Troubleshooting Using Non-Microsoft Applications within Microsoft 365


Introduction

This article describes what you might experience the first time you try to use a non-Microsoft application (i.e., an unmanaged application) within the Microsoft 365 environment. It also explains what to do if you encounter either of the following:

  • What you might see on the screen
  • An email that you might receive

The process is designed to ensure security, compliance, and governance standards are upheld before any third-party application is approved for use within the organization.

Instructions

Unmanaged or third-party applications within the Microsoft 365 (M365) environment must go through an approval process before they can be used within Virginia Tech's M365 environment.

Submitting a request for review

You might have encountered this approval step when you tried to add a new application. You are presented with a disclaimer stating "Approval Required." This prompt lists the specific permissions the application is requesting and provides a text box where you must enter your justification for the request. To proceed, you must enter a justification and click Request Approval. Unfortunately, this does not actually send out a notification for approval; it merely clears the prompt. The next step you must take is to put in a request for approval at Marketplace App Request.

As mentioned earlier, clicking Request Approval does not actually notify an admin of your approval request; however, you will receive a confirmation email with the subject line "Action needed for admin user consent". This email is a reminder that you must fill out the Marketplace App Request form to get your app reviewed for use. If you have already completed the form for this application, you do not need to do it twice.

The Admin Review Process 

The review process takes time; it cannot be expedited.

Evaluation Criteria 

A group of individuals meets weekly to review these requests, about 20 per session. Each request is evaluated against the following criteria:

  • Whether the functionality is already covered by built-in Microsoft 365 tools
  • Data classification and data movement implications
  • Alignment with organizational data governance policies
  • Sensitivity of requested API scopes (e.g., read/write access to files, mail, or directory objects)
  • Vendor trustworthiness, compliance posture, security documentation, and existing contracts
  • Whether permission requests resemble known illicit consent attack patterns

This process also includes reviewing existing apps that were integrated without formal review.

If a blocked app or integration is needed and meets the low-cost/low-risk criteria, users can submit a low-cost/low-risk assessment request at Low-Risk Low-Cost Software.