If your business uses Microsoft 365 applications, you or your employees may have encountered a pop-up window requesting permission to access various account data.
In this article, we'll cover how to choose the safest option the next time you encounter this pop-up.
What Is the "Permissions Requested" Pop-up?
This innocuous-looking window pops up from time to time within programs such as Outlook, Teams, SharePoint, and others. It prompts users to grant a specific app or add-in permission to access parts of their Microsoft account.
Users are quick to press the Accept button to remove the pop-up; however, as with any unsolicited request, caution is key, especially considering the sensitive nature of the business data in your Microsoft 365 account.
Understanding the Dangers of Overly Broad Access
At first glance, a request for permission may seem minor or necessary to use a certain program feature, but have you considered what exactly you may be granting access to? And more importantly, WHO are you granting it to?
You could be granting a third party the ability to:
- access all files within your account, both reading and writing;
- read all of your emails and send emails as you;
- read and modify any calendar you have access to;
- read all of your contacts;
- read Teams chat messages;
- read the full profiles of all users within Microsoft 365;
- and much more.
By approving these requests without understanding them, you could unwittingly hand over control of your entire Microsoft environment and any contained data to an unknown third party. They would have ongoing access, potentially even after the app is removed.
Legitimate Uses
Certain apps and add-ins within Microsoft 365 do have legitimate integration needs. For example, your job scheduling CRM may require calendar and email access.
A project management tool allowing teams to collaborate directly within SharePoint may also need permission to upload files on behalf of users.
In these cases, granting an appropriate amount of permission makes sense.
What to Look For in a "Permissions Requested" Pop-Up
The key is to carefully review the proposed permissions for all external apps and add-ins, and understand precisely what access is required.
For example, reviewing the name of the requesting app or add-in can help determine if it's something your company has purposefully installed or a potentially suspicious third-party program. If it says "Unverified" or "This app may be risky," it might be best to press the Cancel button for now.
Check which specific permissions are being asked for. Does it make sense for a graph-making add-in to ask for full access to your emails and their contents? Probably not.
Checking with Your IT Team
If any aspect of the request seems ambiguous, vague, or overly broad in scope, it's always best to approve it only once it can be validated by your company's IT staff or managed service provider.
Their oversight helps ensure all access to Microsoft 365 data aligns with approved usage policies and does not inadvertently enable unauthorized or unintended access that could pose future risks. Even if it requires delaying approval, taking these extra precautions is well worth it to help maintain a secure environment.
After all, it's much easier for your IT staff to investigate before sensitive data is exposed than to deal with potential security issues or breaches later.
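For IT staff reviewing consent that has already been given, here is an added example (not part of the original article) that flags broad grants in an export shaped like Microsoft Graph's oauth2PermissionGrants and service principal records. The app names, IDs and sample records are constructed, and the mapping of the article's list to Graph scope names is this example's assumption.

```python
# Added example: flag broad delegated permission grants in a tenant export.
# Records mimic Microsoft Graph oauth2PermissionGrants / servicePrincipals;
# every ID, app name and publisher below is constructed sample data.

RISKY_SCOPES = {  # assumed mapping of the article's list to Graph scopes
    "Files.ReadWrite.All": "read and write all files",
    "Mail.Read": "read all email",
    "Mail.Send": "send email as the user",
    "Calendars.ReadWrite": "read and modify calendars",
    "Contacts.Read": "read contacts",
    "Chat.Read": "read Teams chat messages",
    "User.Read.All": "read all users' full profiles",
}

GRANTS = [  # constructed
    {"clientId": "app-1", "consentType": "Principal",
     "scope": "openid profile User.Read Calendars.ReadWrite Mail.Send"},
    {"clientId": "app-2", "consentType": "Principal",
     "scope": "User.Read Mail.Read Files.ReadWrite.All Contacts.Read"},
    {"clientId": "app-3", "consentType": "AllPrincipals", "scope": "User.Read"},
]
APPS = {  # constructed; an unverified app has no publisher display name
    "app-1": {"displayName": "Example Scheduling CRM",
              "verifiedPublisher": {"displayName": "Example CRM Inc."}},
    "app-2": {"displayName": "Example Chart Add-in",
              "verifiedPublisher": {"displayName": None}},
    "app-3": {"displayName": "Example Intranet",
              "verifiedPublisher": {"displayName": "Example Corp"}},
}

def audit(grants, apps):
    """Return grants holding risky scopes, riskiest first."""
    findings = []
    for g in grants:
        risky = sorted(set(g.get("scope", "").split()) & set(RISKY_SCOPES))
        if not risky:
            continue  # only sign-in or basic profile scopes
        app = apps.get(g["clientId"], {})
        publisher = (app.get("verifiedPublisher") or {}).get("displayName")
        findings.append({"app": app.get("displayName", "<unknown app>"),
                         "verified": publisher is not None,
                         "tenant_wide": g.get("consentType") == "AllPrincipals",
                         "risky_scopes": risky})
    # Unverified publishers first, then tenant-wide consent, then scope count
    findings.sort(key=lambda f: (f["verified"], not f["tenant_wide"],
                                 -len(f["risky_scopes"])))
    return findings

if __name__ == "__main__":
    for f in audit(GRANTS, APPS):
        what = "; ".join(RISKY_SCOPES[s] for s in f["risky_scopes"])
        print(f"{f['app']} (verified={f['verified']}): {what}")
```

A flagged grant is not automatically a problem: the scheduling CRM's calendar and email access matches the legitimate use described earlier, while mail and file access for a chart add-in from an unverified publisher is the mismatch to investigate.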
If you have any questions or are concerned that you may have given an app too much access in the past, reach out to us by dialing 610-599-6195, and we will be glad to help.