
Executive Summary
Many third-party apps now ask to connect directly to Microsoft 365. This can be useful, especially when an app needs to work with Outlook, Teams, SharePoint, OneDrive, calendars or user accounts.
However, approving an app is not just a routine IT task. Depending on the permissions requested, you may be giving that app access to company emails, files, user details or other sensitive business data.
Before authorising a new app, your business should understand what access is being requested, why it is needed, how the app protects data, and what happens if you later remove it. This guide explains the main questions to ask before saying yes.
Introduction
It often starts with a simple request.
A member of staff has found a useful app that could save time, automate a task or improve the way your business works. To get started, the app asks for permission to connect to Microsoft 365.
That does not automatically mean the app is unsafe. Many trusted business tools need some level of Microsoft 365 access to function properly.
The important point is that not all permissions are equal. One app may only need to confirm a user’s identity. Another may ask to read emails, access files, update calendars or connect to data across the wider organisation.
That is why app approval should be treated as a business decision, not just a technical one.
Why app approval matters
Microsoft 365 often holds some of your organisation’s most important information. That may include client data, contracts, financial documents, HR information, internal conversations, emails and commercially sensitive files.
When a third-party app is approved, it may be allowed to access some of that information.
Microsoft describes consent as the process of allowing an application to access protected resources, such as user, email or calendar data. Some requests can be approved by users, while others need administrator approval.
For a business, the question is simple:
Would we be comfortable giving this app the access it is asking for?
If the answer is not clear, the request should be reviewed before it is approved.
What is the app asking to access?
The first thing to check is what the app wants to access and whether that access makes sense.
For example, a calendar booking tool may reasonably need calendar access. A document workflow tool may need access to certain SharePoint files. But if a simple sign-in app asks for full mailbox access or broad file permissions, that should raise a concern.
It is also important to understand the level of access being requested. Can the app only read data, or can it also change, delete or export it? Can it access only one user’s information, or could it access data belonging to other people in the business?
Some apps act on behalf of a signed-in user. Others may be granted wider permissions that allow them to access data more broadly across the Microsoft 365 tenant. That difference matters.
A good app should follow the principle of least privilege. In plain English, this means it should only ask for the access it genuinely needs. Microsoft also recommends requesting the least privileged permissions required for an app to work correctly.
If the app asks for more access than expected, the vendor should be able to explain why.
How will the app handle your data?
Approving an app does not always mean your data stays inside Microsoft 365.
Some apps process, copy or store information in their own systems. That may be perfectly acceptable, but your business should understand what is happening before access is granted.
The key questions are where the data is stored, whether it is transferred outside the UK or European Economic Area, how long it is retained, and whether it can be deleted if the app is no longer used.
You should also check how the vendor protects the data. For example, does the app encrypt data while it is being transferred and while it is stored? Does the vendor have clear security documentation? Are there recognised security standards or certifications, such as ISO 27001, Cyber Essentials or SOC 2?
Not every supplier will have the same level of documentation as a global software provider, but they should still be able to explain how they protect your information.
For UK businesses, data protection also needs to be considered. If the app processes personal data, you may need to think about UK GDPR, privacy notices and whether a Data Protection Impact Assessment is required. The ICO says a DPIA is required where processing is likely to result in a high risk to individuals.
This does not mean every app needs a full compliance review. But apps handling sensitive data, large volumes of personal data or client information should be checked carefully.
Can you trust the vendor?
The app is only one part of the decision. You also need to trust the organisation behind it.
Before approving access, look at whether the vendor is established, whether they provide proper support, where they are based, and whether they publish clear privacy and security information.
It is also worth checking whether the app is listed or verified within Microsoft’s ecosystem, whether other businesses use it, and whether the terms are suitable for business use.
Be cautious with unknown developers, free tools with unclear funding models, or services that do not explain how they use customer data.
A useful test is this:
Would we be comfortable giving this organisation access to the data it is requesting?
If not, the app should not be approved without further review.
Who else could access the data?
It is not enough to ask what the app can access. You also need to ask who can access the app.
For example, can any employee connect it? Can users invite external people? Can the vendor’s support team view your data? Can the app’s own administrators see information that originally came from Microsoft 365?
This matters because data can become exposed indirectly. An app may be approved for one person or team, but then allow wider access through its own sharing settings.
Ideally, the app should support role-based access. This means people only get access to the features and data they need for their role. Your business should also be able to control who can use the app, rather than allowing anyone with a company account to connect it.
Does it fit with your existing security controls?
Your Microsoft 365 environment may already use security measures such as Multi-Factor Authentication, Conditional Access, device controls and sign-in monitoring.
A new app should not weaken those controls.
Check whether users can sign in securely using their Microsoft account, whether MFA is supported, whether access can be limited to approved users, and whether activity can be logged and reviewed.
This is especially important if the app can read, export, change or delete information. Without useful logs, it can be difficult to understand what happened if something goes wrong.
You should also consider whether the app connects Microsoft 365 to other systems, such as CRM software, finance platforms, HR tools, cloud storage or artificial intelligence services. Each extra integration creates another place where data may be sent, stored or shared.
That does not mean integrations are bad. It simply means they should be understood before they are approved.
What happens if you remove the app later?
It is easy to focus on getting an app working. It is just as important to understand how you would remove it.
Before approving a new app, check whether access can be revoked easily, whether removing the app removes all permissions, and whether the vendor keeps any data afterwards.
You should also consider whether data can be exported before cancellation, whether retained data can be deleted on request, and whether there are any licence or cancellation terms that could affect the business.
This is your exit strategy.
A trustworthy app should make it clear how access can be removed and what happens to your data when you stop using the service.
A simple approval checklist
Before authorising a new Microsoft 365 app, your business should be able to answer these questions:
- What business problem does the app solve?
- What Microsoft 365 data does it need to access?
- Are the permissions reasonable for what the app does?
- Could it access data belonging to other users?
- Where will the data be stored, processed and retained?
- Is the vendor reputable and transparent?
- Does the app support your security controls, including MFA?
- Can access be logged, reviewed and removed later?
- Could the app change, delete or overwrite business data?
- Are there GDPR, privacy, licensing or cancellation considerations?
If the answers are unclear, pause before approving the request.
Microsoft provides tools such as user consent settings and admin consent workflows to help organisations manage how app consent requests are reviewed.
It is also sensible to review approved apps periodically. An app that was useful a year ago may no longer be needed, or its permissions may no longer be appropriate.
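As an added illustration, not part of the original guide, the following Python triages a constructed export in the shape of Microsoft Graph's oauth2PermissionGrants listing, which records the delegated permissions each app has been consented to, and flags the two things the guide asks about: whether a permission can change data, and whether it reaches beyond one user (a ".All" scope, or admin consent for all users). The app ids and scopes are invented sample data, the risk rules are a simple heuristic rather than Microsoft's, and application permissions (app role assignments) are outside this sample.

```python
import json

# Constructed sample in the shape of a Microsoft Graph
# GET /oauth2PermissionGrants response (delegated permission grants).
# Ids are placeholders; the apps and scopes are invented for the example.
SAMPLE_EXPORT = json.dumps({"value": [
    {"clientId": "app-booking-tool", "consentType": "Principal",
     "principalId": "user-0001", "scope": "User.Read Calendars.ReadWrite"},
    {"clientId": "app-signin-only", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
    {"clientId": "app-directory-viewer", "consentType": "Principal",
     "principalId": "user-0002", "scope": "User.Read.All"},
]})

# Heuristic markers for permissions that can change, send or manage data.
WRITE_MARKERS = ("ReadWrite", "Write", "Send", "Manage")


def classify_scope(scope, consent_type):
    """Classify one delegated permission name such as 'Files.ReadWrite.All'."""
    can_write = any(m in scope for m in WRITE_MARKERS)
    # '.All' on a delegated scope reaches beyond the signed-in user's own data;
    # consentType 'AllPrincipals' means an admin granted it for every user.
    beyond_own_data = scope.endswith(".All")
    tenant_wide = consent_type == "AllPrincipals"
    if can_write and (beyond_own_data or tenant_wide):
        risk = "HIGH"
    elif can_write or beyond_own_data or tenant_wide:
        risk = "MEDIUM"
    else:
        risk = "LOW"
    return {"scope": scope, "write": can_write,
            "beyond_own_data": beyond_own_data, "tenant_wide": tenant_wide,
            "risk": risk}


def triage_grants(export_json):
    """Return one finding per (app, scope) pair for an oauth2PermissionGrants export."""
    findings = []
    for grant in json.loads(export_json)["value"]:
        for scope in grant["scope"].split():
            row = classify_scope(scope, grant["consentType"])
            row["app"] = grant["clientId"]
            findings.append(row)
    return findings


def apps_needing_review(export_json):
    """Apps holding at least one HIGH-risk grant, sorted for a review list."""
    return sorted({f["app"] for f in triage_grants(export_json) if f["risk"] == "HIGH"})
```

In the sample, the "sign-in only" app holding Mail.ReadWrite and Files.ReadWrite.All for all users is exactly the mismatch between stated purpose and requested access that the guide says should raise a concern.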
Final Thoughts
Third-party apps can be very useful. They can save time, improve processes and help Microsoft 365 connect with the other systems your business relies on.
But every app approval is also a trust decision.
You are deciding whether another organisation should be allowed to access part of your Microsoft 365 environment. In some cases, that access may include sensitive company or personal data.
The safest approach is not to block every request. It is to ask the right questions before saying yes.
A short review before approving an app can help prevent bigger problems later.
Need help reviewing a Microsoft 365 app request?
If you are unsure whether to authorise a new app in your Microsoft 365 tenant, Get Support can help.
We can review the permissions being requested, explain the risks in plain English, and advise whether the app should be approved, restricted or rejected.
We can also help configure Microsoft 365 consent settings, review existing third-party app access, strengthen security controls, and put a practical approval process in place for future requests.
If someone in your business has asked to connect a new app to Microsoft 365, speak to Get Support before granting access.
FAQs
It can be safe, but only if the app is reputable, the permissions are appropriate, and the data risks are understood. The important thing is to review the request before approving it.
Admin consent is when an administrator approves an app’s requested permissions, often on behalf of the organisation. It is usually required when an app asks for wider or more sensitive access.
Yes, some apps can request permissions that go beyond one user’s own data. This is why mailbox, SharePoint, OneDrive and tenant-wide permissions should always be reviewed carefully.
Treat it as high risk. Ask why that level of access is needed, whether a lower level of access would work, and what safeguards are in place before approving it.
Yes. Get Support can review the app request, explain the permissions in plain English, check for obvious risks, and help your business decide whether to approve, limit or reject the request.