OAuth Apps
Review and manage OAuth applications that have been granted access to your Microsoft 365 environment. Monitor app permissions, user consents, and data access to identify overprivileged or risky applications.
Warning: OAuth apps can access Microsoft 365 data on behalf of users. Malicious apps may abuse consent grants for data theft or account takeover. Regular review is essential.
App Overview
- 156 — Total Apps
- 8 — High Privilege
- 23 — Unverified Publisher
- 89 — Microsoft Verified
App Categories
Enterprise Apps
Service principals for third-party SaaS applications. Typically added via admin consent or user consent with IT approval.
User Consented Apps
Apps individual users have granted permissions to. May include personal productivity tools or browser extensions.
Microsoft First-Party
Microsoft’s own applications, including Office, Teams, and Power Platform. Pre-authorized with appropriate permissions.
Line of Business Apps
Custom applications registered in your tenant. Developed internally or by partners specifically for your organization.
App Details
| Property | Description |
|---|---|
| App Name | Display name of the application |
| Publisher | Company or developer who created the app |
| Verification Status | Microsoft verified, Publisher attested, or Unverified |
| Consent Type | Admin consent or User consent |
| Permissions | Delegated and application permissions granted |
| Users | Number of users who have consented |
| Last Used | Most recent API access by the app |
Permission Types
Delegated Permissions
App acts on behalf of a signed-in user. Access limited to what the user can access. Most common for user-facing apps.
- User.Read — Read user profile
- Mail.Read — Read user’s mail
- Files.Read — Read user’s files
Application Permissions
App acts as itself without a user. Can access all data of the granted type. Higher risk — requires admin consent.
- Mail.Read.All — Read all mailboxes
- User.Read.All — Read all users
- Directory.Read.All — Read directory
High-Risk Permissions
These permissions grant extensive access and should be carefully reviewed:
Mail & Calendar
- Mail.ReadWrite.All
- Mail.Send
- Calendars.ReadWrite.All
Directory & Users
- Directory.ReadWrite.All
- User.ReadWrite.All
- RoleManagement.ReadWrite.Directory
Files & Sites
- Files.ReadWrite.All
- Sites.FullControl.All
- Sites.ReadWrite.All
Application
- Application.ReadWrite.All
- AppRoleAssignment.ReadWrite.All
App Actions
Review Permissions
Examine all granted permissions. Verify they align with the app’s stated purpose and business need.
Revoke Consent
Remove user consents or admin consent. App loses access to Microsoft 365 data immediately.
Block App
Disable the application entirely. Users cannot sign in or grant new consents.
View Activity
Check sign-in logs and audit logs for app activity. Identify unusual data access patterns.
Consent Settings
User Consent Settings
Control what apps users can consent to without admin approval:
- Allow user consent for all apps — Users can consent to any app (not recommended)
- Allow user consent for verified publishers — Only Microsoft-verified publishers (recommended)
- Do not allow user consent — All apps require admin consent
Admin Consent Workflow
When users request access to apps requiring admin consent, requests are sent to designated approvers. Configure which admins can approve and notification settings.
Risk Indicators
Unverified Publisher with High Privileges
Apps from unknown publishers requesting sensitive permissions like Mail.ReadWrite.All should be treated with extreme caution.
Recently Created App with Broad Consent
New apps that quickly gain many user consents may indicate a phishing or consent grant attack.
Overprivileged App
Apps requesting more permissions than needed for their stated function should be reviewed.
Dormant App with Permissions
Apps that haven’t been used recently but retain access permissions. Consider revoking unused consents.
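The High-Risk Permissions list and the Risk Indicators above can be turned into a simple triage check over app records. The following is an added example, not code from this tool; the record field names (verified, users, created, last_used, permissions) and the thresholds (14 days, 20 consents, 90 days) are assumptions, and the app records are constructed samples.

```python
from datetime import datetime, timedelta, timezone

# Permission names taken from this page's "High-Risk Permissions" section.
HIGH_RISK = {
    "Mail.ReadWrite.All", "Mail.Send", "Calendars.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Files.ReadWrite.All", "Sites.FullControl.All", "Sites.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample app records; the field names are assumptions, not the tool's schema.
SAMPLE_APPS = [
    {"name": "Contoso Mail Sync", "verified": False, "users": 41,
     "created": NOW - timedelta(days=3), "last_used": NOW - timedelta(days=1),
     "permissions": ["Mail.ReadWrite.All", "Mail.Send"]},
    {"name": "Legacy Survey Tool", "verified": True, "users": 5,
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=200),
     "permissions": ["User.Read"]},
    {"name": "Teams Companion", "verified": True, "users": 120,
     "created": NOW - timedelta(days=300), "last_used": NOW,
     "permissions": ["User.Read", "Files.Read"]},
]

def risk_indicators(app, now=NOW, new_days=14, broad_consent=20, dormant_days=90):
    """Return the page's risk indicators that apply to one app record (assumed thresholds)."""
    flags = []
    # Unverified publisher holding any high-risk permission.
    if HIGH_RISK.intersection(app["permissions"]) and not app["verified"]:
        flags.append("unverified-high-privilege")
    # Recently created app that already has many user consents.
    if now - app["created"] <= timedelta(days=new_days) and app["users"] >= broad_consent:
        flags.append("new-broad-consent")
    # No recent API use but still holds permissions.
    dormant = app["last_used"] is None or now - app["last_used"] >= timedelta(days=dormant_days)
    if dormant and app["permissions"]:
        flags.append("dormant-with-permissions")
    return flags

def triage(apps, now=NOW):
    """Map app name -> indicators, keeping only apps with at least one flag."""
    return {a["name"]: f for a in apps if (f := risk_indicators(a, now))}
```

Apps returned by `triage` are the ones to take through Review Permissions and, where warranted, Revoke Consent or Block App.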
Best Practices
- Restrict user consent to verified publishers — Only allow users to consent to apps from Microsoft-verified publishers.
- Review apps quarterly — Audit OAuth apps regularly and revoke unused or suspicious consents.
- Enable admin consent workflow — Let users request access while maintaining IT oversight.
- Alert on high-risk consent grants — Configure alerts for apps granted sensitive permissions.
API Reference
- GET /api/security/oauth-apps — List all OAuth applications
- GET /api/security/oauth-apps/:appId — Get app details and permissions
- DELETE /api/security/oauth-apps/:appId/consent — Revoke all consents for app
- POST /api/security/oauth-apps/:appId/disable — Block/disable application
- GET /api/security/oauth-apps/high-risk — List high-risk OAuth apps