Since mid-2025, security headlines have echoed a single pattern: "the attacker didn't break SSO; the user clicked once and gave a harmless-looking app the keys." After Microsoft published a series of advisories on OAuth-consent attacks, SSPM (SaaS Security Posture Management) climbed rapidly on the Gartner Hype Cycle. The reason fits in one sentence: every SaaS tenant is full of OAuth apps that users approved on their own.
This piece explains why OAuth permission inventory has become non-negotiable for any modern SSPM tool, what "high-risk" scope classification looks like, and the weekly review list you should already be running.
Why OAuth consent is so critical
Microsoft 365, Google Workspace, Salesforce, Slack — on every modern SaaS platform, users can grant access to third-party apps straight from the browser. A typical "Sign in with Google" flow asks for things like:
- Access to your email
- Manage your calendar
- Read/write your Drive files
- List your contacts
These permissions persist after the user's session ends. The token is usually long-lived. The attack scenario is simple: the user grants permission to a harmless-looking AI summariser, which then quietly copies the entire Drive in the background. The SSO log is clean, no alert fires — because the action happened on behalf of the user.
Scope tiers: which permission is actually dangerous
Not all OAuth permissions are equal. Industry practice splits them into three categories:
High-risk (admin / write)
Mail.Send,Mail.ReadWrite— send and read mail on the user's behalfFiles.ReadWrite.All— read and write all filesDirectory.ReadWrite.All— modify identity dataSites.FullControl.All— full control over SharePoint
Medium-risk (broad read)
Files.Read.All— read all filesCalendars.Read— read calendarContacts.Read— read contacts
Low-risk (identity / profile)
User.Read,openid,profile— identity only
The point is: leaving an app a user gave a high-risk scope to unreviewed for weeks or months is leaving a door open. If an attacker compromises that single app, they inherit every one of those entitlements.
oauth2PermissionGrants endpoint, classify scopes automatically as high / medium / low risk, and surface them on the risks page. A weekly review of unknown apps with high-risk scopes is a small habit with outsized impact.The weekly OAuth review list
The minimum list an SSPM team should look at once a week:
- Newly added apps. Third-party apps that registered in the tenant since last week.
- Apps holding high-risk scopes. Anything with
ReadWrite.AllorFullControl. - Single-user consents with tenant-wide impact.
- Unknown publishers. Anything not from Microsoft / Google / Atlassian / a known vendor — ad-hoc developer-name publishers especially.
- Stale / unused consents. Apps that haven't shown activity for 60+ days but still hold an active grant.
What this monitoring is NOT for
OAuth permission inventory is not a content-inspection tool. CenseCloud doesn't read application content or touch user data; it only answers "which app, which scope, granted by which user, when". As we say on the about page — we're not in the data path.
Conclusion: the quietest open door
OAuth permissions are the quietest security gap right now: the SSO log is clean, the AD account is normal, the app may even carry an "approved" badge. A behaviour that isn't an attack vector takes weeks to discover when it becomes one.
The fix is not a one-time setup, it's a continuous review rhythm. See the third-party risk solution or the platform architecture for how OAuth inventory works inside CenseCloud.