How to Audit and Revoke Third-Party App Access

Article summary: Most businesses have connected dozens of third-party apps to their email, cloud storage, and collaboration tools, and then forgotten about them. A third-party app access audit lets you see exactly what’s connected, cut what isn’t needed, and close a security gap that’s easy to overlook. Done regularly, it takes under an hour and meaningfully shrinks your attack surface.

Think about the last time someone on your team signed up for a new productivity tool using “Sign in with Google” or “Connect to Microsoft 365.” 

It took about 10 seconds. The app got permission to read email, access files, or manage calendar entries. Then the team moved on. 

That happens dozens of times a year in a typical business.

The problem isn’t that your team uses connected apps. It’s that those connections rarely get reviewed. Over time, you end up with a growing list of third-party tools all with persistent access to your business data.

A regular third-party app access audit is how you get that list under control and keep it there. It’s one of the more practical “good” cybersecurity habits a business can build.

Why Connected App Permissions Are a Security Risk

When someone authorizes a third-party app, they’re granting it an OAuth token. This is a credential that lets the app access specific data on their behalf without needing their password. OAuth (Open Authorization) is the industry-standard protocol that powers “Sign in with Google” and similar flows.

The catch: those tokens don’t expire on their own. 

Unless someone actively revokes access, an authorized app keeps its permissions indefinitely. This happens even if the person who authorized it has left the company, the app is no longer in use, or the vendor behind it has changed hands. (The short-lived access token the app presents does time out, but the refresh token issued alongside it lets the app obtain a new one for as long as the grant stands, so the practical effect is the same.)

Attackers who exploited the 2024 Internet Archive breach used tokens that had remained valid and unrotated for 22 months.

That kind of long-lived, unmonitored access is a core reason third-party integrations make attractive targets. Dormant connections are forgotten backdoors.

Where to Look

The first step in a third-party app access audit is getting a full picture of what’s actually connected to your accounts. 

Here’s where to check in the two most common business platforms.

Google Workspace

In the Google Admin Console, navigate to Security > Access and Data Control > API Controls > App Access Control. 

This lists every third-party app authorized to access your Google Workspace data, along with the permissions each one holds.

Microsoft 365

In the Microsoft Entra Admin Center (formerly Azure Active Directory), go to Identity > Enterprise Applications. From there, you can review app permissions by user and see what each app has been granted access to.

For smaller teams without admin access, individual users can check their own connected apps. In Google, visit myaccount.google.com > Security > Third-party apps with account access. 

In Microsoft, check myapps.microsoft.com. Microsoft notes that users often click through consent prompts without reviewing the scope of what they’re granting.

How to Decide What to Keep and What to Cut

Not every connected app is a problem. The goal isn’t to disconnect everything. It’s to make sure each connection is deliberate and still justified.

Questions to ask about each app

  • Is this app still actively used? If nobody has opened it in six months, it probably doesn’t need ongoing access.

  • Does it need the permissions it has? An app asking for full email access when it only sends notifications is asking for more than it needs.

  • Was it authorized by a current employee? Former employees may have connected apps that are still active, even after their accounts were closed.

  • Is the vendor reputable? Look for a clear privacy policy, active maintenance, and a legitimate business presence.

Red flags to watch for

  • Apps you don’t recognize by name

  • Apps authorized by users who no longer work at the company

  • Apps with admin-level or full-mailbox access that aren’t business-critical tools

  • Apps that were authorized by a small number of users with no clear IT approval
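The questions and red flags in this section can be applied mechanically once the grant lists from the two consoles are exported. The Python script below is an added example, not code from the article or from BrainStomp. It normalizes constructed records shaped like the Google Admin SDK `users.tokens.list` output and Microsoft Graph `oauth2PermissionGrants` objects (the field names are those APIs' real ones; every app name, user, client ID and scope is invented), flags each grant against the checks above, and prints the delete call each platform exposes for revoking a grant. The approval register, departed-user list, broad-scope set and "few users" threshold are assumptions a team would replace with its own.

```python
"""Triage exported OAuth grants from Google Workspace and Microsoft Entra.

Added example, not code from the article. Input records are constructed to
mimic two real export shapes: Google Admin SDK `users.tokens.list` items and
Microsoft Graph `oauth2PermissionGrants` objects. The approval register,
departed-user list and broad-scope set are assumed values.
"""
from collections import Counter
from dataclasses import dataclass, field

# --- Constructed sample exports (all values invented) -----------------------
GOOGLE_TOKENS = [  # Admin SDK users.tokens.list items, one per user+app
    {"userKey": "ana@example.com", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "TeamChat",
     "scopes": ["https://www.googleapis.com/auth/calendar.events"]},
    {"userKey": "bob@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "InvoiceBot", "scopes": ["https://mail.google.com/"]},
    {"userKey": "cleo@example.com", "clientId": "3333.apps.googleusercontent.com",
     "displayText": "PDF Quick Convert",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]
ENTRA_GRANTS = [  # Graph oauth2PermissionGrants; "scope" is space-separated
    {"id": "grant-001", "clientId": "sp-aaa", "consentType": "Principal",
     "principalId": "u-dave", "scope": "Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "grant-002", "clientId": "sp-bbb", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Calendars.Read"},
]
ENTRA_SERVICE_PRINCIPALS = {"sp-aaa": "Mailbox Sync Pro", "sp-bbb": "HR Portal"}
ENTRA_USERS = {"u-dave": "dave@example.com"}

# --- Review inputs a team maintains itself (assumed values) -----------------
APPROVED_APPS = {"TeamChat", "HR Portal"}   # IT approval register
DEPARTED_USERS = {"bob@example.com"}         # from the offboarding list
BROAD_SCOPES = {                             # full-mailbox, full-drive, admin-level
    "https://mail.google.com/", "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite", "Mail.ReadWrite.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
}
FEW_USERS = 3   # "authorized by a small number of users" threshold


@dataclass
class Grant:
    platform: str
    app: str
    user: str          # "ALL USERS" for tenant-wide admin consent
    scopes: tuple
    revoke_ref: str    # what the platform's revoke call identifies the grant by
    flags: list = field(default_factory=list)


def normalize_google(tokens):
    return [Grant("google", t["displayText"], t["userKey"], tuple(t["scopes"]),
                  t["clientId"]) for t in tokens]


def normalize_entra(grants, service_principals, users):
    out = []
    for g in grants:
        if g["consentType"] == "AllPrincipals":
            user = "ALL USERS"
        else:
            user = users.get(g["principalId"], g["principalId"])
        out.append(Grant("entra", service_principals.get(g["clientId"], g["clientId"]),
                         user, tuple(g["scope"].split()), g["id"]))
    return out


def triage(grants):
    """Attach the article's red flags to each grant; return the flagged ones."""
    users_per_app = Counter(g.app for g in grants if g.user != "ALL USERS")
    for g in grants:
        if g.app not in APPROVED_APPS:
            g.flags.append("not in IT approval register")
            if 0 < users_per_app[g.app] < FEW_USERS:
                g.flags.append(f"only {users_per_app[g.app]} user(s) authorized it")
        if g.user in DEPARTED_USERS:
            g.flags.append("authorized by a departed user")
        broad = sorted(set(g.scopes) & BROAD_SCOPES)
        if broad and g.app not in APPROVED_APPS:   # broad access on a non-approved tool
            g.flags.append("broad scope: " + ", ".join(broad))
    return [g for g in grants if g.flags]


def revocation_request(g):
    """Method and URL of the platform's delete call for a flagged grant.

    Admin SDK users.tokens.delete and Graph oauth2PermissionGrants delete;
    the caller supplies admin credentials.
    """
    if g.platform == "google":
        return ("DELETE", "https://admin.googleapis.com/admin/directory/v1/users/"
                          f"{g.user}/tokens/{g.revoke_ref}")
    return ("DELETE",
            f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{g.revoke_ref}")


def run_review():
    grants = normalize_google(GOOGLE_TOKENS) + normalize_entra(
        ENTRA_GRANTS, ENTRA_SERVICE_PRINCIPALS, ENTRA_USERS)
    flagged = triage(grants)
    for g in flagged:
        print(f"[{g.platform}] {g.app} ({g.user}): {'; '.join(g.flags)}")
        print("   revoke with:", *revocation_request(g))
    return flagged


if __name__ == "__main__":
    run_review()
```

On this constructed data, TeamChat and the tenant-wide HR Portal pass clean, while the three unregistered apps are flagged; InvoiceBot collects all four flags because it was connected by a departed user with full mailbox scope. The approved-app check is deliberately the gate for the broad-scope flag, matching the article's point that admin-level access is only a red flag on tools that are not business-critical.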

How to Revoke Access

Once you’ve identified apps to remove, the process is straightforward.

In Google Workspace, select the app in the Admin Console and choose “Block Access,” or remove the specific OAuth grant from an individual user’s account. 

In Microsoft 365, go to the Enterprise Applications page in Entra and remove the app’s assignment. Individual users can also disconnect apps directly from their personal security settings.

After revoking access, it’s good practice to rotate passwords for connected accounts.

A few habits that keep things manageable going forward:

  • Run an app access review at least quarterly

  • Require IT approval before new apps are connected to company accounts

  • Add app revocation to your employee offboarding checklist

Ready to Get Your App Permissions Under Control?

Third-party app access is one of those areas where businesses often have more exposure than they realize. The apps themselves aren’t the problem. The unmanaged access is.

A quarterly review, a clear approval process, and a solid offboarding checklist will cover most of the risk. None of it requires specialized tools or deep technical expertise. It does require someone to own the process.

If you’d like help running your first audit, setting up ongoing monitoring, or building an app approval workflow for your team, BrainStomp can help. Reach out at brainstomp.com/contact.

Article FAQs

What is a third-party app access audit?

It’s a review of all external applications that have been granted permission to access your business accounts to confirm each one is still needed and appropriately scoped.

How often should I audit third-party app permissions?

Quarterly is a reasonable baseline for most businesses. High-risk environments or those handling regulated data may want to review monthly. At minimum, run a check whenever an employee leaves the company.

Do OAuth tokens expire on their own?

Not usually. Most OAuth tokens remain valid until someone actively revokes them. That means apps you authorized years ago may still have access to your accounts today.

What should I do if I find an app I don’t recognize?

Revoke its access immediately. Then check any available audit logs for that app to see what data it may have accessed. If you see anything unusual, treat it as a potential security incident and investigate further.
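For the Google Workspace case, the token audit log (Reports API, applicationName=token) records each authorization, each API call an app makes with a user's token, and each revocation. The script below is an added example, not code from the article or from BrainStomp. It runs over constructed records that follow that response shape (the event names and parameter names are the API's public ones; every timestamp, user, app, client ID and byte count is invented) and summarizes, per user, what one suspect client ID was granted and what it actually pulled, which is the "check the audit logs" step described above.

```python
"""Summarize Google Workspace token-audit events for one suspect app.

Added example, not code from the article. Records are constructed to follow
the Reports API `activities.list` response for applicationName=token: events
named authorize / activity / revoke carrying client_id, app_name, scope,
api_name, method_name and num_response_bytes parameters. Values are invented.
"""
from collections import defaultdict

TOKEN_AUDIT = [  # constructed activities.list items
    {"id": {"time": "2024-03-02T09:14:00Z", "applicationName": "token"},
     "actor": {"email": "cleo@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "3333.apps.googleusercontent.com"},
         {"name": "app_name", "value": "PDF Quick Convert"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2024-03-02T09:15:30Z", "applicationName": "token"},
     "actor": {"email": "cleo@example.com"},
     "events": [{"name": "activity", "parameters": [
         {"name": "client_id", "value": "3333.apps.googleusercontent.com"},
         {"name": "app_name", "value": "PDF Quick Convert"},
         {"name": "api_name", "value": "drive"},
         {"name": "method_name", "value": "drive.files.list"},
         {"name": "num_response_bytes", "intValue": "48210"}]}]},
    {"id": {"time": "2024-09-18T02:40:11Z", "applicationName": "token"},
     "actor": {"email": "cleo@example.com"},
     "events": [{"name": "activity", "parameters": [
         {"name": "client_id", "value": "3333.apps.googleusercontent.com"},
         {"name": "app_name", "value": "PDF Quick Convert"},
         {"name": "api_name", "value": "drive"},
         {"name": "method_name", "value": "drive.files.get"},
         {"name": "num_response_bytes", "intValue": "93120044"}]}]},
    {"id": {"time": "2024-09-18T02:41:00Z", "applicationName": "token"},
     "actor": {"email": "ana@example.com"},
     "events": [{"name": "activity", "parameters": [
         {"name": "client_id", "value": "1111.apps.googleusercontent.com"},
         {"name": "app_name", "value": "TeamChat"},
         {"name": "api_name", "value": "calendar"},
         {"name": "method_name", "value": "calendar.events.list"},
         {"name": "num_response_bytes", "intValue": "1200"}]}]},
]


def params(event):
    """Flatten an event's parameter list into a dict (value/intValue/multiValue)."""
    out = {}
    for p in event["parameters"]:
        out[p["name"]] = p.get("value", p.get("intValue", p.get("multiValue")))
    return out


def summarize_app(items, client_id):
    """Per-user view of one client_id: granted scopes, API methods called,
    bytes returned, and first/last time it appears in the log."""
    summary = defaultdict(lambda: {"scopes": set(), "methods": defaultdict(int),
                                   "bytes": 0, "first": None, "last": None})
    for item in items:
        for ev in item["events"]:
            p = params(ev)
            if p.get("client_id") != client_id:
                continue          # other apps' events are ignored
            s = summary[item["actor"]["email"]]
            t = item["id"]["time"]  # RFC 3339 UTC, so string order is time order
            s["first"] = min(s["first"] or t, t)
            s["last"] = max(s["last"] or t, t)
            if ev["name"] == "authorize":
                s["scopes"].update(p.get("scope") or [])
            elif ev["name"] == "activity":
                s["methods"][p["method_name"]] += 1
                s["bytes"] += int(p.get("num_response_bytes") or 0)
    return dict(summary)


if __name__ == "__main__":
    for user, s in summarize_app(TOKEN_AUDIT, "3333.apps.googleusercontent.com").items():
        print(user, sorted(s["scopes"]), dict(s["methods"]), s["bytes"], s["first"], s["last"])
```

In the constructed log the suspect app was authorized once for full Drive scope, listed files the same day, then pulled roughly 93 MB in a single off-hours file fetch six months later. That gap between authorization and heavy use is exactly what a plain console listing of connected apps does not show, and what the "anything unusual" judgement in the answer above should rest on.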

Can individual employees revoke app access themselves?

Yes. In Google, users can visit myaccount.google.com > Security > Third-party apps with account access. In Microsoft, myapps.microsoft.com shows connected apps. That said, admins should also manage this at the organizational level to ensure full visibility across the business.