Assessing the Risks of Outlook Add-ins

TL;DR We write every word in our blog posts, but asked AI to summarize it

Add-ins for Microsoft 365 and Outlook extend functionality and empower end-users to be more productive. But they can’t do anything until IT grants them permissions, which isn’t as scary as it sounds.

Microsoft Outlook is jam-packed with features for email, calendar, and contact management, but its capabilities don’t have to end there. A rich ecosystem of add-ins has emerged over the decades of Outlook’s dominance in the enterprise market to turn it into an even more functional and interconnected platform.

But are all those add-ins safe to introduce to your IT ecosystem? Let’s take a look at what considerations to contemplate before hitting the “Install” button.

Maintain control with selective authorization

Within Microsoft 365, apps and add-ins can’t communicate until they’re proactively granted permissions. In recent years, Microsoft 365 has moved to OAuth 2.0 for authentication and for third-party applications and add-ins to access key capabilities and features, such as retrieving the list of channels in a particular Team or recently accessed files via Microsoft Graph. harmon.ie has also adopted this authentication method, which is more secure and enables IT to authorize individual permissions or sets of permissions, which are called scopes.

Authorizing these permissions and scopes may be uncomfortable for diligent IT departments focused on mitigating risks rather than introducing them. While most apps aren’t asking for anything they don’t truly need to function, it’s still worthwhile to consider each element of the permissions request to ensure it’s a legitimate and necessary permission to grant. 

Note that these permissions and scopes must be granted at the enterprise level to allow the app in question to execute those queries, and without access add-ins won’t be able to execute key functions, such as posting to a channel on Teams or sending a new message in a chat.

Remember, IT ultimately controls the situation. Even if an end-user manages to install an add-in, it won’t work without consent from the global admin.

Stick with certified add-ins

Microsoft itself offers a number of certifications for partners and specific add-ins that can give you confidence that a particular add-in meets rigorous privacy and security criteria.

First and foremost, only installing add-ins from Microsoft AppSource already raises the bar on quality. Those vendors must be approved by Microsoft and each add-in gets certified. Some add-in providers then go through the Microsoft 365 App compliance program, which includes an independent audit of each app’s compliance and security frameworks. This approval is particularly crucial when the add-in is making calls to Microsoft Graph.

Beyond Microsoft, look for ISO certifications or other signifiers of the app developer going the extra mile to further build your confidence and trust in the solution and vendor in question.

harmon.ie and permissions

harmon.ie uses best practices to ensure customers aren’t sacrificing security for convenience. The app only asks for delegated permissions rather than application permissions. These permissions are the least privileged intersection of the delegated permissions harmon.ie was granted through consent and the privileges of the currently signed-in user. 

That means harmon.ie never has more privileges than the user, so they can never access any content on Teams or SharePoint that the user is not authorized to see. If the end user can’t navigate to a library or open a file via the Teams app or a SharePoint site, they won’t be able to do it using harmon.ie either.

Here are some examples of the permissions harmon.ie requests and why the app needs them:

  • User.Read—Allows users to share content with people in Teams using harmon.ie.
  • Files.ReadWrite.All—Allows users to access their M365 files from harmon.ie.
  • MyFiles.Write—Allows users to access their OneDrive files from harmon.ie.
  • Mail.Read—Allows users to save emails to M365 with harmon.ie.
  • Chat.ReadWrite—Allows harmon.ie to display files that were shared in chats and meetings.

If the above seems problematic, rest assured that in no case is user data ever leaving your tenant. harmon.ie has no back-end servers or databases, these permissions merely allow the sidebar in Outlook to interact with inbox contents and what’s on Teams, SharePoint, and OneDrive, and only when initiated by the end user.

“Permit” your colleagues to be more productive

IT remains the gatekeeper for what add-ins like harmon.ie can and can’t do. But with the full picture of why these permissions are needed and the context of how they enable harmon.ie to bridge the gap between Outlook and Teams and SharePoint, you can rest easy knowing harmon.ie doesn’t introduce any security risks or change what end-users can or cannot access.

With customers in highly regulated and security-conscious industries, including Government and Financial Services, you’ll be in good company and can have full confidence that the harmon.ie add-in will simply make you and your colleagues more compliant and productive.

To learn more, check out how harmon.ie’s add-in is helping financial services giant Allianz, government agencies in Canada, and many more organizations around the world maximize their investment in Microsoft 365.

Did you find this content interesting? Subscribe to stay updated.

Happy New harmon.ie! 🎉🚀

New harmon.ie official release is out!
Try our
Web add-in now and manage your M365 files from every Outlook.