How to Audit Microsoft 365 App Permissions and OAuth Grants

A step-by-step guide to auditing third-party app permissions in Microsoft 365 and Azure Active Directory. Find every OAuth consent, identify high-risk permissions, revoke unsanctioned access, and configure admin consent policies.

To audit OAuth app permissions in Microsoft 365, open the Microsoft Entra admin centre (entra.microsoft.com) and go to Identity → Applications → Enterprise applications → All applications. Filter for user-consented applications to see what employees have authorised with their Microsoft accounts. Review each application's permissions, paying particular attention to Mail.Read, Files.Read.All and Calendars.Read, and revoke access for any application you do not recognise or have not approved through your IT process.

Why Microsoft 365 OAuth grants are a governance blind spot

Microsoft 365 is the productivity backbone of most UK SMEs. It is also where employees most frequently grant third-party applications access to sensitive business data — and where that access is least often reviewed.

Unlike Google Workspace, where the OAuth admin console is relatively straightforward, Microsoft's permission management is spread across the Entra admin centre, the Azure portal, and per-user settings — which means it gets audited less often. The result is a typical Microsoft 365 tenant with dozens of third-party applications granted access to email, calendar, and files, most of which have never been formally approved and some of which belong to employees who have left the business.

Step-by-step: auditing app permissions in Microsoft 365

Step 1: Access the Entra admin centre

Navigate to entra.microsoft.com (portal.azure.com → Microsoft Entra ID reaches the same blades; Azure Active Directory is the product's former name). Cloud Application Administrator is the least-privileged role that can both review and revoke enterprise application consents, and is what you should use for routine audits; Application Administrator and Global Administrator can do the same but grant far more than the task needs. For a read-only review, Global Reader is sufficient.

Step 2: Navigate to Enterprise Applications

In the left-hand menu, select Enterprise applications, then All applications. This lists every service principal in your Microsoft Entra ID tenant: Microsoft's own applications, Microsoft-verified gallery apps, and every third-party application that any user or administrator has consented to. The list can be long, so use filters to focus your audit.

Step 3: Filter for user-consented apps

Apply the following filters to focus on third-party apps with user-level consent:

  • Application type: Enterprise applications
  • Consent type: User consented

This narrows the list to applications that users have authorised themselves, without admin approval — the primary source of shadow AI in Microsoft 365 environments.

Step 4: Review permissions for each application

Click each application and open Permissions. There are two tabs: Admin consent (granted by an administrator on behalf of every user, and the only place application permissions, which let the app act with no signed-in user at all, can appear) and User consent (delegated grants that individual users made for themselves). The distinction matters for scoping risk: a delegated grant reaches only what the consenting user can reach, whereas the same permission name granted as an application permission reaches every mailbox, site or user in the tenant. Focus on applications with the following Microsoft Graph permissions, which carry the highest data-access risk:

  • Mail.Read / Mail.ReadWrite — read, or read and modify, the consenting user's mailbox (every mailbox in the tenant when granted as an application permission)
  • Files.Read.All / Files.ReadWrite.All — every SharePoint and OneDrive file the user can access (every site as an application permission)
  • Calendars.Read / Calendars.ReadWrite — the user's calendars (all calendars as an application permission)
  • User.Read.All — full profiles of every user in the directory
  • ChannelMessage.Read.All — Teams channel messages in teams the user belongs to (every channel as an application permission)
  • offline_access — issues a refresh token, so the app keeps access after the user closes it or signs out, typically for months, until the grant is revoked

Step 5: Identify who has authorised each application

For each application, select Users and groups to see which users are assigned to it; the User consent tab of the Permissions page is more precise, because it shows which user granted each delegated permission. Cross-reference this against your active employee list. Grants from former employees should be treated as a priority for revocation: a leaver's refresh token keeps working for the app long after their laptop has been returned.

Step 6: Revoke unsanctioned access

To revoke admin consent: on the application's Permissions page, select Revoke admin consent. This removes the tenant-wide grants immediately. Deleting the enterprise application itself removes every grant it holds, delegated and application, in one step, which is the right move for an app nobody sanctioned. In either case, access tokens the app has already been issued stay valid until they expire (normally within an hour); only new token requests are refused.

To revoke user-level consent grants: navigate to the specific user in the admin centre, select Applications, find the application, and remove it. Users can also do this for themselves at myapps.microsoft.com. For bulk revocation across multiple users, PowerShell is more efficient.

The AzureAD PowerShell module (Get-AzureADServicePrincipal, Remove-AzureADOAuth2PermissionGrant) is deprecated and no longer supported; use the Microsoft Graph PowerShell SDK instead. Get-MgServicePrincipal, Get-MgOauth2PermissionGrant and Remove-MgOauth2PermissionGrant enumerate and revoke delegated grants programmatically, and Remove-MgServicePrincipalAppRoleAssignedTo removes application permissions. Reference documentation for these cmdlets is at learn.microsoft.com.
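The following script is an added example written for this guide, not code from Microsoft or from the original page. It performs Steps 3 to 6 in one pass with the Microsoft Graph PowerShell SDK: it pulls every delegated grant in the tenant, keeps those that carry the high-risk scopes listed above, resolves the consenting user and whether that account is still enabled, and then goes one step further than the portal walkthrough by also listing application permissions (app-only grants), which never appear under user consent. It assumes the Microsoft.Graph module is installed, that the signed-in account holds at least Cloud Application Administrator, and that the $HighRisk list is the page's list; nothing else is tenant-specific.

```powershell
# Added example (not from the original page). Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumed: signed-in account is Cloud Application Administrator or higher and can consent to these scopes.
Connect-MgGraph -NoWelcome -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All',
                                   'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

# The page's high-risk list; the only policy input to this script.
$HighRisk = @('Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
              'Calendars.Read', 'Calendars.ReadWrite', 'User.Read.All',
              'ChannelMessage.Read.All', 'offline_access')

# Cache service principals and users once so the loops below make no per-grant API calls.
$spById = @{}
Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, PublisherName, VerifiedPublisher |
    ForEach-Object { $spById[$_.Id] = $_ }
$userById = @{}
Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled |
    ForEach-Object { $userById[$_.Id] = $_ }

function Get-PublisherLabel ($sp) {
    if ($sp.VerifiedPublisher.DisplayName) { "$($sp.VerifiedPublisher.DisplayName) (verified)" }
    elseif ($sp.PublisherName)             { "$($sp.PublisherName) (unverified)" }
    else                                   { '(no publisher)' }
}

# 1. Delegated permissions are oauth2PermissionGrant objects. ConsentType 'Principal' means one
#    user consented for themselves; 'AllPrincipals' means an admin consented for the whole tenant.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $risky = ($g.Scope -split '\s+') | Where-Object { $HighRisk -contains $_ }
    if (-not $risky) { continue }
    $sp   = $spById[$g.ClientId]
    $user = if ($g.ConsentType -eq 'Principal') { $userById[$g.PrincipalId] } else { $null }
    if ($user)               { $who = $user.UserPrincipalName; $enabled = $user.AccountEnabled }
    elseif ($g.PrincipalId)  { $who = "$($g.PrincipalId) (user no longer exists)"; $enabled = $false }
    else                     { $who = '(tenant-wide admin consent)'; $enabled = $null }
    [pscustomobject]@{
        Kind = 'Delegated'; GrantId = $g.Id; App = $sp.DisplayName; AppId = $sp.AppId
        Publisher = Get-PublisherLabel $sp; ConsentType = $g.ConsentType
        User = $who; UserEnabled = $enabled; Scopes = ($risky -join ' ')
    }
}

# 2. Application permissions are appRoleAssignments on the Microsoft Graph service principal,
#    not oauth2PermissionGrants, so the portal's user-consent view never shows them.
#    Role GUIDs are resolved to names through Graph's own AppRoles list.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
$graphSp.AppRoles | ForEach-Object { $roleName[$_.Id] = $_.Value }
$appOnly = foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $name = $roleName[$a.AppRoleId]
    if ($HighRisk -notcontains $name) { continue }
    $sp = $spById[$a.PrincipalId]
    [pscustomobject]@{
        Kind = 'Application'; GrantId = $a.Id; App = $a.PrincipalDisplayName; AppId = $sp.AppId
        Publisher = Get-PublisherLabel $sp; ConsentType = 'Admin'
        User = '(app-only: every mailbox/site/user)'; UserEnabled = $null; Scopes = $name
    }
}

$findings = @($delegated) + @($appOnly)
$findings | Sort-Object Kind, App |
    Format-Table Kind, App, Publisher, ConsentType, User, UserEnabled, Scopes -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\oauth-grant-audit.csv   # keep as the audit record

# 3. Revoke. Grants held by disabled or deleted users (leavers) go first, as the page recommends;
#    everything else should be checked against your approved-app list before removal.
$leaverGrants = $findings | Where-Object {
    $_.Kind -eq 'Delegated' -and $_.ConsentType -eq 'Principal' -and $_.UserEnabled -ne $true
}
foreach ($f in $leaverGrants) {
    # -WhatIf only reports what would be removed; drop it to actually revoke.
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $f.GrantId -WhatIf
}
# An unsanctioned app-only grant is removed from the Graph service principal instead:
#   Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -AppRoleAssignmentId <GrantId>
```

Removing a grant stops new tokens being issued, but an access token the app already holds remains valid until it expires. Where the grant belonged to a compromised or departed user, also run Revoke-MgUserSignInSession for that user so outstanding refresh tokens stop working too, and keep the exported CSV as evidence of what was found and what was revoked.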

Step 7: Configure admin consent policy

Under Enterprise applications → Consent and permissions → User consent settings, configure how users can authorise third-party apps in future. The options:

  • Do not allow user consent — every app authorisation requires admin approval. Highest control, most friction for users.
  • Allow user consent for apps from verified publishers, for selected permissions — a middle ground that permits low-risk permissions for apps from publishers Microsoft has verified, without admin review. Anything outside that set still goes to an admin.
  • Allow user consent for all apps — the default in many tenants, and the setting that produces the sprawl described above. Not recommended for businesses with active governance programmes.

Pair your consent policy with an admin consent workflow (under Enterprise Applications → Admin Consent Requests) so employees can request approval for tools they need, rather than finding ways around the restriction.
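The same two settings can be applied and verified from PowerShell, which is useful when you manage several tenants or want the configuration in a runbook. This is an added example for this guide, not Microsoft's or the page's own code. It assumes an account permitted to edit the tenant authorization policy (Global Administrator or Privileged Role Administrator) and uses it-admin@example.com as a placeholder reviewer, who must themselves hold a role that can grant admin consent or the requests will have nobody able to act on them.

```powershell
# Added example (not from the original page). Assumed: Microsoft.Graph module installed;
# signed-in account may edit the authorization and consent-request policies;
# 'it-admin@example.com' is a placeholder for your real reviewer.
Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'

# The three portal options correspond to permission-grant policies assigned to the default user role:
#   Allow user consent for all apps                               -> ManagePermissionGrantsForSelf.microsoft-user-default-legacy
#   Allow user consent from verified publishers, selected scopes  -> ManagePermissionGrantsForSelf.microsoft-user-default-low
#   Do not allow user consent                                     -> no policy assigned (empty list)
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Before: $(if ($before) { $before -join ', ' } else { '(user consent disabled)' })"

$consentPolicy = @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $consentPolicy

# Admin consent workflow: users blocked by the policy above can request approval instead of
# working around it. Reviewers are referenced by their directory object path.
$reviewer = Get-MgUser -UserId 'it-admin@example.com' -Property Id
$workflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30      # open requests expire after this many days
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# Read both settings back so the change is verified rather than assumed.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"After:  $($after -join ', ')"
Get-MgPolicyAdminConsentRequestPolicy | Format-List IsEnabled, NotifyReviewers, RequestDurationInDays
```

To choose "Do not allow user consent" instead, set permissionGrantPoliciesAssigned to an empty array (@()). Changing the policy does not touch grants users have already made, which is why the audit and revocation steps above still have to run once before the new policy takes over.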

How Governably automates this

Governably connects to your Microsoft 365 tenant via Microsoft Graph and automatically pulls your complete enterprise application consent list. It cross-references each application against a database of known AI tools and risk classifications, flags high-risk scopes, and surfaces remediation tasks in priority order. You get a clear action list without navigating the Entra admin centre manually.

Frequently asked questions

Where do I find OAuth app permissions in Microsoft 365?

Open the Microsoft Entra admin centre at entra.microsoft.com, then go to Identity → Applications → Enterprise applications → All applications. Filter for user-consented apps to see what employees have authorised with their Microsoft accounts.

What are high-risk permissions in Microsoft 365?

The highest-risk Microsoft Graph permissions grant access to mail (Mail.Read, Mail.ReadWrite), files (Files.Read.All), calendars (Calendars.Read), user profiles (User.Read.All) and Teams messages (ChannelMessage.Read.All). As user-consented (delegated) grants these reach whatever the consenting user can reach; as admin-consented application permissions they reach the same data for every user in your M365 environment, so the latter deserve the closest scrutiny.

How do I prevent users from consenting to third-party apps in Microsoft 365?

In the Entra admin centre under Enterprise Applications → Consent and Permissions → User Consent Settings, restrict user consent to require admin approval. Pair this with an admin consent workflow so employees can request access to tools without self-authorising.

How do I revoke an OAuth grant in Microsoft 365?

In the Entra admin centre, find the application under Enterprise applications, select Permissions, and use "Revoke admin consent"; deleting the enterprise application removes all of its grants at once. For user-level grants, open the specific user's Applications tab and remove the app. For bulk revocation, use the Microsoft Graph PowerShell SDK (Get-MgOauth2PermissionGrant and Remove-MgOauth2PermissionGrant); the older AzureAD module is deprecated.