WhySoGeek.

Audit Your Connected Apps: Revoke Third-Party Access Before It Bites You

Every 'Sign in with Google' and connected app is a standing key into your account. Here's how to find them, judge them, and revoke the ones you don't need.

Sam Carter 7 min read
Photo: cubicgarden / flickr (BY-NC-SA 2.0)

Every time you tapped "Sign in with Google," "Connect to Microsoft," or "Allow this app to access your account," you handed out a standing key. Most of those keys are still active, for apps you forgot, trials you abandoned, and services that may since have been breached. After a year of supply-chain attacks where a single connected app exposed data across hundreds of companies, the smartest 15 minutes you can spend on your own security is auditing and pruning your connected apps. Here is how.

Quick answer

A connected ("Sign in with Google/Microsoft/Apple") app holds a long-lived OAuth grant, in practice a refresh token it exchanges for short-lived access tokens, that lets it reach your account without your password or an MFA prompt, and it keeps working until you revoke it. To audit, open the connected-apps page for each account: myaccount.google.com/permissions for Google; account.microsoft.com, then Privacy, then Apps and services for Microsoft; Settings, then Sign in with Apple for Apple. Remove anything you do not actively use, especially apps with email, file, or contacts access. Revoking the grant is what cuts off the token; deleting the app from your phone does not. Repeat every three to six months.

Key takeaways

  • A connected app holds an OAuth grant, in practice a long-lived refresh token plus the short-lived access tokens it mints, that lets it access your account without your password and without re-triggering MFA.
  • Tokens persist for years until revoked, so old and abandoned connections quietly accumulate as risk. If that app gets breached, your data goes with it.
  • You can review and revoke connected apps in minutes from your Google, Microsoft, and Apple account security pages.
  • Apply least privilege: keep only the apps you actively use, and be especially wary of anything that requested broad access to email, files, or contacts.
  • Make it a habit: a quick audit every three to six months keeps the list short and your exposure low.

Why connected apps are a real risk

When you connect a third-party app to your account, you do not give it your password. You grant it an OAuth token, a credential that lets the app act on your behalf within the permissions you approved. That is genuinely better than sharing a password, but it has two sharp edges.

First, the grant is long-lived. Most providers issue the app a short-lived access token (typically good for about an hour) together with a refresh token; the access token expires, but the refresh token mints a new one on demand for as long as the grant exists, so an app you used once two years ago may still have a live key into your account today. Second, the token bypasses your defenses. Because it represents an already-granted authorization, an attacker who steals it does not face a password prompt or an MFA challenge: the token is the access.

That is exactly the mechanism behind 2026's biggest supply-chain breaches: attackers compromised a connected app, stole its OAuth tokens, and used them to reach the data behind it across many victims at once. We break down the corporate version in our piece on the Salesforce OAuth supply-chain attacks. The personal-account version is smaller in scale but identical in shape, and the defense is the same: keep the list of connected apps short.

Warning

Revoking an OAuth grant is not the same as deleting an app or changing your password. As long as a token is active, the app, or anyone who stole its token, retains the access you granted. The only fix is to revoke it at your account's security page.
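To make the mechanism concrete, here is a toy authorization server that replays the claims above. It is an added example written for this article, not code from any provider: the data model, the one-hour access-token lifetime, the sample app name and the stateless switch are all assumptions chosen to illustrate the text. The stateless mode models the caveat that applies to Microsoft in the table further down (an access token issued before revocation keeps working until it expires); the stateful mode re-checks the grant on every call, which is the behaviour the table describes for Google.

```python
"""Toy OAuth authorization server: what a 'connected app' is on the server side.
Added example for this article; not any real provider's implementation."""
from dataclasses import dataclass, field
import secrets

ACCESS_TTL = 3600              # assumed access-token lifetime, in seconds
ONE_YEAR = 365 * 24 * 3600


@dataclass
class Grant:
    client_id: str
    scopes: frozenset
    revoked: bool = False


@dataclass
class AuthServer:
    # stateless=True: bearer access tokens are not re-checked against the grant
    # on each use (the "existing sessions may persist" caveat).
    # stateless=False: every API call re-checks the grant, so revocation is immediate.
    stateless: bool = False
    password: str = "hunter2"                      # constructed sample value
    grants: dict = field(default_factory=dict)     # refresh_token -> Grant
    access: dict = field(default_factory=dict)     # access_token -> (refresh_token, expiry)

    def consent(self, client_id, scopes):
        """The 'Allow' click: store a grant and hand the app a refresh token."""
        refresh_token = secrets.token_urlsafe(16)
        self.grants[refresh_token] = Grant(client_id, frozenset(scopes))
        return refresh_token

    def refresh(self, refresh_token, now):
        """Mint a short-lived access token; works for as long as the grant lives."""
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked:
            return None
        access_token = secrets.token_urlsafe(16)
        self.access[access_token] = (refresh_token, now + ACCESS_TTL)
        return access_token

    def use(self, access_token, scope, now):
        """An API call bearing the token: no password, no MFA prompt involved."""
        entry = self.access.get(access_token)
        if entry is None:
            return False
        refresh_token, expiry = entry
        grant = self.grants[refresh_token]
        if now >= expiry or scope not in grant.scopes:
            return False
        return True if self.stateless else not grant.revoked

    def change_password(self, new_password):
        """A password change leaves every grant untouched."""
        self.password = new_password

    def revoke(self, refresh_token):
        """What the account's 'remove access' button does."""
        grant = self.grants.get(refresh_token)
        if grant is not None:
            grant.revoked = True


def walkthrough(stateless):
    """Replay the article's claims against the model and return named outcomes."""
    srv = AuthServer(stateless=stateless)
    now = 0
    refresh_token = srv.consent("pdf-tool", ["gmail.readonly"])   # constructed app
    stolen_copy = refresh_token            # e.g. exfiltrated when the app is breached
    results = {}

    srv.change_password("correct horse battery staple")
    now += ONE_YEAR                        # the user forgot this app long ago
    token = srv.refresh(stolen_copy, now)
    results["works_after_password_change_a_year_later"] = srv.use(token, "gmail.readonly", now)
    results["can_reach_ungranted_scope"] = srv.use(token, "drive", now)

    now += ACCESS_TTL                      # access tokens do expire...
    results["old_access_token_still_works"] = srv.use(token, "gmail.readonly", now)
    token = srv.refresh(stolen_copy, now)  # ...but the refresh token mints another
    results["refresh_mints_new_token"] = srv.use(token, "gmail.readonly", now)

    srv.revoke(refresh_token)              # the user audits and removes the app
    results["refresh_after_revoke"] = srv.refresh(stolen_copy, now) is not None
    results["issued_token_after_revoke"] = srv.use(token, "gmail.readonly", now + 1)
    results["issued_token_after_expiry"] = srv.use(token, "gmail.readonly", now + ACCESS_TTL)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("stateless" if mode else "stateful", walkthrough(mode))
```

The point of the two runs is the last three outcomes: in both modes the refresh token stops working the moment the grant is revoked, but in stateless mode an access token issued just before revocation is honoured until its expiry, which is why the Microsoft note below also tells you to sign out of active sessions for anything suspicious.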

How to audit each major account

The flow is similar everywhere: find the connected-apps page, look at what each app can access, and remove anything you do not actively use or recognize.

Google

    1. Go to your Google Account security page and open Third-party apps with account access (at myaccount.google.com/permissions).
    2. Click each app to see exactly what it can access; note anything with full account access or broad Gmail, Drive, or Contacts scopes.
    3. For anything you no longer use or do not recognize, click the app and choose Delete all connections to revoke it.

Microsoft

    1. Sign in at account.microsoft.com, open Privacy, then Apps and services that can access your data.
    2. Click an app or its edit option to review the permissions it holds.
    3. Choose Remove these permissions to revoke access for anything stale or unfamiliar.

Note that on Microsoft, revoking permissions stops new access but existing sessions may persist until they expire or you sign out, so for anything suspicious, also sign out of active sessions.

Apple

For your Apple Account, review Sign in with Apple apps in your account settings (or under Settings, your name, Sign in with Apple on an iPhone or iPad) and stop using Apple sign-in for any app you have abandoned.

Here is where to find each list and what revoking actually does on that platform:

Account | Where to audit | What revoking does
Google | myaccount.google.com/permissions | Invalidates the token immediately; the app loses all granted access
Microsoft | account.microsoft.com, then Privacy, then Apps and services | Stops new access; existing sessions may persist until expiry, so also sign out
Apple | Settings, then your name, then Sign in with Apple | Stops the app using your Apple identity; you may need a password reset to keep using it
GitHub / Dropbox / Slack | Each service's own Settings, then Connected apps | Revokes that service's token; check these separately, they are not in the big three

[Image: a smartphone displaying an app permissions settings screen. Photo: Johan Larsson / flickr (BY 2.0)]

How to judge what to keep

Not every connection is equally risky. As you go down the list, weight your decisions by how much access the app holds and how much you trust and use it.

  • Revoke aggressively anything you do not recognize, have not used in months, or only connected for a one-time task or trial.
  • Scrutinize broad scopes. An app that can read and send your email, manage all your files, or see all your contacts is a far bigger liability than one that only knows your name and email. The broader the access, the higher the bar for keeping it.
  • Keep, but stay aware of, the handful of apps you actively rely on. Even these are worth a periodic sanity check: a tool you trust can still be breached.

The guiding principle is least privilege: the fewer apps with access, and the narrower that access, the smaller the damage when one of them is inevitably compromised.
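The rules above are mechanical enough to script once you have the list in front of you. The following triage is an added example for this article, not code from any provider or from the author: the record format is constructed (one entry per grant, with the provider's own scope strings as shown on the audit pages), and the thresholds of 180 idle days in general and 30 idle days for anything with mailbox access are assumptions, as is the treatment of Google's drive.file scope as narrow because it only reaches files the app itself created or the user opened with it. The scope strings themselves are real Google and Microsoft Graph scopes.

```python
"""Least-privilege triage of a connected-apps list.
Added example for this article; the record format and thresholds are assumptions."""
from datetime import date

IDLE_DAYS = 180          # assumed cutoff for "have not used in months"
EMAIL_IDLE_DAYS = 30     # assumed shorter leash for mailbox access

GOOGLE_PREFIX = "https://www.googleapis.com/auth/"
# Scopes that only identify the user, or (drive.file) reach per-file data only.
NARROW = {"openid", "email", "profile", "userinfo.email", "userinfo.profile",
          "drive.file", "User.Read", "offline_access"}
FAMILY_TO_CATEGORY = {"gmail": "email", "mail": "email",
                      "drive": "files", "files": "files",
                      "contacts": "contacts"}


def classify_scope(scope):
    """Map a Google or Microsoft Graph scope string to a coarse data category."""
    if scope == "https://mail.google.com/":
        return "email"                                   # full Gmail access
    short = scope[len(GOOGLE_PREFIX):] if scope.startswith(GOOGLE_PREFIX) else scope
    if short in NARROW:
        return "narrow"
    family = short.split(".")[0].lower()                 # gmail.readonly -> gmail, Mail.Send -> mail
    return FAMILY_TO_CATEGORY.get(family, "other")


def triage(grant, today):
    """Return (decision, reason) for one grant, applying the article's rules in order."""
    categories = {classify_scope(s) for s in grant["scopes"]}
    broad = sorted(categories & {"email", "files", "contacts"})
    idle = (today - grant["last_used"]).days
    if not grant.get("recognized", True):
        return "revoke", "app not recognized"
    if grant.get("one_time", False):
        return "revoke", "connected for a one-time task or trial"
    if idle > IDLE_DAYS:
        return "revoke", f"idle for {idle} days"
    if "email" in broad and idle > EMAIL_IDLE_DAYS:
        return "revoke", f"mailbox access and idle for {idle} days"
    if broad:
        return "scrutinize", "broad access: " + ", ".join(broad)
    return "keep", "narrow scopes, in active use"


def triage_all(grants, today):
    """Decision per app name for a whole exported list."""
    return {g["app"]: triage(g, today) for g in grants}


SAMPLE_GRANTS = [   # constructed records, not real audit output
    {"app": "Slack", "provider": "google", "last_used": date(2026, 3, 30),
     "scopes": ["openid", "email", "profile"]},
    {"app": "Mail Merge Trial", "provider": "google", "last_used": date(2025, 2, 1),
     "scopes": ["https://mail.google.com/", GOOGLE_PREFIX + "contacts.readonly"]},
    {"app": "PDF Editor", "provider": "google", "last_used": date(2026, 3, 22),
     "scopes": [GOOGLE_PREFIX + "drive", GOOGLE_PREFIX + "userinfo.email"]},
    {"app": "Receipt Scanner", "provider": "google", "last_used": date(2026, 3, 27),
     "scopes": [GOOGLE_PREFIX + "drive.file", GOOGLE_PREFIX + "userinfo.email"]},
    {"app": "Mail Client", "provider": "microsoft", "last_used": date(2026, 2, 15),
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read"]},
    {"app": "xyz-sync-7", "provider": "microsoft", "last_used": date(2026, 3, 31),
     "recognized": False, "scopes": ["Files.ReadWrite.All"]},
]

if __name__ == "__main__":
    for app, (decision, reason) in triage_all(SAMPLE_GRANTS, date(2026, 4, 1)).items():
        print(f"{decision:10} {app:18} {reason}")
```

The rule order matters: an unrecognized app is revoked regardless of scope, an idle app is revoked regardless of how narrow its scope is, and only an app that survives both checks gets judged on breadth of access. Note that offline_access on Microsoft is what asks for a refresh token in the first place; it reveals no data on its own, which is why it is filed as narrow here, but its presence is a good sign that the grant will outlive the session that created it.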

Tip

Pay special attention to apps that can access your email. Email is the master key that resets every other password, so an app, or attacker, with mailbox access is uniquely dangerous. When in doubt about an email-scoped app, revoke it; you can always reconnect a tool you actually need.

Make it a habit

A one-time cleanup is good; a recurring one is better. Connected apps accumulate silently as you try new services, so the list grows back if you never look. Put a reminder on your calendar to run this audit every three to six months. It takes a few minutes once the list is already short, and it ensures a service you forgot about, one that may since have been breached, is not still holding a live key.

Pair this with the rest of your account hygiene. Strong, unique passwords and phishing-resistant MFA protect the front door of your accounts; pruning connected apps closes the side doors. And if you discover an app you do not recognize had access, treat it as a possible compromise and follow up with our data-breach response checklist.

Frequently asked questions

Will revoking an app's access break anything?

It will stop that app from accessing your account, so a service you actively use will need you to reconnect or sign in again next time. For apps you no longer use, there is no downside. When unsure, revoking is the safer default; reconnecting a tool you actually need takes seconds.

Is "Sign in with Google/Apple" safe to use?

Yes, it is generally safer than creating yet another password, because you are not sharing credentials with the app. The risk is not the sign-in itself but the accumulation of forgotten connections over time. Use it freely, and audit the resulting list periodically.

What is the difference between deleting an app and revoking access?

Deleting an app from your phone removes the software, but the OAuth token it was granted can remain active on the server side. Revoking access at your account's security page is what actually invalidates the token and cuts off the connection.

How often should I do this?

Every three to six months is a sensible cadence for most people. If you sign up for a lot of new services, or after any breach involving an app you connected, do it sooner.
