Can anyone provide any guidance about how to conduct a security review of applications that were previously authorized by users in AAD? What should we be looking for? How can we easily identify the apps with the most worrisome permissions that should get closer scrutiny?
There's no easy answer here, as you need to understand what exactly each app is used for before making a call on its permissions. I would flag and review everything that uses application permissions, and when it comes to delegated permissions, things such as impersonation, everything that requires admin consent or, if I really want to get thorough, even permissions such as Directory.Read.All.
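As an added example (not from either poster), the following Microsoft Graph PowerShell script inventories consented permissions in a tenant and flags the categories the answer above calls out: every application permission, delegated scopes that require admin consent, impersonation scopes, and a hand-picked watch list. It assumes the Microsoft.Graph module is installed and that the `$HighRisk` list is yours to adjust.

```powershell
# Added example: inventory app consent grants in AAD and flag the ones to review first.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Assumed watch list of delegated scopes that deserve a closer look; extend as needed.
$HighRisk = @("Directory.Read.All", "Directory.ReadWrite.All", "Mail.Read", "Mail.ReadWrite",
              "Files.Read.All", "Files.ReadWrite.All", "Application.ReadWrite.All")

# Cache every service principal so resource ids and role ids can be resolved to names.
$sps = Get-MgServicePrincipal -All
$spById = @{}
foreach ($sp in $sps) { $spById[$sp.Id] = $sp }

$findings = @()

# 1. Application permissions: appRoleAssignments held by a client service principal.
#    There is no user in the loop, so every one of these is flagged for review.
foreach ($sp in $sps) {
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = $spById[$a.ResourceId]
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        $findings += [pscustomobject]@{
            App = $sp.DisplayName; Type = 'Application'; Resource = $a.ResourceDisplayName
            Permission = $role.Value; Consent = 'AllPrincipals'; Flag = 'Review'
        }
    }
}

# 2. Delegated permissions: oauth2PermissionGrants. ConsentType 'AllPrincipals' means an
#    admin consented for the whole tenant; 'Principal' means one user consented for themself.
foreach ($g in (Get-MgOauth2PermissionGrant -All)) {
    $client   = $spById[$g.ClientId]
    $resource = $spById[$g.ResourceId]
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        # The resource's scope definition says whether this scope needs admin consent.
        $def = $resource.Oauth2PermissionScopes | Where-Object { $_.Value -eq $scope }
        $needsAdmin = $def.Type -eq 'Admin'
        $flag = if ($needsAdmin -or $scope -like '*impersonation*' -or $HighRisk -contains $scope) { 'Review' } else { '' }
        $findings += [pscustomobject]@{
            App = $client.DisplayName; Type = 'Delegated'; Resource = $resource.DisplayName
            Permission = $scope; Consent = $g.ConsentType; Flag = $flag
        }
    }
}

# Flagged grants first for triage; the full inventory goes to CSV for the review record.
$findings | Where-Object { $_.Flag -eq 'Review' } | Sort-Object App, Type | Format-Table -AutoSize
$findings | Export-Csv -Path .\aad-app-permissions.csv -NoTypeInformation
```

Grants with `Consent = Principal` were consented by individual users rather than an admin, which is the set the original question is about.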