The pattern: monitor monthly via OAuth Usage, revoke per-user on offboarding, revoke per-app on incidents, audit quarterly for stale authorizations. The discipline turns a silent accumulation into a controlled inventory.
- Review OAuth Usage monthly. Setup > Apps > Connected Apps > Connected Apps OAuth Usage. Note new apps and apps with unexpected user counts; investigate anomalies.
- Build an OauthToken stale-authorization report. Report on OauthToken, filtering for LastUsedDate over 90 days ago. The report is the prioritized list for the quarterly deeper audit.
- Add Connected User revocation to the offboarding checklist. Every leaver gets their authorizations explicitly revoked: query OauthToken for rows WHERE UserId is the leaver's user Id, then revoke each row.
- Document the expected Connected App inventory. Per app: owner team, business purpose, expected user population. Apps outside the inventory need investigation.
- Configure the refresh token lifetime policy per Connected App. Shorter lifetimes reduce the silent-persistence risk at the cost of more frequent re-prompts. Tune per app sensitivity.
- Train users to revoke authorizations they no longer need. Personal Settings > OAuth Connected Apps. Users who try a tool and abandon it should revoke it; few do without training.
- Run the quarterly audit on the stale-authorization report. Review each stale authorization, decide whether to revoke, and document the decision. The audit produces the compliance evidence regulators want.
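An added example (not code from the original page) covering the two OauthToken queries the checklist relies on, the stale-authorization report and the leaver lookup, plus the age ranking the quarterly audit works from. It assumes rows shaped like Salesforce REST query results and uses constructed sample rows; including never-used tokens and validating the user Id before interpolation are additions beyond the page's text.

```python
import re
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90  # threshold from the page's checklist
_SF_ID = re.compile(r"^[A-Za-z0-9]{15}([A-Za-z0-9]{3})?$")  # 15- or 18-char Salesforce Id

def stale_authorization_soql(now: datetime, days: int = STALE_AFTER_DAYS) -> str:
    """SOQL for the stale-authorization report: tokens unused for `days` days.
    Never-used tokens (LastUsedDate null) are included too; that is an assumption
    beyond the page's 'over 90 days ago' filter."""
    cutoff = (now.astimezone(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ("SELECT Id, UserId, AppName, LastUsedDate, UseCount FROM OauthToken "
            f"WHERE LastUsedDate < {cutoff} OR LastUsedDate = null "
            "ORDER BY LastUsedDate ASC NULLS FIRST")

def offboarding_soql(user_id: str) -> str:
    """SOQL listing every authorization held by one leaver, so each row can be revoked.
    The Id is validated before interpolation so nothing else can be injected into the query."""
    if not _SF_ID.match(user_id):
        raise ValueError(f"not a Salesforce user Id: {user_id!r}")
    return f"SELECT Id, AppName, LastUsedDate FROM OauthToken WHERE UserId = '{user_id}'"

def stale_report(rows: list, now: datetime, days: int = STALE_AFTER_DAYS) -> dict:
    """Group stale OauthToken rows by app and rank them by age for the quarterly audit.
    `rows` are dicts shaped like REST query results; LastUsedDate is an ISO string
    such as 2024-01-15T10:00:00.000+0000, or None for a never-used token."""
    cutoff = now - timedelta(days=days)
    stale = []
    for r in rows:
        raw = r.get("LastUsedDate")
        last = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f%z") if raw else None
        if last is None or last < cutoff:
            stale.append({**r, "DaysSinceUse": None if last is None else (now - last).days})
    # never-used first, then longest-unused first: the audit's priority order
    stale.sort(key=lambda r: (r["DaysSinceUse"] is not None, -(r["DaysSinceUse"] or 0)))
    per_app = {}
    for r in stale:
        per_app[r["AppName"]] = per_app.get(r["AppName"], 0) + 1
    return {"stale": stale, "per_app": per_app}

# Constructed sample rows (not real org data) standing in for a query result.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Id": "0KT000000000001", "UserId": "005000000000001AAA", "AppName": "Slack",
     "LastUsedDate": "2024-05-30T08:00:00.000+0000", "UseCount": 40},
    {"Id": "0KT000000000002", "UserId": "005000000000002AAA", "AppName": "DataLoader",
     "LastUsedDate": "2024-01-15T10:00:00.000+0000", "UseCount": 3},
    {"Id": "0KT000000000003", "UserId": "005000000000003AAA", "AppName": "TrialTool",
     "LastUsedDate": None, "UseCount": 0},
]
```

Run the SOQL strings through whatever client the org uses (the Developer Console or a REST client) and feed the returned records to `stale_report`.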
- Connected User revocation removes one user's authorization for one app. Right tool for offboarding.
- Per-app block revokes every user's authorization for one app at once. Right tool for compromised or ended apps.
- Refresh token lifetime policy: per-Connected-App policy that bounds how long an authorization persists. Tune for sensitivity.
- Monthly OAuth Usage review plus quarterly stale-authorization audit: the combination catches both new anomalies and accumulated drift.
- Connected App inventory: documented list of expected apps with owner and purpose. The baseline against which the OAuth Usage view is reviewed.
- User deactivation does not revoke Connected User authorizations. Manual revocation as part of offboarding is the only reliable cleanup.
- Refresh tokens persist indefinitely by default. The Connected App refresh token policy bounds that persistence; without a policy, authorizations can live for years.
- Stale authorizations accumulate silently. The quarterly audit on the OauthToken report is the only reliable mechanism for surfacing them.
- Per-app block is immediate and broad. Confirm scope before clicking on production-critical apps.
- Scopes granted by the user may be broader than the third-party app actually needs. Audit Connected App scopes during onboarding to confirm least-privilege.