Answer

How do I track OAuth grants across Google Workspace and Microsoft 365?

Short answer

Pull the OAuth token list from Google Admin (Security → API controls) and Microsoft Entra (Enterprise applications) monthly, then diff against a baseline to flag new grants.

Details

Every third-party app a user connects with 'Sign in with Google' or 'Sign in with Microsoft' leaves a durable token. That list is your ground truth for shadow SaaS.

Review grants monthly for tier-1 identity providers. Revoke any grant with `spreadsheets.write` or `mail.send` scope from an unrecognized vendor.
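The monthly diff and revoke rule described above, as an added example (not code from this page or from SeatMap.AI). It assumes both exports have already been normalized into records with the hypothetical fields `provider`, `user`, `app`, `client_id` and `scopes`, and that you keep an allowlist of recognized vendors' client IDs; beyond new grants it also flags existing grants whose scopes widened since the baseline.

```python
"""Diff a monthly OAuth grant export against a baseline (added example)."""

# Scope markers the page says to revoke on when the vendor is unrecognized.
RISKY_SCOPES = ("spreadsheets.write", "mail.send")


def grant_key(g):
    # One grant = one user authorizing one app on one provider.
    return (g["provider"], g["user"].lower(), g["client_id"])


def risky_scopes(g):
    # Case-insensitive match, since providers differ in scope casing.
    return sorted(s for s in g["scopes"]
                  if any(m in s.lower() for m in RISKY_SCOPES))


def review(baseline, current, approved_client_ids):
    """Return (new_grants, widened_grants, revoke_candidates)."""
    old = {grant_key(g): set(g["scopes"]) for g in baseline}
    new, widened, revoke = [], [], []
    for g in current:
        key = grant_key(g)
        if key not in old:
            new.append(g)
        elif set(g["scopes"]) - old[key]:
            # Existing grant that picked up scopes since the baseline.
            widened.append((g, sorted(set(g["scopes"]) - old[key])))
        if g["client_id"] not in approved_client_ids and risky_scopes(g):
            revoke.append((g, risky_scopes(g)))
    return new, widened, revoke


def rec(provider, user, app, client_id, scopes):
    # Assumed normalized record shape (hypothetical field names).
    return {"provider": provider, "user": user, "app": app,
            "client_id": client_id, "scopes": scopes}


# Constructed sample data, not real exports.
BASELINE = [rec("google", "ana@example.com", "Notes", "g-111", ["openid", "email"]),
            rec("microsoft", "bo@example.com", "CRM", "m-222", ["User.Read"])]
CURRENT = [rec("google", "ana@example.com", "Notes", "g-111", ["openid", "email"]),
           rec("microsoft", "bo@example.com", "CRM", "m-222", ["User.Read", "Mail.Send"]),
           rec("google", "cy@example.com", "SheetSync", "g-333", ["openid", "spreadsheets.write"])]
APPROVED = {"g-111", "m-222"}  # hypothetical allowlist of recognized vendors

if __name__ == "__main__":
    for label, items in zip(("new", "widened", "revoke"), review(BASELINE, CURRENT, APPROVED)):
        print(label, items)
```

Keying on user plus client ID rather than app name keeps a renamed or look-alike app from hiding behind a familiar display name.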

Automate this with SeatMap.AI

The audit path above works. It also takes hours per month per tool. SeatMap.AI runs it on a schedule, stages the reclaim actions for review, and shows you the annualized savings in real dollars.
