Performing OAuth Scope Minimization Review

When to Use

  • Annual or quarterly review of third-party application OAuth permissions
  • After a security incident involving compromised OAuth tokens or unauthorized data access
  • Compliance audit requiring documentation of third-party data access (GDPR Article 28, SOC 2)
  • Discovery of shadow IT applications accessing organizational data via OAuth grants
  • Migration or consolidation of SaaS applications requiring permission cleanup
  • Implementing least-privilege principle for API integrations

Do not use for reviewing first-party application permissions within the same trust boundary; OAuth scope minimization focuses on third-party and cross-boundary consent grants.

Prerequisites

  • Admin access to identity providers (Microsoft Entra ID, Okta, Google Workspace)
  • Microsoft Graph API permissions: Application.Read.All, OAuth2PermissionGrant.ReadWrite.All
  • Inventory of approved third-party integrations from procurement or IT governance
  • OAuth scope risk classification framework

Installs: 12 | GitHub Stars: 6.2K | First Seen: Mar 18, 2026