performing-oauth-scope-minimization-review

# Performing OAuth Scope Minimization Review ## When to Use - Annual or quarterly review of third-party application OAuth permissions - After a security incident involving compromised OAuth tokens or unauthorized data access - Compliance audit requiring documentation of third-party data access (GDPR Article 28, SOC 2) - Discovery of shadow IT applications accessing organizational data via OAuth grants - Migration or consolidation of SaaS applications requiring permission cleanup - Implementing least-privilege principle for API integrations **Do not use** for reviewing first-party application permissions within the same trust boundary; OAuth scope minimization focuses on third-party and cross-boundary consent grants. ## Prerequisites - Admin access to identity providers (Microsoft Entra ID, Okta, Google Workspace) - Microsoft Graph API permissions: Application.Read.All, OAuth2PermissionGrant.ReadWrite.All - Inventory of approved third-party integrations from procurement or IT governance - OAuth scope risk classification framework - Tools for token analysis (jwt.io for manual review, automated scripts for bulk analysis) ## Workflow ### Step 1: Inventory All OAuth Grants and Consent Permissions Enumerate all OAuth application registrations and delegated permissions: ```python """ OAuth Grant Inventory - Microsoft Entra ID Enumerates all application registrations, service principals, and delegated/application permission grants. """ import requests import json from collec...