Most IT admins I talk to feel reasonably confident about their Microsoft 365 security posture.
They’ve rolled out MFA. Conditional Access is in place. Devices are enrolled in Intune. Defender is switched on. On paper, it all looks solid.
But when you dig deeper—really dig into the tenant—you start to see something else entirely.
There’s a layer of access sitting underneath all of that. It’s not obvious. It doesn’t show up in the usual dashboards. And in many environments, no one is actively monitoring it.
I’m talking about things like:
- OAuth applications with persistent access
- Service principals that nobody owns
- API permissions that quietly bypass your Conditional Access policies
- Tokens that outlive the controls you think are protecting you
This is what I call the “invisible attack surface.”
And in my experience, it’s one of the most consistently overlooked risks in Microsoft 365—especially in otherwise well-secured environments.
In this article, I’m going to walk through where this risk actually lives, how it gets introduced (often unintentionally), and what you can realistically do about it without breaking your environment.
Quick Fix Summary
If you’re short on time, these are the first things I’d do:
- Audit all enterprise applications and remove anything unused or unknown
- Disable or restrict user consent for third-party apps
- Assign owners to every service principal in your tenant
- Review high-privilege API permissions immediately
- Start monitoring OAuth activity in Defender for Cloud Apps
The Problem: You’re Securing Users, Not Access
Here’s the uncomfortable truth.
Most Microsoft 365 security strategies are built around users and devices.
- Require MFA
- Enforce Conditional Access
- Lock down endpoints
That’s all good—and absolutely necessary.
But modern attacks don’t always rely on logging in as a user.
They rely on getting access once… and keeping it quietly.
That’s where OAuth apps and service principals come in.
Because once an application has been granted access—especially via delegated permissions—it can operate in ways that don’t trigger the same controls you’ve carefully put in place.
And that’s the gap.
Where This “Invisible” Risk Actually Comes From
OAuth Apps: The Silent Permission Grant
One of the most common scenarios I see is this:
A user signs up for a third-party tool—maybe something harmless like a productivity app or reporting dashboard. They click “Sign in with Microsoft,” accept the permissions, and move on.
No ticket. No approval. No visibility.
Behind the scenes, that app might now have:
- Read/write access to their mailbox
- Access to files in OneDrive or SharePoint
- The ability to query directory data
And here’s the kicker—that access persists.
Even if:
- The user forgets about the app
- The app is no longer used
- The user leaves the organisation
I’ve reviewed tenants where dozens (sometimes hundreds) of these apps were sitting there, completely unmonitored.
Service Principals: The Forgotten Identities
Then you’ve got service principals.
These get created whenever an application is registered or integrated. In theory, they’re controlled and managed.
In reality?
They’re often:
- Created during a project
- Used briefly
- Never reviewed again
No owner. No lifecycle. No governance.
And yet, some of them hold high-level permissions into your tenant.
This is where things start to feel uncomfortable, because you quickly realise:
👉 You don’t actually know what has access to your environment anymore.
API Permissions: Where Controls Start to Break Down
This is the part that surprises most people.
We tend to assume that Conditional Access and MFA cover everything.
They don’t.
Those controls are primarily designed around interactive user sign-ins.
But when access is happening via:
- APIs
- Tokens
- App-based authentication
…those controls may not apply in the same way.
I’ve seen scenarios where:
- MFA was enforced perfectly for users
- But an app with delegated permissions could still access data without re-triggering those checks
That’s not a misconfiguration—it’s just how the model works.
And attackers know it.
What This Looks Like in a Real Incident
Let me give you a realistic scenario I’ve seen variations of more than once.
- A user account is compromised (phishing, token theft, etc.)
- The attacker registers or connects an OAuth app
- They grant it high-level permissions (mail, files, directory)
- Even if the password is reset…
- The app still has access
No noisy login attempts. No obvious alerts.
Just quiet, ongoing access to data.
That’s why this attack surface is so dangerous—it doesn’t behave like traditional compromise.
How to Start Getting Visibility (Without Breaking Everything)
This is where most people go wrong—they either ignore it, or they go too aggressive and break integrations.
You need a middle ground.
Start With What You Already Have
Head into:
- Microsoft Entra ID
- Enterprise Applications
Sort by:
- Permissions
- Last sign-in
- Publisher
You’ll quickly spot:
- Apps with broad access
- Apps that haven’t been used in months
- Apps nobody recognises
That’s your starting point.
Use PowerShell to Get the Bigger Picture
If you want a clearer view across the tenant:
Connect-MgGraph -Scopes "Application.Read.All"Get-MgServicePrincipal | Select DisplayName, AppId, AccountEnabled
This will surface:
- All service principals
- Including the ones the portal view tends to hide in plain sight
Then Layer in Some Control
This is where you start tightening things up—carefully.
- Restrict user consent for new applications
- Enable admin approval workflows
- Assign owners to critical apps
- Review high-risk permissions first (don’t try to fix everything at once)
The goal isn’t perfection—it’s visibility and control.
The SaaS Problem Has Changed (And Most People Haven’t Noticed)
A few years ago, “shadow IT” meant users installing random software.
Now it means:
- Browser-based tools
- AI platforms
- SaaS integrations connected via OAuth
And the barrier to entry is basically zero.
Users don’t think they’re doing anything risky—they’re just trying to get their job done.
But from a security perspective, every one of those connections is a potential data access point.
And unless you’re actively monitoring it, you won’t even know it exists.
Additional Tips / Pro Tips
Assign ownership everywhere
If an app doesn’t have an owner, it shouldn’t exist long-term. Ownership drives accountability.
Don’t go on a deletion spree
Killing apps blindly will break business processes fast. Always validate usage first.
Start with high-risk permissions
Focus on apps with:
- Mail.ReadWrite
- Files.ReadWrite.All
- Directory access
That’s where the real exposure is.
Use Defender for Cloud Apps if you have it
This is where visibility really improves—especially around OAuth usage and risk scoring.
FAQ Section
What is the Microsoft 365 “invisible” attack surface?
It refers to hidden access paths like OAuth apps, service principals, and API permissions that operate outside normal user-based security controls.
Are OAuth apps inherently unsafe?
No—but unmanaged or over-permissioned apps introduce significant risk, especially when they persist over time.
Can attackers bypass MFA using OAuth apps?
In some scenarios, yes. Once access is granted via tokens, MFA may not be re-evaluated depending on how access occurs.
How often should I review enterprise applications?
At a minimum quarterly—but realistically, high-risk environments should review continuously or monthly.
What’s the fastest way to reduce risk?
Restrict user consent and review high-permission apps. That alone significantly reduces exposure.
Conclusion / Actionable Takeaways
If you take one thing away from this, it should be this:
👉 Your Microsoft 365 environment is bigger than your user list.
There’s an entire layer of access—applications, tokens, integrations—that most teams don’t actively manage.
And that’s exactly why attackers target it.
Practical next steps:
- Audit all enterprise applications this week
- Identify and review high-permission apps first
- Restrict user consent going forward
- Assign ownership to every service principal
- Build ongoing visibility—not just a one-off cleanup
From experience, this is one of those areas where a few hours of focused work can dramatically reduce your risk profile.
It’s just not the area most people think to look.
Last Updated
April 2026 – Reflects current Microsoft Entra ID, OAuth security model, and evolving SaaS-based attack vectors.
From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.