What is an OAuth app in Microsoft 365?
An OAuth app is a third-party (or internal) application that’s been granted permission to access Microsoft 365 data and services through Microsoft Entra ID (Azure AD). Instead of sharing a password, the user (or an admin) approves access, and Microsoft issues the app tokens that allow it to act within the approved permissions—such as reading mail, accessing files, or managing calendars—depending on what was granted.

How long does OAuth access last?
OAuth access can persist until it’s revoked.
While individual access tokens expire relatively quickly, most OAuth integrations maintain long-term access using refresh tokens and ongoing consent. If an app has been granted consent (especially tenant-wide admin consent), it may continue to regain access over time without prompting the user again—unless policies change or the consent is removed.

What permissions are considered high risk?
High-risk permissions are the ones that enable broad data access, privilege escalation, or actions that are hard to detect quickly.

Common examples include:

• Mail access: read mail, send mail, read/write mailboxes

• File access: read/write files in OneDrive or SharePoint

• Directory access: read all users, groups, roles, or directory data

• Offline access: permissions that allow persistent access without the user actively signed in

• Privilege-related scopes: anything that allows managing users, apps, roles, or policies (often admin-consent required)
  
  

In general: the more “read all” / “read-write” / “manage” language you see, the higher the risk.

How do I revoke OAuth access?
You can revoke OAuth access in a few ways depending on what you’re trying to remove:

• Remove the user’s consent (stops that user’s granted access to the app)

• Remove admin consent / tenant-wide consent (stops the app across the organization)

• Disable or remove the enterprise application / service principal (cuts access at the tenant level)

• Block sign-in for the app (prevents the integration from authenticating)

• Invalidate refresh tokens / revoke sessions (forces re-auth and can interrupt persistent access)

Most organizations use a combination: remove consent + disable the enterprise app + review permissions to ensure access is fully cut.

How do I prevent risky OAuth apps in the future?
The best prevention strategy is a mix of policy, approval workflow, and continuous monitoring:

• Restrict user consent so users can’t approve high-risk permissions on their own

• Require admin approval for apps requesting sensitive scopes

• Use verified publisher / trusted app criteria as a baseline requirement

• Review and reduce permissions (least privilege) before approving access

• Run regular reviews of newly approved apps and permission changes

• Monitor continuously for new OAuth grants, unusual permissions, and risky apps that appear over time

The goal is simple: approved apps stay approved for a reason—and everything else gets flagged early.