How do I check which third-party apps have access to Microsoft 365?

To check which third-party apps have access to Microsoft 365, you need to review OAuth permissions, enterprise app registrations, token activity, and admin consent grants inside Entra ID. These views show every external app that users or admins have authorized, including applications with access to email, files, calendars, contacts, or identity data.

Many teams use platforms like FrontierZero to consolidate these permissions across all users and detect apps requesting excessive or risky access.


Why Third-Party Access Is Hard to Track in Microsoft 365

Microsoft 365 uses Entra ID as its identity layer, and while it logs app authorizations, it doesn’t always surface them in a single, easy-to-read inventory. Shadow IT, delegated permissions, and long-lived OAuth tokens all contribute to blind spots.

1. Users can grant OAuth access without admin approval

Most third-party apps allow user-consent access, meaning employees can approve permissions such as:

  • reading email
  • accessing OneDrive
  • modifying calendars
  • accessing Teams messages

These requests are logged but not automatically flagged as risky.

2. Enterprise applications store permissions separately

Microsoft 365 uses:

  • Enterprise Apps (service principals)
  • App Registrations (client applications)
  • Delegated permissions
  • Application permissions

Each layer may hold different access rights.

This fragmentation makes it easy to miss risky apps.

3. OAuth tokens stay active even after users are disabled

OAuth tokens do not automatically expire when:

  • the user leaves the company
  • the account is suspended
  • the password is reset
  • MFA is changed

This means an authorized app can still access corporate data until its token is revoked.

Tools like FrontierZero identify these long-lived or orphaned tokens automatically.


How to Manually Check Which Third-Party Apps Have Access (Step-by-Step)

1. Review Enterprise Applications in Entra ID

Go to:
Entra ID → Enterprise Applications

Review:

  • all apps connected via OAuth
  • permissions each app has
  • users who consented
  • whether admin consent was required
  • risky or broad scopes

FrontierZero aggregates these permissions across the entire tenant for faster review.

2. Review User-Level App Consents

Navigate to:
Entra ID → Users → (Select User) → Applications → Apps and Permissions

Check:

  • apps each user has approved
  • delegated scopes
  • unusual or excessive permissions
  • apps used by only one employee

Most shadow IT originates here.

3. Review App Registrations and Service Principals

Navigate to:
Entra ID → App Registrations
and
Entra ID → Enterprise Applications → Permissions

Look for:

  • apps with application-level permissions
  • service accounts with high privileges
  • apps allowed tenant-wide
  • apps with offline access tokens

FrontierZero helps teams identify high-risk app registrations and map which identities they affect.
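The three manual checks above, rolled into one offline triage script as an added example (not FrontierZero's or Microsoft's code): it works on the shapes Graph returns for service principals, users and delegated oauth2PermissionGrants, embedded here as constructed sample data, and flags risky scopes, admin versus user consent, single-user apps and grants left behind by disabled accounts. Application permissions (appRoleAssignments) are not covered.

```python
from collections import defaultdict

# Scopes the article treats as high-risk: mailbox, files, offline access, directory.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "offline_access", "Directory.Read.All", "Directory.ReadWrite.All"}

# Constructed sample data shaped like Graph /servicePrincipals, /users, /oauth2PermissionGrants.
SERVICE_PRINCIPALS = {"sp-1": "Contoso Mail Helper", "sp-2": "Calendar Sync"}
USERS = {
    "u-1": {"upn": "alice@example.com", "accountEnabled": True},
    "u-2": {"upn": "bob@example.com", "accountEnabled": False},  # offboarded user
}
GRANTS = [
    # user consent by a now-disabled user, with mailbox + offline_access scopes
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "u-2",
     "scope": "Mail.Read offline_access User.Read"},
    # tenant-wide admin consent (AllPrincipals): principalId is null
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.Read User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-1",
     "scope": "Calendars.ReadWrite"},
]


def triage(grants, service_principals, users):
    """Fold delegated grants into one finding per app: risky scopes, admin vs user
    consent, single-user (likely shadow IT) apps, and grants left by disabled users."""
    per_app = defaultdict(lambda: {"scopes": set(), "users": set(),
                                   "admin_consent": False, "disabled_users": set()})
    for g in grants:
        entry = per_app[g["clientId"]]
        entry["scopes"].update(g["scope"].split())  # Graph stores scopes space-separated
        if g["consentType"] == "AllPrincipals":
            entry["admin_consent"] = True
            continue
        uid = g["principalId"]
        entry["users"].add(uid)
        user = users.get(uid)
        if user is not None and not user["accountEnabled"]:
            entry["disabled_users"].add(user["upn"])
    findings = {}
    for sp_id, e in per_app.items():
        findings[service_principals.get(sp_id, sp_id)] = {
            "risky_scopes": sorted(e["scopes"] & RISKY_SCOPES),
            "admin_consent": e["admin_consent"],
            "single_user": not e["admin_consent"] and len(e["users"]) == 1,
            "orphaned_users": sorted(e["disabled_users"]),
        }
    return findings


print(triage(GRANTS, SERVICE_PRINCIPALS, USERS))
```

Against a real tenant, feed the script the paged results of the three Graph list calls instead of the constructed dictionaries.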


How do I know if a third-party app is high-risk?

Check whether the app requests:

  • mailbox read
  • OneDrive or SharePoint read/write
  • Files.Read.All or Files.ReadWrite.All
  • offline access
  • full directory access

FrontierZero automatically flags apps with excessive or suspicious scopes.

Can employees add apps even if SSO is enforced?

Yes. Even in tightly controlled Microsoft environments, users can grant OAuth permissions to apps that don’t rely on SSO. This is why continuous monitoring is essential.

Why do some apps remain even after disabling a user?

Because OAuth tokens remain valid until explicitly revoked. Disabling a user in Entra does not remove application access. FrontierZero detects tokens tied to disabled or offboarded employees.


FAQ

Is checking Enterprise Applications enough?

No. You also need to review user-level OAuth grants and app registrations.

Do Microsoft 365 and Entra ID automatically block risky apps?

No. They require admins to configure consent policies and restrictions manually.

Yes — if user-consent is enabled, employees can grant permissions on their own.