Back to GSO Recommendations

Apps with Risky Permissions: OAuth Data Access & Persistence Risk

Why this risk matters

Every OAuth application connected to your Microsoft 365 tenant has been granted specific permissions to access data or perform actions on behalf of users or the organisation. When those permissions are broad, sensitive, or poorly understood, they represent a persistent attack surface that exists independently of user credentials or MFA.

Overe flags applications holding high-risk Graph API permissions — including the ability to read all mail, access all files, query directory data, or send email as any user. These permissions can be delegated (requiring a signed-in user) or application-level (operating without any user present). Application-level permissions carry the higher risk, as they can be exercised silently and at scale.

Apps with risky permissions are particularly dangerous because they often persist long after their original purpose is forgotten. A tool added during a project, a vendor integration that was never removed, or an app consented to by a user during a phishing attack can all hold active permissions indefinitely.

What happens if this is abused

  • Attacker compromises an app with Mail.Read.All and reads every email across the tenant without signing in as any user
  • Application credentials (client secret or certificate) stolen and used to access data with no user interaction required
  • An app with Files.ReadWrite.All used to silently exfiltrate OneDrive and SharePoint content
  • An app with Directory.ReadWrite.All used to enumerate users, groups, and roles — and to modify them
  • Phishing attack tricks a user into consenting to a broad-permission app, giving the attacker persistent access even after a password reset
  • Legacy or abandoned apps with live credentials used as re-entry points after a primary compromise is remediated

When this is expected or acceptable

Many legitimate business applications require broad Graph permissions to function correctly. HR integrations, backup tools, monitoring platforms, and SIEM connectors commonly hold extensive read access. The question is not whether the permissions are broad — it is whether the application is known, documented, and still in use.

An app with high-risk permissions is acceptable when it has a named owner, a documented business purpose, active usage, and credentials that are managed and rotated appropriately. An app with the same permissions but no clear owner, no recent sign-in activity, or unmanaged credentials is a different matter entirely.

Checks to perform before taking action

Before modifying or removing any application's permissions:

  • Identify the application's publisher and confirm whether it is a Microsoft first-party app, a verified third-party, or an unverified or internal app
  • Confirm whether the app has delegated permissions, application permissions, or both — application permissions carry higher risk
  • Check when the app last made API calls and whether it is still in active use
  • Identify who consented to the app — was it an admin granting tenant-wide consent, or individual users?
  • Review the app's credentials: does it have active client secrets or certificates, and when do they expire?
  • Check whether the app has any corresponding service principal with Entra ID role assignments
  • Confirm with a named business owner whether the app is still required and the permissions are justified

Safe remediation steps

  1. Use Overe to review all apps with high-risk permissions across the tenant, prioritising application-level permissions over delegated
  2. For apps that are no longer in use, revoke permissions and disable or delete the app registration
  3. For active apps with overly broad permissions, work with the vendor or developer to reduce scope to the minimum required
  4. For apps with unmanaged or long-lived credentials, rotate or revoke client secrets — expired credentials can still be re-issued by an attacker with access to the app registration
  5. Review and restrict user consent settings to prevent users from granting high-risk permissions without admin review
  6. For any app where ownership is unclear, investigate before taking action — removal of a live integration can cause service disruption
  7. Document all high-risk app permissions with a named owner and a review date

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Supporting documentation

Microsoft: Review permissions granted to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions

Microsoft: Restrict user consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent

Microsoft: Investigate risky OAuth apps - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth

Related risks and follow-on checks

  • Apps with admin roles
  • Dormant apps
  • OAuth consent after suspicious sign-in activity
  • User consent allowed for risky apps
TBD CTA