OAuth apps
This is one of the key features of Microsoft Defender for Cloud Apps (MDCA), and it can be very useful if your Entra ID environment has been around for a while and has accumulated consented apps nobody remembers.
If you are not seeing any applications here, be sure you have Microsoft 365 connected with the Microsoft Entra ID Apps option enabled.
Tip
It is a good idea to review what users can consent to for enterprise applications in Entra ID; Microsoft's Entra ID documentation on user consent settings covers the available options. The general recommendation is to restrict which apps a user can consent to and to set up the admin consent workflow, which lets users request approval for applications they cannot consent to themselves.
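The two settings the tip recommends can be applied from the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph SDK v2 (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules) and a Global Administrator account, and the reviewer address is a placeholder.

```powershell
# Added example (not from the page): restrict user consent to verified-publisher, low-impact
# permissions and turn on the admin consent workflow with the Microsoft Graph PowerShell SDK v2.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users are installed and the
# signed-in account is a Global Administrator. The reviewer UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# 1. Show the current user consent setting. The possible values are:
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any app (risky)
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-impact permissions only
#    (empty list)                                                 -> user consent disabled entirely
$authz = Get-MgPolicyAuthorizationPolicy
"Before: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# 2. Restrict user consent to verified publishers and low-impact permissions.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 3. Enable the admin consent workflow so a blocked consent becomes a request to a reviewer
#    instead of a dead end (or a reason for the user to go looking for a workaround).
$reviewer = Get-MgUser -UserId "consent-reviewer@contoso.com"   # placeholder reviewer account
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })

# 4. Re-read both policies to confirm the change took effect.
"After: $((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays
```

Run step 1 on its own first: if the output already shows `microsoft-user-default-low` or an empty list, the tenant is not in the permissive legacy state and only the workflow step is needed.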
Benefits
Most of this information is available in Entra ID under Enterprise applications, but here it is presented from a security perspective. As a security analyst I want to know which OAuth apps exist, who is using them, and what permissions they hold. Entra ID exposes all of that, but it takes multiple clicks per app and filtering is limited. The OAuth app page shows who is using an app and what permissions it has at a glance.
Having that data quickly accessible is helpful, but the big gain is really the filters: narrowing the list to apps with high permissions and few users is a good way to surface a malicious app in your environment. An app with broad mailbox or file access that only one or two users have consented to is the classic footprint of a consent-phishing campaign.
Warning
I have on occasion seen some "low"-level permissions that I felt were high-severity permissions. In the future I hope to document those items, since the permission severity is not customizable at this time.
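The same inventory and the "high permissions, few users" filter described under Benefits can be rebuilt directly from Entra ID, which also works around the warning above: because the severity list is your own, a permission MDCA labels "low" can be treated as high. The block below is an added example, not code from the page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Applications module) with read access to applications and the directory, and the `$HighRisk` list, `$MaxUsers` threshold and `Resolve-AppRole` helper are this example's own choices.

```powershell
# Added example (not from the page): rebuild the "which apps, who uses them, what permissions"
# view from Entra ID with the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Applications),
# then apply the triage filter from the text: high-privilege permissions and few users.
# $HighRisk and $MaxUsers are this example's own choices, not an MDCA setting.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Permissions treated as high impact regardless of any vendor severity label. Values are the
# Microsoft Graph / Exchange scope names; add any "low"-labelled permission you distrust.
$HighRisk = @(
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "full_access_as_app",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.FullControl.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All", "AppRoleAssignment.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All", "offline_access"
)
$MaxUsers = 3                                                # "low users" threshold
$MicrosoftTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"   # owner tenant of first-party Microsoft apps

# Resolve app-role GUIDs to permission names, fetching each resource service principal only once.
$resourceCache = @{}
function Resolve-AppRole([string]$ResourceId, [string]$AppRoleId) {
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    ($resourceCache[$ResourceId].AppRoles | Where-Object Id -eq $AppRoleId).Value
}

$report = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    if ($sp.AppOwnerOrganizationId -eq $MicrosoftTenant) { continue }   # skip Microsoft's own apps

    # Delegated permissions: one grant per consenting user (ConsentType Principal) or a single
    # tenant-wide grant created by admin consent (ConsentType AllPrincipals).
    $grants     = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    $delegated  = @($grants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique)
    $users      = @($grants | Where-Object ConsentType -eq 'Principal' | Select-Object -ExpandProperty PrincipalId -Unique).Count
    $tenantWide = [bool]($grants | Where-Object ConsentType -eq 'AllPrincipals')

    # Application (app-only) permissions: app roles this service principal holds on other resources.
    $appOnly = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRole $_.ResourceId $_.AppRoleId } | Sort-Object -Unique)

    $all = $delegated + $appOnly
    if ($all.Count -eq 0) { continue }   # nothing consented, nothing to triage
    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        Publisher      = $sp.PublisherName
        UsersConsented = $users
        TenantWide     = $tenantWide
        AppOnly        = $appOnly -join ' '
        Delegated      = $delegated -join ' '
        HighRisk       = ($all | Where-Object { $HighRisk -contains $_ }) -join ' '
    }
}

# The filter from the text: high permissions, few users. Admin-consented (TenantWide) and
# app-only grants show 0 consenting users, so they sort to the top, which is where they belong.
$report |
    Where-Object { $_.HighRisk -and $_.UsersConsented -le $MaxUsers } |
    Sort-Object UsersConsented |
    Format-Table DisplayName, Publisher, UsersConsented, TenantWide, HighRisk -AutoSize
```

Keep `$report` around after the run: the unfiltered object has the full delegated and app-only permission lists per app, so when MDCA's page disagrees with you on severity you can re-filter against your own list without re-querying the tenant. Expect the first run to take a while in an old tenant, since every service principal costs two Graph calls.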
App permission
I am working on populating this with permission levels and permissions worth investigating closer.
Display name | Permission | Level | Provider |
---|---|---|---|
Access Dynamics AX custom Service | TBD | TBD | Microsoft |
Access Dynamics AX data | TBD | TBD | Microsoft |
Access Dynamics AX online | TBD | TBD | Microsoft |
Access Microsoft Flow | TBD | TBD | Microsoft |
Access mailbox via Exchange Activesync | TBD | TBD | Microsoft |
Access mailboxes as the signed-in user | TBD | TBD | Microsoft |
Access mailboxes via Exchange Web Services | TBD | TBD | Microsoft |
Access the directory as the signed-in user | TBD | TBD | Microsoft |
Access to mailboxes via IMAP protocol | TBD | TBD | Microsoft |
Access to mailboxes via POP protocol | TBD | TBD | Microsoft |
Access to work or school directory | TBD | TBD | Microsoft |
Access your data anytime | TBD | TBD | Microsoft |
Add and remove members from channels | TBD | TBD | Microsoft |
Add and remove members from teams | TBD | TBD | Microsoft |
Add to your Google Photos library | photoslibrary.appendonly | TBD | |
Administer your Cloud Bigtable clusters | bigtable.admin.cluster | TBD | |
Administrate log data for your projects | logging.admin | TBD | |
Allow Google to let the people in these circles know that you have signed into this app with Google: Your circles | TBD | TBD | |
Allow full access to the service on behalf of the signed-in user | TBD | TBD | Microsoft |
Allow the app to manage itself in teams | TBD | TBD | Microsoft |
Allow this application to run when you are not present | TBD | TBD | |
Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | TBD | TBD | Microsoft |
Allows an app to read and write Bookings appointments on behalf of the signed-in user | TBD | TBD | Microsoft |
Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish Bookings businesses. | TBD | TBD | Microsoft |
Allows the add-on to temporarily create new drafts via Compose actions. Requires an access token. | TBD | TBD | |
Allows the user to make UrlFetch requests. This is also required if the project makes use of the OAuth2 for Apps Script library. | TBD | TBD | |
Appear in the Google Drive Open With menu and in the Google Drive Create menu | TBD | TBD | |
Application-only OneNote notebook access | TBD | TBD | Microsoft |
Apply machine learning models to reveal the structure and meaning of text | TBD | TBD | |
Apply machine learning models to understand and label images | TBD | TBD | |
Call Web API as the currently logged in user | TBD | TBD | Microsoft |
Communicate with user devices | TBD | TBD | Microsoft |
Consume tasks from your taskqueues | TBD | TBD | |
Create a new Google Analytics account along with its default property and view | TBD | TBD | |
Create and update Google Apps Script deployments | TBD | TBD | |
Create and update Google Apps Script projects | TBD | TBD | |
Create content on behalf of the user | TBD | TBD | Microsoft |
Create messages in groups on your domain (for example, from emails sent to the API) | TBD | TBD | |
Create on-demand Skype meetings | TBD | TBD | Microsoft |
Create online meetings | TBD | TBD | Microsoft |
Create pages in OneNote notebooks | TBD | TBD | Microsoft |
Create, see, edit and permanently delete your Display & Video 360 entities and reports | TBD | TBD | |
Create tabs in Microsoft Teams | TBD | TBD | Microsoft |
Create, read, update and delete all user's tasks and plans | TBD | TBD | Microsoft |
Create, read, update and delete user tasks and plans | TBD | TBD | Microsoft |
Create, read, update and delete user tasks and plans shared by the user | TBD | TBD | Microsoft |
Delete channels | TBD | TBD | Microsoft |
Delete user's channel messages | TBD | TBD | Microsoft |
Delete your Google Tag Manager containers | TBD | TBD | |
Deliver and manage notifications for this app | TBD | TBD | Microsoft |
Deliver and manage user's notifications | TBD | TBD | Microsoft |
Edit Google Analytics management entities | TBD | TBD | |
Edit or delete user contacts | TBD | TBD | Microsoft |
Edit user's channel messages | TBD | TBD | Microsoft |
Export user data | TBD | TBD | Microsoft |
Full access to all mailboxes | TBD | TBD | Microsoft |
Full account access | TBD | TBD | |
Get device state and compliance information from Microsoft Intune | TBD | TBD | Microsoft |
Grants access to the open message's content on a user interaction, such as when an add-on menu item is selected. | TBD | TBD | |
Grants read and write permissions to a specific folder for your application | TBD | TBD | Microsoft |
Grants temporary access to the open message's metadata (such as the subject, recipients, etc.). Does not allow reading of message content and requires an access token. | TBD | TBD | |
Grants temporary access to the open message's metadata and content. Also grants access to the content of other messages in the open thread. Requires an access token. | TBD | TBD | |
Guest user join services | TBD | TBD | Microsoft |
Have full access to user files | TBD | TBD | Microsoft |
Have full control of all site collections | TBD | TBD | Microsoft |
Index and serve your organization's data with Cloud Search | TBD | TBD | |
Initiate Skype conversations and join meetings | TBD | TBD | Microsoft |
Insert data into Google BigQuery | TBD | TBD | |
Insert mail into your mailbox | TBD | TBD | |
Invite guest users to the organization | TBD | TBD | Microsoft |
Join and Manage Skype Meetings | TBD | TBD | Microsoft |
Know who you are on Google | TBD | TBD | |
Know your basic profile info and list of people in your circles. | TBD | TBD | |
Make telephone calls in your Hangouts and access telephone-related information | TBD | TBD | |
Manage DoubleClick Digital Marketing conversions | TBD | TBD | |
Manage Exchange configuration | TBD | TBD | Microsoft |
Manage Google Analytics Account users by email address | TBD | TBD | |
Manage Google Analytics user deletion requests | TBD | TBD | |
Manage access reviews for group and app memberships | TBD | TBD | Microsoft |
Manage active breakpoints in cloud debugger | TBD | TBD | |
Manage all Teams apps | TBD | TBD | Microsoft |
Manage all access reviews | TBD | TBD | Microsoft |
Manage all bookings | TBD | TBD | Microsoft |
Manage all delegated permission grants | TBD | TBD | Microsoft |
Manage all programs | TBD | TBD | Microsoft |
Manage and add to shared albums on your behalf | TBD | TBD | |
Manage app permission grants and app role assignments | TBD | TBD | Microsoft |
Manage app permission grants and app role assignments | TBD | TBD | Microsoft |
Manage approvals | TBD | TBD | Microsoft |
Manage cloud debugger | TBD | TBD | |
Manage consent and permission grant policies | TBD | TBD | Microsoft |
Manage corporate Android devices | TBD | TBD | |
Manage course work and grades for students in the Google Classroom classes you teach and view the course work and grades for classes you administer | TBD | TBD | |
Manage data-access permissions for users on your domain | TBD | TBD | |
Manage delegated admin roles for your domain | TBD | TBD | |
Manage drafts and send emails | TBD | TBD | |
Manage education app settings | TBD | TBD | Microsoft |
Manage email messages of users on your domain | TBD | TBD | |
Manage hybrid identity service configuration | TBD | TBD | Microsoft |
Manage installed Teams apps in chats | TBD | TBD | Microsoft |
Banning apps
If you find an app that is malicious, or that you simply don't want used in your environment, you can ban it; the ban action is on the far right-hand side of the app's row. Optionally, you can send the users of the app a message notifying them that it has been banned.
Note
Banning an app does not delete it from Entra ID; it only prevents the app from being used.
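Because the ban leaves the service principal and its grants in Entra ID, the follow-up a responder usually wants is to strip what the app was given on the Entra side as well. The block below is an added example, not code from the page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules), an account holding the scopes requested, and a placeholder `$AppId`.

```powershell
# Added example (not from the page): the Entra ID side of a ban. Disables the app's service
# principal and removes every delegated grant and app-role assignment it holds. Assumes the
# Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns).
# $AppId is a placeholder; confirm the app before running, the removals are not reversible.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$AppId = "00000000-0000-0000-0000-000000000000"   # application (client) ID of the app to remove
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }

# Record who had consented before the grants disappear; these users are the follow-up list
# for session revocation (Revoke-MgUserSignInSession) if the app turns out to be malicious.
$grants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
$consentedUsers = @($grants | Where-Object ConsentType -eq 'Principal' | Select-Object -ExpandProperty PrincipalId -Unique)
"Users who had consented to $($sp.DisplayName): $($consentedUsers -join ', ')"

# 1. Block new tokens first: a disabled service principal cannot sign in or receive new consent.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# 2. Remove every delegated permission grant, per-user and tenant-wide alike.
$grants | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

# 3. Remove application (app-only) permissions the app holds on other resources.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id }

# 4. Verify. Access tokens already issued stay valid until they expire (roughly an hour),
#    which is why the consented-user list above matters.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$remainingGrants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All).Count
$remainingRoles  = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All).Count
"$($sp.DisplayName): enabled=$($sp.AccountEnabled) delegated grants=$remainingGrants app roles=$remainingRoles"
```

Disabling the service principal is done before the grants are removed so that, if the script is interrupted halfway, the app is already unable to obtain new tokens.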
App governance
If you turn on app governance, which is generally recommended, the OAuth app page is no longer available and you are redirected to the app governance page instead. The layout changes and some of the data differs, but you gain additional data as well as enhanced policies that are worth the upgrade.