That's a good question, it does look like Cloud App Security might help at least somewhat, if that's not overkill -
Connect Office 365 to Microsoft Cloud App Security
"After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs."
Manage app permissions
"Many third-party productivity apps that might be installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Office 365, G Suite and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app. This problem is compounded by the fact that IT may not have enough insight to weigh the security risk of an application against the productivity benefit that it provides."
It goes on to say:
"Because accepting third-party app permissions is a potential security risk to your organization, monitoring the app permissions your users grant gives you the necessary visibility and control to protect your users and your applications. The Cloud App Security app permissions enable you to see which user-installed applications have access to Office 365 data, G Suite data and Salesforce data, what permissions the apps have, and which users granted these apps access to their Office 365, G Suite and Salesforce accounts. App permissions help you decide which apps you allow your users access to, and which ones you want to ban."
All this functionality does come at a cost - "Get Microsoft Cloud App Security as part of Enterprise Mobility + Security E5 or as a standalone service. Cloud App Security is available at $3.50 per user per month estimated retail price".
