Microsoft 365 application integrations
What are Application Integrations
Microsoft 365 is a suite of services used for file management, communication and collaboration. It includes services like Microsoft Teams, SharePoint Online, Exchange Online, and the Office applications (such as Word, PowerPoint, and Excel). To enhance usability and allow user customization, Microsoft supports application integrations that connect third-party services to Microsoft 365 services. These integrations let you do things like use Grammarly's writing assistance in Microsoft Word, create Zoom meeting links in Outlook, or search Wikipedia articles from a Teams chat.
How do Application Integrations work
Application integrations work by requesting access to user data through Microsoft Graph permissions. Delegated permissions let the application act only on behalf of the signed-in user, so it can reach nothing that user could not reach themselves. Application permissions act without any signed-in user and cover every account in the organization within the permission's scope; they always require administrator consent. The combination of scope and access type is what makes some permissions low-impact (such as read access to the files owned by the signed-in user) and others high-impact (such as read and write access to the files of all users in the organization). Note that a delegated permission can still be broad: one that covers everything the signed-in user can access is riskier than one scoped to that user's own data, and some delegated permissions also require administrator consent for that reason.
When a user adds an application integration, they are shown a consent prompt listing the permissions the application requests and asked to grant them.
Where do Application Integrations come from
Applications can be written by independent developers or by large companies. Whoever creates the application must register for a Microsoft Partner Center account to submit it, and the submission is validated by Microsoft (the Microsoft app certification process) before it is accepted. In addition, the developer can apply for publisher verification, which means Microsoft has verified the identity of the organization that publishes the app. Verified publishers have a blue check mark next to their name.
Installing Application Integrations
To manage the risk involved with application integrations, our organization has created a policy that controls which applications users can install in a self-service fashion. Self-service installation is restricted to applications that meet both of the following requirements:
- The application is from a verified publisher, denoted by the blue check mark on the consent page or the certification badge in the Microsoft app store
- The application only uses permissions that we've determined to be low-impact
These restrictions limit the organization's exposure. A verified publisher means Microsoft has confirmed the identity of the organization behind the application and the submission has passed Microsoft's validation, and the low-impact requirement means the application uses only permissions scoped to the individual user. Restricting self-service installation to such low-risk applications is what lets us continue to allow it at all.
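The following is an added example, not part of the original article or of any Microsoft documentation, showing how an administrator would implement the policy described above with the Microsoft Graph PowerShell SDK. It also illustrates the delegated-versus-application distinction from the "How do Application Integrations work" section by listing both kinds of Microsoft Graph permission. It assumes the Microsoft.Graph module is installed and that the signed-in account can edit authorization and permission-grant policies. The Microsoft Graph application ID, the policy identifiers and the cmdlets are real; the specific list of permissions classified as low-impact is an assumption for illustration, not this organization's actual list.

```powershell
# Added example (not the article's own code): configure self-service consent so that users
# can only consent to apps from verified publishers that request "low"-classified permissions.
# Assumes: Microsoft.Graph PowerShell SDK installed; account holds the scopes requested below.

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.PermissionGrant", "Application.Read.All"

# 1. Look up the Microsoft Graph service principal. Its appId is the same in every tenant;
#    the object Id is tenant-specific, which is why it must be looked up rather than hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 2. Delegated permissions (OAuth2 scopes) act as the signed-in user. Type 'User' means a user
#    may consent for themselves if policy allows; Type 'Admin' means only an administrator can.
$graphSp.Oauth2PermissionScopes |
    Sort-Object Value |
    Select-Object Value, Type, Id |
    Format-Table -AutoSize

# 3. Application permissions (app roles) run with no signed-in user and span every account or
#    site the role describes; these always require administrator consent.
$graphSp.AppRoles |
    Where-Object { $_.AllowedMemberTypes -contains 'Application' } |
    Sort-Object Value |
    Select-Object Value, Id |
    Format-Table -AutoSize

# 4. Classify the delegated permissions treated as low-impact. ASSUMED allowlist for the
#    example: user-scoped, read-mostly scopes only. Anything ending in .All or granting write
#    access is deliberately left out so it falls through to admin consent.
$lowImpact = @('openid', 'profile', 'email', 'offline_access', 'User.Read', 'Files.Read')
foreach ($name in $lowImpact) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $scope) { Write-Warning "No delegated scope named $name on Microsoft Graph"; continue }
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id -BodyParameter @{
        permissionId   = $scope.Id
        permissionName = $scope.Value
        classification = 'low'
    }
}

# 5. Weak setting, shown for contrast only (do not run): the legacy policy lets any user
#    consent to any app for any delegated permission, verified publisher or not.
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @('managePermissionGrantsForSelfServiceApps.microsoft-user-default-legacy')
# }

# 6. Hardened setting: users may self-consent only to apps from verified publishers that request
#    permissions classified 'low'. Everything else triggers the admin-consent prompt.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('managePermissionGrantsForSelfServiceApps.microsoft-user-default-low')
}

# 7. Verify the policy assignment and the classifications that were created.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id |
    Select-Object PermissionName, Classification
```

Step 4 is the part that needs judgement: the built-in `microsoft-user-default-low` policy only lets users consent to permissions an administrator has explicitly classified as low, so an empty classification list means no self-service consent at all, and classifying a `.All` scope as low silently widens what every user can grant. Application permissions (step 3) cannot be classified for user consent and always go to an administrator.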
What if I cannot install the Application Integration
You may find an application integration that you would like to install, but it isn't from a verified publisher or it requests riskier permissions. In these cases you will not be able to consent yourself; instead the consent prompt will tell you that a global administrator needs to grant consent on the organization's behalf. Often this means the application was designed to work only with application-level permissions and expects to access data from all users' accounts. In these situations we urge you to reconsider and, if possible, find an alternative. An application that can access more sensitive types of data, or every account in the organization, is far riskier than one limited to a specific account or to low-impact permissions.
If you still want to use an application integration that exposes the campus to greater risk, you can request an application review. The review process involves both
- a vendor risk assessment by the Governance, Risk, and Compliance (GRC) team, and
- a permission and scope review by the Office 365 team
A GRC review is generally included when an application is purchased. If the application is free, you can start the process by filling out the GRC team's form. The Office 365 team's review can be initiated by sending an email to office365@illinois.edu that includes the intended user group, the intended use case, and the developer's documentation on installation and the requested permissions.