
The App You Connected and Forgot: Third-Party Risk for Small Businesses

Every app your team connected to Microsoft 365 — and forgot — still has access to your email, files, and contacts. Here is what that means for your compliance posture and what to do about it.

Elevate Solutions
June 27, 2026 · 4 min read

Somewhere in your Microsoft 365 tenant, an app you connected two years ago still has access to your inbox. The employee who set it up has since left, and nobody is sure whether the account was ever disabled. The vendor trial expired. Nobody revoked the consent. The app can still obtain a valid token.

This is not a hypothetical. It is the standard condition of most small-business Microsoft 365 environments, and it creates a category of exposure that regulators, cyber insurers, and auditors have begun examining closely.

The short version: Every third-party app connected to Microsoft 365 via OAuth holds a standing consent grant in your tenant, not a one-time handshake. The access tokens it uses are short-lived, but the app can renew them with a refresh token for as long as the grant stands, and the grant persists until someone explicitly revokes it. Forgotten integrations with standing access to email, files, and contacts are unreviewed vendor relationships with no expiration date.

How the access gets created

When a user clicks "Allow" on a permission screen, whether to connect an e-signature tool, sync a CRM, enable a marketing platform, or install a productivity add-in, Microsoft Entra ID records a consent grant for that application in your tenant and issues it tokens. The grant covers the permissions the user approved: read email, access files, view contacts, send on your behalf.

Access tokens expire within about an hour, but the app also receives a refresh token that lets it get new ones without asking anyone again, and that cycle continues for as long as the consent grant exists and the app keeps using it. The grant does not disappear when the vendor relationship ends. It does not get reviewed during your annual audit unless you build a process that requires it.

Two details matter for offboarding. Permissions a user consented to ("delegated" permissions) let the app act as that user, so disabling the departed employee's account does cut off tokens issued in that user's name; the consent record itself stays, and any other employee who consented to the same app keeps feeding it access. Permissions granted to the app itself ("application" permissions), which an admin must approve, work with no signed-in user at all and are unaffected by any offboarding.

In a tenant where user consent is left enabled, any employee can complete this process without IT involvement. That means your accounting assistant, your receptionist, and the summer intern who helped set up a newsletter tool may each have independently extended access to your organization's data.

What category of apps creates the most exposure

The integrations that tend to be forgotten fastest are also the ones that were granted the broadest permissions:

  • Accounting and billing tools that sync invoices or contacts often request read/write access to calendars and email.
  • E-signature platforms connected via Outlook add-in typically request access to compose and send email on the user's behalf.
  • Marketing and CRM platforms regularly request full contact list access and, in some configurations, the ability to read inbox threads to log communications.
  • Browser extensions, particularly those claiming to improve productivity or password management, can request permissions that capture data from any page rendered in the browser, including pages displaying your Microsoft 365 session. These are not OAuth grants in your tenant and will not show up in an Entra app review; they have to be inventoried separately through browser management policy or endpoint tooling.
  • File-sharing and collaboration tools that were used for a single project and never disconnected retain access to SharePoint and OneDrive.

Why this is a compliance problem, not just an IT problem

If your organization operates under HIPAA, handles client funds, stores personally identifiable information, or holds data subject to state privacy law, the apps connected to your tenant are part of your data environment. A breach at any one of those vendors — or a malicious or negligently coded app — can result in unauthorized access to data you are legally responsible for protecting.

Cyber insurers have added explicit questions about third-party integrations and OAuth consent controls to their renewal questionnaires. Auditors conducting SOC 2 or HIPAA assessments treat unreviewed vendor access as a finding. The risk is documented and the scrutiny is increasing.

The compliance exposure runs in both directions. If a vendor is breached and your token was active, you may have a reportable incident even though your own systems were never directly compromised. The data left through a door you left open.

What a basic remediation looks like

You do not need a six-month project. You need three actions completed in sequence:

  1. Audit. An administrator (Application Administrator or Cloud Application Administrator is sufficient; a Global Administrator is not required) reviews Enterprise applications in the Microsoft Entra admin center. That list is the tenant-side record of every connected third-party app; App registrations, by contrast, are apps your own organization created. Each app's Permissions page shows what was granted and whether it came from admin consent (tenant-wide) or individual user consent, and the sign-in logs show when the app last obtained a token. Note that sign-in logs are retained for a limited window (7 days without a Microsoft Entra ID P1 license, 30 days with one), so "no recent activity" means no activity within that window. Apps with no recent activity, an unverified publisher, or no known business owner are candidates for revocation.
  2. Revoke. Unused, unrecognized, or vendor-trial apps should have their consent grants removed, or the enterprise application deleted outright. Removing the grant immediately stops the app from obtaining new tokens; an access token already in the app's hands keeps working until it expires, which is about an hour, so for a suspected malicious app also revoke the consenting users' sessions. Revocation is recoverable: if a business-critical integration is removed by mistake, it can be re-authorized, this time with admin consent and a named owner.
  3. Control going forward. In the Entra admin center, under Enterprise applications > Consent and permissions > User consent settings, set user consent to "Do not allow user consent" (or, at minimum, to verified publishers and low-impact permissions only), and turn on the admin consent request workflow so employees have a sanctioned path to ask for a new integration. With that in place, no new third-party app can gain standing access without IT review.
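The three steps above can be scripted against the Microsoft Graph PowerShell SDK. The following is an added example, not the article's or Microsoft's own tooling: it inventories every third-party enterprise application with its delegated scopes, who consented, its application permissions, and its last sign-in, then shows the revoke and lock-down commands. It assumes the Microsoft.Graph module is installed, the signing-in account holds the Application Administrator role and can consent to the listed scopes, and the app name 'Old Newsletter Tool' is a hypothetical placeholder. The Microsoft first-party tenant ID used to separate Microsoft's own apps from third-party ones is the documented Microsoft Services tenant.

```powershell
# Added example (not from the original article): audit, revoke and lock down third-party
# OAuth access in a Microsoft 365 tenant using the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All", "AuditLog.Read.All" -NoWelcome

# Service principals owned by this tenant are Microsoft's own first-party apps; everything
# else of type 'Application' is a third-party integration someone consented to.
$MicrosoftTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# Enterprise applications are service principals: the tenant-side record of each connected app.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }
$thirdParty = $spById.Values | Where-Object {
    $_.ServicePrincipalType -eq 'Application' -and $_.AppOwnerOrganizationId -ne $MicrosoftTenant
}

# Delegated permissions live in oauth2PermissionGrants. ConsentType 'AllPrincipals' means an
# admin consented for the whole tenant; 'Principal' means one user consented for themselves.
$delegated = Get-MgOauth2PermissionGrant -All | Where-Object { $spById.ContainsKey($_.ClientId) }

$rows = foreach ($sp in $thirdParty) {
    $grants = $delegated | Where-Object ClientId -eq $sp.Id
    $scopes = ($grants | ForEach-Object { $_.Scope.Trim() -split ' ' } | Sort-Object -Unique) -join ' '
    $consentedBy = ($grants | ForEach-Object {
            if ($_.ConsentType -eq 'AllPrincipals') { 'ADMIN (tenant-wide)' }
            else {
                # A deleted consenting user yields no UPN; the grant record still exists.
                $u = Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
                if ($u) { $u.UserPrincipalName } else { "deleted user $($_.PrincipalId)" }
            }
        } | Sort-Object -Unique) -join '; '

    # Application permissions (app role assignments) need no signed-in user and survive offboarding.
    $appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    $appPerms = ($appRoles | ForEach-Object {
            $resource = $spById[$_.ResourceId]
            ($resource.AppRoles | Where-Object Id -eq $_.AppRoleId).Value
        } | Sort-Object -Unique) -join ' '

    # Most recent sign-in by this app (log retention: 7 days free tier, 30 days with Entra ID P1).
    # The default sign-in log covers interactive user sign-ins, so treat this as a lower bound.
    $lastSignIn = (Get-MgAuditLogSignIn -Filter "appId eq '$($sp.AppId)'" -Top 1 -ErrorAction SilentlyContinue).CreatedDateTime

    [pscustomobject]@{
        App             = $sp.DisplayName
        Publisher       = $sp.PublisherName
        VerifiedPub     = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        DelegatedScopes = $scopes
        ConsentedBy     = $consentedBy
        AppPermissions  = $appPerms
        LastSignIn      = $lastSignIn
        ObjectId        = $sp.Id
    }
}

# Oldest (or never-seen) activity first: these are the revocation candidates.
$rows | Sort-Object LastSignIn | Format-Table App, VerifiedPub, DelegatedScopes, ConsentedBy, AppPermissions, LastSignIn -AutoSize
$rows | Export-Csv -Path .\m365-app-access-review.csv -NoTypeInformation

# --- Step 2: revoke one app (hypothetical name). Removing grants blocks new tokens at once;
# an already-issued access token lives until it expires (about an hour).
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
$target = $rows | Where-Object App -eq 'Old Newsletter Tool'
$delegated | Where-Object ClientId -eq $target.ObjectId |
    ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $target.ObjectId -All |
    ForEach-Object { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $target.ObjectId -AppRoleAssignmentId $_.Id }
# Deleting the enterprise application removes the record entirely; the vendor must re-consent to return.
Remove-MgServicePrincipal -ServicePrincipalId $target.ObjectId

# --- Step 3: disable user consent tenant-wide so every future grant goes through admin consent.
# To allow only verified publishers with low-impact permissions instead, assign
# "ManagePermissionGrantsForSelf.microsoft-user-default-low" in place of the empty list.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

Run the audit section first and read the CSV before touching the revoke section; the `$target` lookup is intentionally by display name so a reviewer confirms the exact app before its object ID is used. If the consenting user is the suspected entry point for a malicious app, also run `Revoke-MgUserSignInSession -UserId <id>` for that user so their outstanding refresh tokens are invalidated rather than waiting for expiry.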

The question to answer before your next audit

Can you produce a current list of every third-party application with standing access to your Microsoft 365 environment, along with the permissions each one holds? If the answer is no, that gap will be visible to the next auditor, insurer, or incident responder who looks.

The apps you connected and forgot are not dormant. They are active entries in your risk profile. Treating them as such is a straightforward step, and the worst case of getting it wrong is re-consenting to an integration you actually needed.

Elevate Solutions helps regulated businesses audit and manage third-party application access in Microsoft 365. Contact us to schedule an access review for your environment.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions