Microsoft 365: Changes to Third-Party App Access

Overview 

Microsoft has updated its security approach for Microsoft 365. As part of this 2025/2026 change, Microsoft now flags high‑risk integrations and requires administrator approval before those applications can be connected to Microsoft Office, Outlook, or Teams.  To protect our Microsoft 365 tenant, institutional data, and our campus community, Information Technology has updated how these requests are handled. 

What’s Changing 

Microsoft's new settings automatically flag many third‑party applications as high risk and require approval before they can be added. Under these new settings, applications are being marked as high risk without our knowledge or advance notice. 

To ensure stability and consistency in our security posture, we have set (using Microsoft best practices and recommendations) a default risk level for application integrations and requirements for business use. For application integrations into the tenant, the integration permissions must:  

  • Come from verified publishers.
  • Meet low-risk permission maximums.
  • Be reviewed by Information Technology, with a risk assessment conducted.

What Is Still Allowed 

  • Approved enterprise applications (such as Zoom, Salesforce, Calendly, Slack, RingCentral, and Adobe Acrobat Reader) remain supported. 
  • Department‑wide, purchased solutions may be submitted for consideration of approval using the Governance, Risk, and Compliance (GRC) review process that is part of our Technology Purchase Review.
  • Low‑risk, user‑initiated integrations that do not require administrator approval remain allowed. 
  • Integrations that are already in place and working today will remain at this time. A future audit will be conducted, announced, and communicated well in advance, so departments have time to prepare.

Need an Application Reviewed or Approved? 

If your department needs an application that is not currently approved: 

  1. Submit a Technology Purchase Review request before purchasing software or requesting any Microsoft 365 integration. 
  2. The UT Cybersecurity Governance, Risk, and Compliance (GRC) team will review the application for security, privacy, contractual, and compliance requirements. 

Important 

  • If the Data and Technology Risk Review has not been completed, no Microsoft 365 integration will be performed. 
  • This review process is the only way to integrate third‑party applications with Microsoft 365. 
  • Only applications that meet institutional standards after review will be considered. 
  • If you’re a student, your professor will need to request the necessary application and provide the list of students who require it.
  • If you're a student worker, please have your immediate supervisor submit your request. 

Why This Matters 

Key Considerations 

  • A "low‑risk" classification does not mean no risk. 
  • Applications may access data or perform actions on behalf of users. If the user has access to sensitive information, the application may have access to it as well. 
  • Permissions, vendor practices, and software behavior can change over time. 
  • The number and variety of available integrations make ongoing monitoring and auditing impractical at the individual‑user level. 

Limiting integrations to reviewed, enterprise‑level, and department‑wide solutions enables Information Technology to: 

  • Maintain consistent and centralized security oversight. 
  • Ensure integrations meet institutional standards. 
  • Support tools that serve needs across all UT campuses. 

Questions or Need Help? 

If you are unsure whether an application requires review or need help starting a request, contact us at ITHelp@utc.edu and include Microsoft Integration in the subject.