I've been checking our Microsoft 365 environment and found some alarming configurations. There are multiple OAuth apps I've never heard of that have full mailbox read and write permissions. One app even has access to every single mailbox in our tenant, and I can't tell how long it's been connected. Furthermore, I've discovered several forwarding rules directed to external domains, service accounts without multi-factor authentication, and SMTP authentication still enabled in various spots. None of these issues were highlighted in our quarterly reviews. Since our email gateway doesn't cover backend configurations and manually checking everything isn't feasible, I'm particularly concerned about OAuth apps because users often connect productivity tools without fully understanding the permissions they're granting. Is there any tooling available that can continuously monitor email security posture for risky delegations and misconfigurations?
7 Answers
If you're using Microsoft 365, I suggest getting started with Microsoft Defender for Office 365 along with Microsoft Defender for Cloud Apps. The latter provides OAuth app governance and can alert/block high-risk apps. You should also review Microsoft Entra ID and its permissions settings, enabling admin consent workflows and restricting user consent to certain verified publishers only.
Most email gateways can’t track OAuth app activities because they work with legitimate API credentials. Traditional security measures focus too much on email threats but ignore these backend risks. Tools like Abnormal can continuously monitor app behavior and permissions, flagging any unusual activities.
One way to tackle this is to limit the ability of end users to sign in to any app without proper authorization. You could implement a policy that only allows app requests that go through an admin review process.
I've taken the route of blocking app registrations, allowing only Microsoft apps with very limited permissions. If there's a need for anything else, admin consent must be granted. This became especially important during the AI rush when people wanted to share company data with random tools. After addressing one complaint to management about a user's inappropriate app request, I've seen a sharp decline in app registrations, so it seems to be working!
You're right about the gaps in monitoring. OAuth apps can gain upgraded permissions after their initial approval. Since users connect tools they need for work and end up approving permissions without thinking, it's crucial to continuously monitor these permissions and API call patterns. Traditional manual audits won't cut it anymore. It's all about balancing the need for security with allowing employees to use the tools that boost their productivity.
Thanks for the insight!
Yeah, quarterly reviews for OAuth apps just don't work. Permissions can change frequently, and no one really keeps track of what's been approved six months back.
Check out Microsoft Defender for Cloud Apps; it has OAuth monitoring features built in. It's not perfect, but it's a decent starting point. Just remember to set up alerts specifically for apps that request 'mail.read' or 'mail.send' permissions.

Totally agree with this approach!