Policy


Connor Group's policy for the use of 3rd party application integrations is generally enforced by technical controls that allow a user to install 3rd party application integrations which meet the criteria of this policy.


If these controls require administrator consent for the installation of a 3rd party application integration, a business case for the use of the application must be presented for evaluation.


Generally, review and acceptance of 3rd party application integrations will be flexible and accommodating of requesters and the applications they wish to use with their Connor Group IT resources.  However, incorporation of a 3rd party application will be declined if:


  • The application is from a publisher that lacks a mature online presence and lacks an acceptable privacy policy
  • The permissions required by the application are too intrusive
  • The application requires any of the following permissions:
    • Read the whole directory
    • Read / write user's mailbox data
    • Send email as the user
    • Exercising of administrative permissions on behalf of the user
    • Reading OneDrive data
      • Data security agreements between Connor Group and our clients forbid giving 3rd parties access to client data without the client's consent


A partial list of acceptable 3rd party application permissions and criteria for evaluation and guidance:

  • The application is registered by a "verified publisher" (blue check) with Microsoft
  • The application permissions are limited to:
    • Read calendar data
    • Read contact data
    • Sign users in
    • Sign in and read user's profile
    • View users' basic profile
    • View users' email address
    • Maintain access to data you have given it access to


Implications


All prospective 3rd party applications must undergo a security and feasibility evaluation before an integration with our standard productivity tools is authorized. Connor Group has contractual obligations with our clients to perform these evaluations as part of our client data security agreements. It is also a necessity for sound supply chain risk management. IT management will incorporate suggestions in the ongoing considerations for tooling within our environment. However, it is simply impractical to evaluate every possible 3rd party application suggested for integration with our standard productivity tools (Office 365, Zoom, and Slack).


We ask that you make full use of the suite of productivity and communication tools we already make available to all our professionals (Zoom, LucidChart, the suite of Microsoft 365 tools and more). Our support team can provide further insight into our existing tooling options if you'd like to describe in detail where your need is not being met.   


Otherwise, any additional application integrations will automatically work if their security profile and permission set are in alignment with our established policies.  Any resources or tooling that request additional administrative approval will do so as part of their setup.  When this is the case, those tools or resources are not approved for usage.  In other words, applications are automatically approved for usage if the 3rd party application only requires integration permissions that are pre-approved, and the application vendor is a "verified publisher" with Microsoft.