by finaliteration
2007 days ago
Agreed. However some service providers (like GitHub) allow a user with admin access to approve any OAuth app the first time it’s “launched” if they are the ones initiating the request, rather than using a pre-defined allowlist approach which I believe is what Office 365 does. My wish would be for some sort of multi-person approval process rather than allowing anyone who is an admin to authorize an app. Even admins can be susceptible to a targeted and advanced attack. Also, many people (like myself before my own “failure”) simply aren’t aware of OAuth apps as a serious attack vector. Most remedial training around phishing campaigns covers things like fake login pages but not “An attacker has spoofed an internal domain and an OAuth app with your company’s name in it”.