
How to Review and Clean Up OAuth App Access in Google Workspace and Microsoft 365

Most school districts have dozens, sometimes hundreds, of third-party apps connected to staff and student accounts.

Some are intentional.

Many are forgotten.

A few are risky.


These apps often have access to:

  • email
  • files
  • contacts
  • calendars
  • even full account data


And the reality is, most districts rarely review them.


Reviewing them is one of the easiest ways to reduce risk without buying a single new tool.


Why This Matters


OAuth-connected apps don’t need passwords; they rely on permissions granted by users.


That means:

  • A teacher clicks “Allow” once
  • The app may keep access indefinitely
  • IT may never know it exists

Over time, this creates:

  • hidden data exposure
  • unnecessary access to student information
  • increased risk if an app is compromised

Cleaning this up is quick, impactful, and often overdue.


Step 1: Review OAuth Apps in Google Workspace


Navigate to:

Admin Console → Security → Access and Data Control → API Controls → App Access Control


What You’ll See:

  • A list of third-party apps connected to your domain
  • Permission levels (scopes)
  • Number of users per app


What to Look For:


Unknown Apps

If you don’t recognize it, investigate it.


High-Risk Permissions

Apps requesting access to:

  • Gmail
  • Google Drive
  • Classroom
  • Directory data

These carry higher risk.


High User Counts

Apps used by many users may indicate:

  • unofficial district-wide adoption
  • or potential shadow IT


What You Can Do:

  • Block risky or unapproved apps
  • Mark apps as trusted if they are approved
  • Restrict access levels for sensitive data

Tip: Start with the highest-risk apps. Don’t try to fix everything at once.


Step 2: Review OAuth Apps in Microsoft 365 (Entra)


Navigate to:

Microsoft Entra Admin Center → Enterprise Applications


Then:

  • Select “All Applications”
  • Filter or search for user-consented apps


What to Review:

Click into each app and check:


Permissions (API Permissions)

Does it have access to:

  • Mail
  • Files
  • User profile data
  • Directory data


User Assignment

  • Who is using it?
  • Is it still needed?


App Name & Publisher

  • Does it look legitimate?
  • Is it verified?


What to Look For:


Old or Unused Apps

No recent sign-ins or activity.


Broad Permissions

Apps with “Read/Write All” or full mailbox access.


Suspicious Naming

Generic or unfamiliar app names.


What You Can Do:

  • Disable or remove unused apps
  • Revoke permissions
  • Restrict user consent settings (optional but recommended)


Step 3: Decide What to Keep, Remove, or Control

As you review apps, categorize them:


Keep

  • Approved tools
  • Known vendors
  • Required for instruction


Review Further

  • Apps with unclear purpose
  • Tools storing sensitive data
  • Anything widely used but undocumented


Remove

  • Unused apps
  • Duplicate tools
  • High-risk or unknown apps
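
The Keep / Review Further / Remove sort above can be run over an app inventory exported from either console. The script below is an added example, not part of the original post: the row format, the approved list, the sample apps, and the 180-day and 50-user cutoffs are all assumptions, and the output is a starting point for a human review rather than a verdict.

```python
from datetime import date

# Scope substrings treated as high risk, after the data types the post lists
# (mail, files, Classroom, directory). The list itself is an assumption to tune.
HIGH_RISK = ("mail.google.com", "auth/gmail", "auth/drive", "auth/classroom",
             "auth/admin.directory", "Mail.", "Files.", "Directory.")
BROAD = ("mail.google.com", ".All")   # full mailbox or tenant-wide grants
STALE_DAYS = 180                      # assumed cutoff for "no recent sign-ins"
WIDE_USE = 50                         # assumed cutoff for "high user count"

def triage(app, approved, today):
    """Return (category, reasons) for one inventory row."""
    risky = [s for s in app["scopes"] if any(m in s for m in HIGH_RISK)]
    broad = [s for s in risky if any(m in s for m in BROAD)]
    last = app["last_sign_in"]
    if last is None or (today - last).days > STALE_DAYS:
        return "Remove", ["unused: no recent sign-ins"]
    if app["name"] not in approved:
        if app["users"] >= WIDE_USE:
            return "Review Further", ["widely used but undocumented"]
        if risky:
            return "Remove", ["unknown app with high-risk scopes: " + ", ".join(risky)]
        return "Review Further", ["unclear purpose: not on approved list"]
    if broad:
        return "Review Further", ["approved but broad access: " + ", ".join(broad)]
    return "Keep", ["approved tool"]

# Constructed sample rows; names, counts and dates are illustrative only.
APPROVED = {"District LMS", "Gradebook Sync"}
INVENTORY = [
    {"name": "District LMS", "users": 900, "last_sign_in": date(2025, 5, 30),
     "scopes": ["https://www.googleapis.com/auth/classroom.courses.readonly"]},
    {"name": "Gradebook Sync", "users": 40, "last_sign_in": date(2025, 5, 28),
     "scopes": ["Files.ReadWrite.All", "User.Read"]},
    {"name": "Free PDF Merge", "users": 3, "last_sign_in": date(2025, 5, 1),
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"name": "Quiz Spinner", "users": 120, "last_sign_in": date(2025, 5, 29),
     "scopes": ["User.Read"]},
    {"name": "Old Survey Tool", "users": 12, "last_sign_in": None,
     "scopes": ["Mail.Read"]},
]

def run(today=date(2025, 6, 1)):
    return {a["name"]: triage(a, APPROVED, today) for a in INVENTORY}

if __name__ == "__main__":
    for name, (category, reasons) in run().items():
        print(f"{category:15} {name:18} {'; '.join(reasons)}")
```

An approved app can still land in Review Further when it holds a tenant-wide or full-mailbox grant, which matches the advice to restrict access levels for sensitive data.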


Step 4: Reduce Future Risk

Once you’ve cleaned things up, prevent the same problem from growing again.


In Google Workspace:

  • Configure app access policies
  • Restrict high-risk scopes
  • Monitor new app connections regularly


In Microsoft Entra:

  • Review User Consent Settings
  • Consider limiting user consent to low-risk apps
  • Require admin approval for higher-risk permissions


Across Both:

  • Establish a simple app approval process
  • Educate staff on why app access matters


Step 5: Make This a Routine

This is not a one-time task.


Recommended cadence:

  • Quarterly review (ideal)
  • At minimum, twice per year


Even a quick 20–30 minute review can uncover:

  • forgotten apps
  • unnecessary access
  • hidden risk
