The OAuth Grants Your Google Workspace Org Forgot About
Every 'Sign in with Google' creates a persistent token. Most orgs have never seen the full list. Here's how to audit connected apps and reduce your OAuth attack surface.
Every time one of your users clicks "Sign in with Google" on a third-party app, they create an OAuth grant. That grant gives the app a token — a persistent credential that can access their Workspace data according to whatever scopes they approved.
Slack, Notion, a browser extension installed two years ago, a SaaS tool the marketing team trialed and stopped using — all of these hold active tokens. The user forgot about them. IT doesn't know they exist. The token is still valid.
Multiply that by a hundred users, and you have an attack surface your org has never seen a complete picture of.
What the OAuth Grant Inventory Shows
The Connected Apps dashboard pulls every OAuth grant in the org from the Google Admin API and displays it as a sortable, filterable list.
Each entry shows: app name, client ID, how many users have authorized it, and whether any of those users granted sensitive scopes — scopes that can read or modify Gmail, Drive, contacts, or admin data.
Three filter tabs:
All — the complete list, sorted by user count by default. This is the inventory view.
Sensitive — apps where at least one user granted scopes that reach email, Drive, or admin data. A note-taking app with Gmail read access is a different risk profile than the same app without it. These warrant direct review or revocation in the Google Admin Console.
High Adoption — apps authorized by 30% or more of the org. These are the shadow IT findings: tools that spread through the organization without going through an approval process. High adoption doesn't mean high risk, but it does mean high blast radius if the app is compromised.
From App to User
Clicking any app card opens a list of exactly which users have authorized it.
That's the investigation path. You see a "Sensitive" badge on an app you don't recognize. You click it. You see it's authorized by an executive, a finance lead, and two engineers. That changes what you do next — this isn't a low-stakes finding.
The inverse is equally useful. You're reviewing the High Adoption tab and see an app that 60% of your org has authorized. You want to understand who's using it before deciding whether to formalize it or revoke it. The user list is there immediately.
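To make the inventory, the three tabs, and the app-to-user drill-down described above concrete, here is an added example (not MonitorWorkspace's code) that computes them from a list of grant records. The sample grants are constructed, the record shape is assumed to follow the Admin SDK Directory API tokens resource, and the scope families treated as sensitive are this example's own assumption.

```python
from collections import defaultdict

G = "https://www.googleapis.com/auth/"  # Google API scope URI prefix

def grant(user, client_id, app, *scopes):
    """One grant record, shaped like the Admin SDK Directory API tokens resource (assumed)."""
    return {"userKey": user, "clientId": client_id, "displayText": app, "scopes": list(scopes)}

# Constructed sample for a 10-user org; the apps, users and client IDs are not real.
ORG_SIZE = 10
SAMPLE_TOKENS = [
    grant("cfo@example.com", "111.apps.example", "NoteTaker", "openid", G + "gmail.readonly"),
    grant("eng1@example.com", "111.apps.example", "NoteTaker", "openid", G + "userinfo.email"),
    grant("old@example.com", "333.apps.example", "Trialware", G + "drive"),
] + [grant(f"user{i}@example.com", "222.apps.example", "ChatTool", "openid") for i in range(4)]

# Scope families that reach mail, files, contacts or admin data (this prefix list
# is the example's assumption, not the dashboard's exact rule).
SENSITIVE_PREFIXES = tuple(G + s for s in ("gmail", "drive", "contacts", "admin"))
HIGH_ADOPTION_RATIO = 0.30  # the 30%-of-org threshold from the text

def sensitive_scopes(scopes):
    """Subset of scopes that touch Gmail, Drive, contacts or admin data."""
    return {s for s in scopes if s.startswith(SENSITIVE_PREFIXES)}

def build_inventory(tokens, org_size):
    """Aggregate per-user grants into one record per client ID (the All view)."""
    apps = {}
    for t in tokens:
        app = apps.setdefault(t["clientId"], {"app": t["displayText"], "grants": defaultdict(set)})
        app["grants"][t["userKey"]].update(t["scopes"])
    for app in apps.values():
        app["user_count"] = len(app["grants"])
        # Sensitive if ANY user granted a sensitive scope; high adoption at >= 30% of the org
        app["sensitive"] = any(sensitive_scopes(s) for s in app["grants"].values())
        app["high_adoption"] = app["user_count"] / org_size >= HIGH_ADOPTION_RATIO
    return apps

def filter_apps(apps, tab="all"):
    """Client IDs on the All / Sensitive / High Adoption tab, most-authorized first."""
    keep = {"all": lambda a: True, "sensitive": lambda a: a["sensitive"],
            "high_adoption": lambda a: a["high_adoption"]}[tab]
    return sorted((cid for cid, a in apps.items() if keep(a)),
                  key=lambda cid: (-apps[cid]["user_count"], cid))

def users_for_app(apps, client_id):
    """Drill-down: every user who authorized the app and the sensitive scopes they granted."""
    return {u: sorted(sensitive_scopes(s)) for u, s in sorted(apps[client_id]["grants"].items())}
```

Note that an app lands on the Sensitive tab as soon as one user has granted a sensitive scope, which is why the per-user drill-down matters: in the sample, only the CFO's grant to NoteTaker reaches Gmail.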
Why the "High Adoption" Tab Matters as Much as "Sensitive"
Sensitive scope apps are a security concern. High adoption apps are a governance concern.
A tool that 40% of your org uses without IT's knowledge is a procurement and compliance issue independent of its scope level. You need to know about it.
Orgs that run quarterly access reviews typically look for sensitive scopes and stop there. They miss the sprawl — the long tail of lightly-scoped but widely-used apps that represent your actual shadow IT footprint.
Both tabs are necessary. They answer different questions.
What IT Support Can Do Here
IT Support role users have full access to the Connected Apps dashboard. They can see the complete OAuth grant inventory, filter by sensitive or high-adoption, and drill into specific apps to see which users have authorized them.
They cannot read anyone's email. They cannot export chat. They see the authorization graph — what apps have access to Workspace data — without being able to access the data those apps could reach.
That scope is intentional. Understanding the connected app landscape is a triage and monitoring function, not a data access function.
The Part That Surprised Us
We built the Sensitive tab expecting it to be the most-used filter. The High Adoption tab turned out to be equally important, for a different reason.
In testing, the High Adoption tab was the one that generated the most "I didn't know that" reactions. Tools authorized by 50 or 60 percent of the org that had never gone through any approval process. Some of them were legitimate — widely-adopted, low-risk productivity tools that IT had simply never formalized. Others warranted immediate review.
The inventory view exists precisely to surface that gap between what IT approved and what's actually authorized.
What This Changes
A third-party app with a valid OAuth token is an indirect path into your Workspace data. If that app's infrastructure is compromised, the token is a door. Fewer active grants means fewer doors.
You can't revoke what you can't see. The first step in reducing your connected app attack surface is knowing what's actually authorized across the org — not what IT approved, but what users have connected over time.
Most teams have more doors open than they realize.
This is one of three monitoring dashboards available to the IT Support role in MonitorWorkspace. See the overview: How to Give Your Helpdesk the Right Level of Google Workspace Access.