The Hidden Risks of User-Installed Apps in Microsoft 365

May 23, 2025 at 11:09 AM

The Microsoft 365 platform offers unparalleled flexibility, enabling users to collaborate, share, and automate workflows through an expansive catalog of third-party and custom-developed applications. But that convenience comes with a cost.

When end-users are allowed to install apps without centralized oversight, organizations face a wide array of security, compliance, and operational risks—many of which are easily overlooked until it’s too late.

This blog explores the seven most critical threat categories associated with ungoverned app installations in Microsoft 365—and outlines practical steps to reduce risk without stifling productivity.

1. Excessive Permissions: More Access Than Necessary

Threat Overview:

Many Microsoft 365 apps request OAuth permissions far beyond what they actually need. For example, a simple productivity add-in may ask for Mail.ReadWrite, Files.Read.All, or even Directory.ReadWrite.All—permissions that, if granted, allow it to read every user’s emails, access shared drives, or modify organizational settings.

Real-World Example:

In 2020, Microsoft reported that malicious OAuth apps were being used in phishing campaigns to trick users into granting these excessive permissions. Once access is granted, there's no password to steal—the attacker has a persistent token.

Mitigation Strategies:

  • Implement admin consent workflows to review all app permission requests before they’re granted.
  • Use the user consent settings in Microsoft Entra ID (formerly Azure AD) to restrict what users can consent to on their own, allowing only low-risk permissions or apps from specific verified publishers.
  • Regularly audit app permissions using tools like Microsoft Defender for Cloud Apps and Microsoft Graph API.
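The audit step above is easy to describe and tedious to do by hand, so here is an added example (not code from the article, and not a Microsoft tool) that shows what "audit app permissions using Microsoft Graph" looks like in practice. It runs offline on three constructed fragments shaped like the objects Microsoft Graph returns from GET /v1.0/oauth2PermissionGrants (delegated permissions), GET /v1.0/servicePrincipals/{id}/appRoleAssignments (application permissions) and the resource service principal's appRoles list. The IDs, app names and the HIGH_RISK_SCOPES set are assumptions; a live run would replace the sample data with authenticated Graph calls and keep the logic.

```python
"""Audit OAuth permission grants pulled from Microsoft Graph for over-privileged apps.

Added example, not code from the article. The three samples below are
constructed to mirror the shape of Graph responses; IDs and names are made up.
"""
import json

# The scopes the article names, plus the write-all variants (assumption: tune to your risk appetite).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Chat.ReadWrite.All",
}

# Constructed sample of oauth2PermissionGrant objects. "scope" is space-separated;
# consentType "AllPrincipals" means an admin consented for the whole tenant,
# "Principal" means one user consented for themselves only.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-notes-addin", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read Mail.ReadWrite Files.Read.All"},
    {"id": "g2", "clientId": "sp-timer", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-graph",
     "scope": "User.Read offline_access"},
    {"id": "g3", "clientId": "sp-newsletter", "consentType": "Principal",
     "principalId": "user-7", "resourceId": "sp-graph",
     "scope": "Mail.Send"},
]

# Constructed sample of appRoleAssignment objects (application permissions).
# In a real tenant appRoleId is a GUID that must be resolved against the
# resource service principal's appRoles to get a readable permission name.
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"id": "a1", "principalId": "sp-notes-addin", "principalDisplayName": "Notes Add-in",
     "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-dir-rw"},
    {"id": "a2", "principalId": "sp-timer", "principalDisplayName": "Timer",
     "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-unknown"},
]

# Constructed sample of the resource service principal, keyed by object id.
SAMPLE_RESOURCE_SPS = {
    "sp-graph": {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "role-dir-rw", "value": "Directory.ReadWrite.All"},
        {"id": "role-user-r", "value": "User.Read.All"},
    ]},
}


def audit_delegated_grants(grants, risky=HIGH_RISK_SCOPES):
    """One finding per grant that carries a high-risk scope or was consented tenant-wide."""
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())
        risky_hit = sorted(scopes & risky)
        tenant_wide = g.get("consentType") == "AllPrincipals"
        if risky_hit or tenant_wide:
            findings.append({"grant_id": g["id"], "client": g["clientId"],
                             "tenant_wide": tenant_wide, "risky_scopes": risky_hit})
    return findings


def resolve_app_roles(assignments, resource_sps, risky=HIGH_RISK_SCOPES):
    """Map each appRoleAssignment to a permission name; unresolvable IDs are kept, not dropped."""
    resolved = []
    for a in assignments:
        roles = resource_sps.get(a["resourceId"], {}).get("appRoles", [])
        name = next((r["value"] for r in roles if r["id"] == a["appRoleId"]), None)
        resolved.append({"client": a["principalId"], "resource": a["resourceDisplayName"],
                         "app_role_id": a["appRoleId"], "permission": name,
                         "unresolved": name is None, "risky": name in risky})
    return resolved


def inventory(grants, assignments, resource_sps):
    """Per-app summary for a review report: only apps that need a second look appear."""
    report = {}

    def entry(client):
        return report.setdefault(client, {"delegated": [], "application": [], "tenant_wide": False})

    for f in audit_delegated_grants(grants):
        e = entry(f["client"])
        e["delegated"].extend(f["risky_scopes"])
        e["tenant_wide"] |= f["tenant_wide"]
    for r in resolve_app_roles(assignments, resource_sps):
        if r["risky"] or r["unresolved"]:
            entry(r["client"])["application"].append(
                r["permission"] or f"unresolved:{r['app_role_id']}")
    return report


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_GRANTS, SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_RESOURCE_SPS), indent=2))
```

Two details matter in a real tenant: a tenant-wide grant of even a modest scope deserves review because every user is covered by it, and an appRoleId that cannot be resolved should be reported rather than silently skipped, since it usually means the resource service principal was not exported.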

2. Data Exfiltration: A Backdoor for Corporate Data

Threat Overview:

Apps that request access to files, chats, or mailboxes can transmit data to external systems—bypassing traditional DLP tools and firewalls. This is especially problematic in industries handling sensitive data (e.g., finance, healthcare, legal).

Example:

In the DataSpii breach, several Chrome extensions were found collecting users’ browsing data—including Microsoft 365 URLs like SharePoint and Outlook—and sending it to external servers. The extensions operated undetected, bypassing traditional DLP tools and exposing sensitive corporate information until flagged by independent researchers.

Mitigation Strategies:

  • Apply Microsoft Purview DLP policies to detect and block data sharing anomalies.
  • Use App Governance (available in Defender for Cloud Apps) to monitor outbound traffic and app behaviors.
  • Disable third-party OAuth app access unless reviewed and approved by IT/security teams.

3. Malicious or Compromised Apps: The Trojan Horse Effect

Threat Overview:

Attackers often disguise malware or backdoors as useful tools, publishing them as legitimate apps on Microsoft’s platform. Alternatively, legitimate apps can be compromised post-deployment due to insecure development practices or vulnerable libraries.

Case in Point:

Attackers have exploited malicious Microsoft 365 OAuth applications—often disguised as tools like file converters or calendar utilities—to gain persistent access via OAuth tokens. These apps can bypass multi-factor authentication and remain active even after a user changes their password, unless manually removed by an administrator. Microsoft has documented such tactics, highlighting the need for strict app consent policies and regular reviews of enterprise application access.

Mitigation Strategies:

  • Maintain an approved list of verified apps from trusted vendors.
  • Conduct static and dynamic analysis on any in-house developed apps using Microsoft’s security testing tools.
  • Enable continuous monitoring through Microsoft’s security center, looking for anomalies in app behavior.

4. Compliance Violations: Unintentional Breaches of Regulatory Requirements

Threat Overview:

Apps can introduce significant compliance issues if they store or process data in ways that violate GDPR, HIPAA, GLBA, or other industry-specific regulations. Most third-party apps don’t provide sufficient transparency into data flows and residency.

Risks:

  • HIPAA-covered entities may inadvertently share PHI with apps that are not Business Associate Agreement (BAA) compliant.
  • GDPR fines can exceed €20 million for data exported outside of approved regions.

Mitigation Strategies:

  • Use Microsoft Purview Compliance Manager to track app compliance posture.
  • Require vendors to provide Data Processing Agreements (DPAs) and transparency around data residency.
  • Enforce conditional access policies to restrict use of apps in sensitive departments (e.g., HR, legal, finance).

5. Impersonation & Phishing: A New Attack Vector

Threat Overview:

OAuth apps can impersonate users via access tokens, allowing them to send phishing emails from legitimate user accounts or access sensitive information as that user—without triggering alerts.

Example:

In a recent campaign, attackers impersonated European political figures and contacted targets via messaging apps like Signal and WhatsApp. They invited victims to join video calls discussing geopolitical events, directing them to malicious OAuth consent links. Once the victims granted access, the attackers obtained authorization codes, enabling them to impersonate users, access emails, and integrate attacker-controlled devices into the organization's Microsoft Entra ID (formerly Azure AD). This method bypassed traditional credential theft, leveraging legitimate OAuth workflows to maintain persistent access.

Mitigation Strategies:

  • Configure app consent policies to block risky permissions such as Mail.Send, User.ReadWrite.All, or Chat.ReadWrite.All without admin approval.
  • Use Microsoft Defender for Office 365 to enable impersonation detection and phishing protection policies.
  • Require MFA for all users, even if access is token-based.
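The threat overview above says app-originated phishing can happen "without triggering alerts". One way to close that gap is to correlate consent events with what the app does next. The following added example (not from the article, and not Defender logic) runs that correlation over two constructed event streams shaped loosely after an Entra audit-log consent record and an Exchange mailbox-audit "Send" record. Field names here are simplified assumptions; when you adapt it, map them onto the app-id and consent fields of your own log export.

```python
"""Flag mail sent through an OAuth app shortly after a user consented to it.

Added example, not from the article. Both event lists are constructed, and the
field names (time, user, app_id, scopes, recipients) are simplified assumptions
standing in for the real audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed consent events: alice grants an app Mail.Send, bob grants a read-only app.
CONSENT_EVENTS = [
    {"time": "2025-05-20T09:02:00+00:00", "user": "alice@example.test",
     "app_id": "app-calendar-sync", "scopes": ["User.Read", "Mail.Send"]},
    {"time": "2025-05-20T09:05:00+00:00", "user": "bob@example.test",
     "app_id": "app-timer", "scopes": ["User.Read"]},
]

# Constructed send events: three app-originated sends from alice's mailbox within
# minutes of consent, one send before consent (ignored), and bob's normal client.
SEND_EVENTS = [
    {"time": "2025-05-20T08:59:00+00:00", "user": "alice@example.test",
     "app_id": "app-calendar-sync", "recipients": ["old@partner.test"]},
    {"time": "2025-05-20T09:10:00+00:00", "user": "alice@example.test",
     "app_id": "app-calendar-sync", "recipients": ["x@partner.test", "y@partner.test"]},
    {"time": "2025-05-20T09:11:00+00:00", "user": "alice@example.test",
     "app_id": "app-calendar-sync", "recipients": ["z@other.test"]},
    {"time": "2025-05-20T09:12:00+00:00", "user": "alice@example.test",
     "app_id": "app-calendar-sync", "recipients": ["w@other.test"]},
    {"time": "2025-05-20T14:00:00+00:00", "user": "bob@example.test",
     "app_id": "outlook-desktop", "recipients": ["c@example.test"]},
]


def _ts(value):
    """Parse an ISO 8601 timestamp with an explicit offset."""
    return datetime.fromisoformat(value)


def detect_post_consent_sending(consents, sends, window=timedelta(hours=24), threshold=3):
    """Alert when an app granted Mail.Send is used by the consenting user to send
    at least `threshold` messages within `window` after the consent.

    Sends that predate the consent or come from apps without Mail.Send are ignored.
    """
    watch = {}  # (user, app_id) -> time the Mail.Send consent was recorded
    for c in consents:
        if "Mail.Send" in c["scopes"]:
            watch[(c["user"], c["app_id"])] = _ts(c["time"])

    activity = defaultdict(lambda: {"messages": 0, "recipients": set()})
    for s in sends:
        key = (s["user"], s["app_id"])
        if key not in watch:
            continue
        delta = _ts(s["time"]) - watch[key]
        if timedelta(0) <= delta <= window:
            activity[key]["messages"] += 1
            activity[key]["recipients"].update(s["recipients"])

    alerts = []
    for (user, app_id), a in activity.items():
        if a["messages"] >= threshold:
            alerts.append({"user": user, "app_id": app_id,
                           "messages": a["messages"],
                           "unique_recipients": len(a["recipients"]),
                           "consented_at": watch[(user, app_id)].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_post_consent_sending(CONSENT_EVENTS, SEND_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a calendar tool that sends one invitation is normal, while a burst of messages to many distinct recipients right after consent is the pattern worth an analyst's attention.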

6. Lack of Visibility: Shadow IT by Another Name

Threat Overview:

When users install apps freely, security teams lose visibility into what data is accessed, shared, or stored externally. This leads to configuration drift, data sprawl, and elevated attack surfaces.

Microsoft’s Recommendation:

According to Microsoft, app visibility is one of the core pillars of Microsoft 365 security baselines. Yet most organizations do not monitor or even inventory apps installed across departments.

Mitigation Strategies:

  • Use Microsoft Defender for Cloud Apps Discovery to identify unsanctioned apps.
  • Build custom reports using Microsoft Graph to catalog app installations, permissions, and access logs.
  • Establish governance through the App Governance add-on for Microsoft Defender, which provides behavioral insights and policy enforcement.

7. Configuration Drift: Weakening Security from Within

Threat Overview:

Apps with admin-level permissions can modify security settings—including disabling MFA, altering conditional access policies, or enabling risky features like anonymous link sharing.

Business Impact:

This can degrade your entire security posture, particularly if security configurations are misaligned with CIS, NIST, or SCuBA baselines.

Mitigation Strategies:

  • Implement Microsoft 365 Desired State Configuration (DSC) or Policy Analyzer to detect unauthorized changes.
  • Use change detection policies in Microsoft Defender for Identity to flag unusual administrative activities.
  • Lock down admin APIs unless explicitly needed.
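Tools like Microsoft365DSC and Policy Analyzer work by comparing a tenant against a recorded baseline. The added example below (not the output or code of either tool, and not from the article) shows the core of that idea: a known-good snapshot of settings, a later export, and a recursive diff that reports every path that changed, ranks it, and treats settings that appear out of nowhere as their own category. The two snapshots are constructed; their keys loosely follow Entra authorization-policy and SharePoint sharing setting names, and the conditional access policy names are invented for illustration.

```python
"""Detect configuration drift between a baseline snapshot and a current export.

Added example, not Microsoft365DSC or Policy Analyzer. Both snapshots are
constructed; key names loosely follow Entra and SharePoint settings, and the
conditional access policy names are invented.
"""

# Constructed known-good baseline, captured when the tenant was last reviewed.
BASELINE = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {
            "allowedToCreateApps": False,
            "permissionGrantPoliciesAssigned": [
                "ManagePermissionGrantsForSelf.microsoft-user-default-low"],
        },
        "allowInvitesFrom": "adminsAndGuestInviters",
    },
    "conditionalAccess": {
        "require-mfa-all-users": "enabled",
        "block-legacy-auth": "enabled",
    },
    "sharepoint": {
        "sharingCapability": "externalUserSharingOnly",
        "anonymousLinkType": "none",
    },
}

# Constructed current export: users may now register apps, the MFA policy was
# disabled, anonymous guest sharing was widened, and a new CA policy appeared.
CURRENT_SNAPSHOT = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {
            "allowedToCreateApps": True,
            "permissionGrantPoliciesAssigned": [
                "ManagePermissionGrantsForSelf.microsoft-user-default-low"],
        },
        "allowInvitesFrom": "adminsAndGuestInviters",
    },
    "conditionalAccess": {
        "require-mfa-all-users": "disabled",
        "block-legacy-auth": "enabled",
        "allow-contractor-vpn": "enabled",
    },
    "sharepoint": {
        "sharingCapability": "externalUserAndGuestSharing",
        "anonymousLinkType": "none",
    },
}


def diff_settings(baseline, current, path=""):
    """Recursively compare two nested dicts; lists and scalars are compared whole.

    Returns a list of {"path", "baseline", "current"}; a missing side is None.
    """
    drifts = []
    for key in sorted(set(baseline) | set(current)):
        p = f"{path}.{key}" if path else key
        b, c = baseline.get(key), current.get(key)
        if isinstance(b, dict) and isinstance(c, dict):
            drifts.extend(diff_settings(b, c, p))
        elif b != c:
            drifts.append({"path": p, "baseline": b, "current": c})
    return drifts


def severity(drift):
    """Rank a drift (assumption: ranking rules are illustrative, not a standard)."""
    if drift["baseline"] is None:
        return "new-setting"          # nothing to compare against; needs a human decision
    if drift["path"].startswith("conditionalAccess.") or \
            "permissionGrantPoliciesAssigned" in drift["path"]:
        return "critical"             # controls that gate access or consent
    return "high"


def drift_report(baseline, current):
    """Attach a severity to each drift and count the critical ones."""
    drifts = [dict(d, severity=severity(d)) for d in diff_settings(baseline, current)]
    return {"drifts": drifts,
            "critical": sum(1 for d in drifts if d["severity"] == "critical")}


if __name__ == "__main__":
    for d in drift_report(BASELINE, CURRENT_SNAPSHOT)["drifts"]:
        print(f'{d["severity"]:<12} {d["path"]}: {d["baseline"]!r} -> {d["current"]!r}')
```

Run on a schedule, the interesting output is not the diff itself but the diff nobody filed a change ticket for; that is the signal that an app, or a person using an app's token, altered a setting on its own.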

Final Thoughts: Risk Reduction Without Killing Productivity

Organizations don’t have to choose between security and innovation—but they do need to implement a well-governed application approval and monitoring framework within Microsoft 365.

By disabling default user consent, enabling app governance tools, and building a culture of security awareness, businesses can give users the tools they need without opening the door to unnecessary risk.

Strengthening Microsoft 365 Security with Compass

At Compass, we help organizations strengthen their Microsoft 365 environments by identifying security gaps and implementing actionable improvements. Our Microsoft 365 Security Assessment is designed to evaluate your tenant’s configuration, access controls, and policy enforcement against best practices and regulatory frameworks—including CISA’s Secure Cloud Business Applications (SCuBA) guidance. We review critical components such as Exchange Online, SharePoint Online, Microsoft Teams, and Entra ID (formerly Azure AD), identifying excessive permissions, risky app access, misconfigurations, and compliance concerns. Each assessment includes a detailed conformance report with prioritized remediation guidance, and we work alongside your team to address high-impact issues.

Whether you're looking to improve visibility, tighten app governance, or align with security baselines, Compass provides the expert insight and support needed to protect your Microsoft 365 environment. Contact us to discuss your unique M365 challenges.
