The pattern: monthly review of the OAuth Usage page, monthly investigation of anomalies, quarterly audit aligned with offboarding records. The cost is a few hours per month; the security and compliance benefit compounds over years.
- Open the OAuth Usage page monthly
Setup > Apps > Connected Apps > Connected Apps OAuth Usage. Pull the list; note the total app count and any apps new since the last review.
- Investigate new apps appearing since last review
For each new app, confirm: who installed or authorized it, what integration does it serve, who owns it. Apps from unknown sources are shadow-IT signals.
- Flag apps with high user count but low usage
Potentially abandoned. Confirm the integration is still needed; deauthorize at the app or per-user level if not.
- Flag apps with low user count but high usage
A single integration with broad access; the one user is typically a service account. Confirm the service account is still needed.
- Cross-check against the offboarding list
For users deactivated in the past 90 days, check their authorizations on the OAuth Usage page. Deauthorize any remaining; offboarding leaks are the most common compliance gap.
- Document the active inventory
List of expected Connected Apps with owner and purpose. Apps not on the list need investigation; the inventory is the change-control baseline.
- Schedule a quarterly deeper audit
Quarterly, build a report on the OauthToken object filtered to stale authorizations (no use in the past 90 days). The report is the prioritized list for the deeper review.
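As an added example (not part of the original page), the monthly flags (new or unknown apps, high users with low usage, low users with high usage, offboarding leaks) and the quarterly stale-authorization report applied to a constructed export of OauthToken rows. The field names (AppName, UserId, LastUsedDate, UseCount) are assumed to match that object, and the user and usage thresholds are assumptions the page leaves unspecified.

```python
from collections import defaultdict
from datetime import date, timedelta

STALE_DAYS = 90  # the "no use in 90 days" threshold from the quarterly audit step
TODAY = date(2024, 9, 30)  # review date for the constructed sample
# Constructed sample export of OauthToken rows (values are made up; field
# names assumed to follow the OauthToken object: AppName, UserId, LastUsedDate, UseCount).
TOKENS = [
    {"AppName": "Data Loader", "UserId": "005A", "LastUsedDate": date(2024, 9, 20), "UseCount": 4},
    {"AppName": "Data Loader", "UserId": "005B", "LastUsedDate": date(2024, 9, 25), "UseCount": 2},
    {"AppName": "Data Loader", "UserId": "005C", "LastUsedDate": date(2024, 5, 1), "UseCount": 1},
    {"AppName": "Payroll Sync", "UserId": "005D", "LastUsedDate": date(2024, 9, 29), "UseCount": 500},
    {"AppName": "Unknown Sales Tool", "UserId": "005A", "LastUsedDate": date(2024, 9, 28), "UseCount": 12},
    {"AppName": "Old Connector", "UserId": "005B", "LastUsedDate": date(2024, 1, 15), "UseCount": 30},
]
DEACTIVATED_USERS = {"005C"}  # constructed offboarding list (deactivated in the last 90 days)
INVENTORY = {"Data Loader", "Payroll Sync"}  # constructed registry of expected Connected Apps

def stale_tokens(tokens, today=TODAY, days=STALE_DAYS):
    """Authorizations not used within `days`: the input to the quarterly report."""
    cutoff = today - timedelta(days=days)
    return [t for t in tokens if t["LastUsedDate"] < cutoff]

def offboarding_leaks(tokens, deactivated):
    """Tokens still held by deactivated users: candidates for per-user revoke."""
    return [t for t in tokens if t["UserId"] in deactivated]

def per_app_summary(tokens):
    """Map app name -> (distinct user count, total use count)."""
    users, uses = defaultdict(set), defaultdict(int)
    for t in tokens:
        users[t["AppName"]].add(t["UserId"])
        uses[t["AppName"]] += t["UseCount"]
    return {app: (len(users[app]), uses[app]) for app in users}

def flag_apps(tokens, inventory, many_users=3, low_use=10, heavy_use=100):
    """Apply the monthly review flags. Thresholds are assumed; tune them per org."""
    flags = {}
    for app, (n_users, total) in per_app_summary(tokens).items():
        reasons = []
        if app not in inventory:
            reasons.append("not in inventory")        # shadow-IT signal, investigate source
        if n_users >= many_users and total < low_use:
            reasons.append("high users / low usage")  # likely abandoned integration
        if n_users == 1 and total >= heavy_use:
            reasons.append("low users / high usage")  # probable service-account integration
        if reasons:
            flags[app] = reasons
    return flags
```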
- Block vs. per-user revoke: Block revokes all authorizations for an app; per-user revoke affects only one user. Pick based on scope.
- Cadence: monthly review for most orgs; weekly for high-security or high-volume integrations.
- Inventory: the team-maintained registry of expected Connected Apps with owner and purpose.
- Stale-token report: a report on OauthToken filtered for no use in 90 days; the prioritized list for the deeper review.
- Deactivation behavior: confirm whether user deactivation triggers automatic deauthorization in your org; the manual cross-check is the fallback.
- Refresh tokens persist until revoked. Deactivating a user does not automatically revoke their OAuth authorizations; manual cleanup is required.
- Block is immediate and broad. It revokes for every user; coordinate before clicking on any production-relevant Connected App.
- Apps from unknown sources are often shadow IT. Investigate the source before deauthorizing; a legitimate business use may exist.
- High user count with low usage often signals an abandoned integration. Deauthorize if confirmed unused; unused apps clutter the review surface.
- Quarterly audit catches gaps the monthly review misses. The OauthToken report surfaces stale authorizations the page summary does not highlight.