Answer
How do I track OAuth grants across Google Workspace and Microsoft 365?
Short answer
Pull the OAuth token list from Google Admin (Security → API controls) and Microsoft Entra (Enterprise applications) monthly, then diff against a baseline to flag new grants.
Details
Every third-party app a user connects with 'Sign in with Google' or 'Sign in with Microsoft' leaves a durable token. That list is your ground truth for shadow SaaS.
Review grants monthly for tier-1 identity providers. Revoke any grant with `spreadsheets.write` or `mail.send` scope from an unrecognized vendor.
Automate this with SeatMap.AI
The audit path above works. It also takes hours per month per tool. SeatMap.AI runs it on a schedule, stages the reclaim actions for review, and shows you the annualized savings in real dollars.