the review.

Microsoft 365

Individual users can review and revoke the apps they consented to at myapps.microsoft.com. Admins have the complete view through the Microsoft Entra admin center (formerly Azure Active Directory) under Identity > Applications > Enterprise applications.

Each app’s Permissions page lists admin consent and user consent separately: which scopes were granted, whether they are delegated (the app acts as a signed-in user) or application permissions (app-only access that is tied to no user at all), and which users consented. Revoke from that page, by deleting the oAuth2PermissionGrant object through Microsoft Graph or PowerShell (Remove-MgOauth2PermissionGrant), or by deleting the enterprise application outright; removing a user’s app assignment on its own does not revoke anything. Deleting the grant only stops new tokens from being issued, so follow up by revoking the affected users’ sign-in sessions (Revoke-MgUserSignInSession), which invalidates the refresh tokens the app already holds.
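The three checks described in the audit section (departed users, unused or unapproved apps, and scopes beyond what an app needs) apply the same way on both platforms, so here is one small audit in Python that runs them over grants from Google Workspace and Microsoft Entra ID together. This is an added example written for this article, not code from the article, Google, or Microsoft. The record shapes mirror the Admin SDK Directory API users.tokens.list items and the Microsoft Graph oauth2PermissionGrant resource; the users, apps, client ids and scopes in the sample are constructed, the approved-app policy and the high-risk scope set are assumptions you would replace with your own, and the admin and graph client objects are assumed to be created and authenticated by the caller.

```python
"""Audit OAuth grants from Google Workspace and Microsoft Entra ID against one policy. Added illustration,
not the article's or either vendor's code; record shapes mirror Admin SDK users.tokens.list items and the
Graph oauth2PermissionGrant resource. All sample data is constructed."""
from dataclasses import dataclass

# Scopes treated as high risk (broad mail/file access, directory write). Assumption: adapt to your policy.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/", "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "Mail.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All"})

@dataclass(frozen=True)
class Grant:
    platform: str      # "google" or "microsoft"
    user: str          # user the app acts for; "*" for a tenant-wide admin consent
    app_id: str        # Google OAuth clientId or Entra service principal object id
    app_name: str      # display name: chosen by the vendor, never a basis for policy
    scopes: frozenset
    ref: str           # Graph grant id needed for revocation; "" on Google

@dataclass
class Finding:
    grant: Grant
    reason: str        # "departed user" | "unapproved app" | "over-scoped"
    excess: tuple = () # scopes beyond policy (over-scoped only)

    @property
    def high_risk(self) -> bool:
        return self.grant.user == "*" or bool(self.grant.scopes & HIGH_RISK_SCOPES)

def from_google_tokens(user_key: str, tokens: list) -> list:
    """tokens: items of admin.tokens().list(userKey=...) -> clientId, displayText, scopes."""
    return [Grant("google", user_key, t["clientId"], t.get("displayText", t["clientId"]),
                  frozenset(t.get("scopes", [])), "") for t in tokens]

def from_graph_grants(grants: list, sp_names: dict, user_upns: dict) -> list:
    """grants: items of GET /oauth2PermissionGrants -> id, clientId, consentType, principalId, scope."""
    def user_of(g):  # consentType AllPrincipals means an admin consented on behalf of every user
        return "*" if g["consentType"] == "AllPrincipals" else user_upns.get(g["principalId"], g["principalId"])
    return [Grant("microsoft", user_of(g), g["clientId"], sp_names.get(g["clientId"], g["clientId"]),
                  frozenset(g["scope"].split()), g["id"]) for g in grants]

def audit(grants: list, departed: set, approved: dict) -> list:
    """approved maps app_id -> the most scopes that app may hold; keyed by id, not by display name."""
    findings = []
    for g in grants:
        if g.user in departed:
            findings.append(Finding(g, "departed user"))
        elif g.app_id not in approved:
            findings.append(Finding(g, "unapproved app"))
        elif g.scopes - approved[g.app_id]:
            findings.append(Finding(g, "over-scoped", tuple(sorted(g.scopes - approved[g.app_id]))))
    return findings

def revoke(f: Finding, admin=None, graph=None, dry_run=True) -> list:
    """Return the API calls that revoke the grant; perform them when dry_run is False. admin: googleapiclient
    Resource for admin/directory_v1; graph: requests.Session carrying a Graph bearer token (both assumed)."""
    g = f.grant
    if g.platform == "google":  # deleting the token record revokes the app's refresh token
        calls = [f"DELETE admin/directory/v1/users/{g.user}/tokens/{g.app_id}"]
        if not dry_run:
            admin.tokens().delete(userKey=g.user, clientId=g.app_id).execute()
        return calls
    calls = [f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{g.ref}"]
    if g.user != "*":  # removing the grant stops new tokens; also invalidate refresh tokens already issued
        calls.append(f"POST https://graph.microsoft.com/v1.0/users/{g.user}/revokeSignInSessions")
    if not dry_run:
        for call in calls:
            method, url = call.split(" ", 1)
            graph.request(method, url).raise_for_status()
    return calls

def run_sample() -> list:
    """Constructed sample: two Workspace users' tokens plus one tenant's Graph grant listing."""
    cal, drive, drive_file, email = ("https://www.googleapis.com/auth/" + s
                                     for s in ("calendar.readonly", "drive", "drive.file", "userinfo.email"))
    google = {"alice@example.com": [{"clientId": "1111.apps.googleusercontent.com",
                                     "displayText": "CalendarSync", "scopes": [cal]}],
              "bob@example.com": [{"clientId": "2222.apps.googleusercontent.com",
                                   "displayText": "DesignBoard", "scopes": [drive, email]},
                                  {"clientId": "3333.apps.googleusercontent.com",
                                   "displayText": "OldScheduler", "scopes": [cal]}]}
    graph = [{"id": "g1", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-bob",
              "scope": "Calendars.Read User.Read"},
             {"id": "g2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
              "scope": "Mail.ReadWrite Files.ReadWrite.All"},
             {"id": "g3", "clientId": "sp-3", "consentType": "Principal", "principalId": "u-alice",
              "scope": "Files.Read"}]
    grants = [g for user, toks in google.items() for g in from_google_tokens(user, toks)]
    grants += from_graph_grants(graph, {"sp-1": "CalendarSync", "sp-2": "MailArchiver", "sp-3": "FileViewer"},
                                {"u-bob": "bob@example.com", "u-alice": "alice@example.com"})
    departed = {"alice@example.com"}  # from the offboarding list (assumed)
    approved = {"1111.apps.googleusercontent.com": frozenset({cal}),  # app_id -> allowed scopes
                "2222.apps.googleusercontent.com": frozenset({drive_file, email}),
                "sp-1": frozenset({"Calendars.Read", "User.Read"})}
    return audit(grants, departed, approved)

if __name__ == "__main__":
    for f in run_sample():
        print("HIGH" if f.high_risk else "low ", f.grant.platform, f.grant.user, f.grant.app_name,
              f.reason, *f.excess, *revoke(f), sep=" | ")
```

Run it as a script and it prints five findings with the exact revocation calls, without making any of them; pass dry_run=False and real client objects to execute them. Two design choices matter for a real deployment: the policy is keyed by client id or service principal id, never by display name, because the name is whatever the vendor (or an attacker registering a look-alike app) chose; and on the Microsoft side every revocation of a user grant is paired with revokeSignInSessions, since deleting the grant alone leaves already-issued refresh tokens usable until they expire. A tenant-wide (AllPrincipals) grant has no user whose sessions can be revoked, which is why that case gets only the grant deletion and is flagged high risk on its own.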

After revoking access

After revoking access from apps that shouldn’t have it, make sure the revocation actually took: a password change does not reliably invalidate refresh tokens an app already holds, so in Entra revoke the affected users’ sign-in sessions, and in Google Workspace confirm the app no longer appears under the user’s Connected applications. Rotate the password as well if you suspect the account itself was compromised. Then set a 90-day reminder to repeat the audit.

This is the same diligence explored in our post on ghost accounts and forgotten app access: get visibility over what has access, and remove it promptly once it is no longer needed.

Making the Habit Stick

A single audit fixes today’s problem. A repeatable process prevents future ones. Three habits that keep third-party app access manageable:

  • Require IT approval before employees connect new apps to company accounts, and enforce it in the platform: Google’s API controls can block unconfigured apps, and Entra’s user consent settings can turn off user consent and route requests through the admin consent workflow
  • Include app permission reviews in your employee offboarding checklist
  • Run a full org-wide audit at least quarterly. Block the time now

This connects directly to the principle in our post on moving beyond basic compliance reviews: every access credential, including OAuth tokens, deserves the same scrutiny as a password. Treat them accordingly.

For organizations using Microsoft 365, Microsoft’s guidance on managing OAuth apps (part of Microsoft Defender for Cloud Apps) provides a detailed walkthrough of investigation and remediation. The documentation also covers policy-based monitoring that alerts on new or high-permission apps, for teams that want to move beyond manual quarterly reviews.

Ready to Get Visibility Into Your App Permissions?

Third-party app access is one of those areas where most businesses have more exposure than they realize. Unmanaged access is the problem, not the apps themselves. A quarterly review, a clear approval process, and a solid offboarding checklist cover most of the risk.

Unbound Digital helps small businesses identify, review, and manage third-party app permissions as part of a broader security posture assessment. Call us at 423-467-7777 or contact us online to schedule a consultation.

Article FAQs

Why don’t OAuth tokens expire on their own?

Access tokens do expire, usually within an hour. What keeps an app connected is the refresh token it received when the user consented: OAuth is designed for persistent, delegated access without a password, so the app can keep trading that refresh token for new access tokens until the grant is explicitly revoked (or, on some providers, until a long period of inactivity). Abandoned apps therefore stay connected indefinitely unless someone actively removes them.

What happens if I just delete a user account without revoking their app permissions?

It depends on the platform and on how the account was removed. Apps the user authorized with delegated permissions generally stop working once the account is truly gone, but accounts are often suspended, converted to a shared mailbox, or kept for data retention rather than deleted, and in those states the grants stay live. Admin-consented application permissions are not tied to any user at all and survive offboarding entirely. Explicit revocation through the admin console is the only way to be sure.

How often should we audit third-party app permissions?

Quarterly is a practical starting point. You should also review permissions whenever an employee leaves the company, whenever a vendor relationship ends, and any time you become aware of a breach involving a platform you’re connected to.

Are all third-party app connections risky?

Not inherently. The risk comes from unmanaged access: apps with permissions broader than they need, apps no longer in use, and tokens that have outlived their purpose. A review process that keeps permissions current and minimal is sufficient for most small businesses.