
One M365 Setting That Lets Employees Give Apps Full Email Access

Cybersecurity


Mar 24, 2026·3 min read·By Ric Acevedo

There is a setting inside every Microsoft 365 tenant that most business owners have never seen. It controls whether your employees can grant third-party apps full access to their email, calendar, and files — without asking you first. And in most tenants, it is turned on by default.

I am not talking about downloading software or installing programs. I am talking about those pop-up windows that say “This app would like to access your email” with a big blue “Allow” button. When an employee clicks Allow, they are handing over the keys to their entire mailbox. And you will never get a notification that it happened.

What Happens When an Employee Clicks Allow

When someone on your team connects a third-party app to their Microsoft 365 account — a calendar tool, a CRM integration, a mobile email app — that app gets a permission token. Think of it as a digital key that lets the app read, send, and delete emails on behalf of your employee.

Here is the part that surprises most business owners: that digital key does not go away when you change the password. It is a completely separate access path. We recently wrote about a case where an app held full mailbox access for 46 months — through multiple password resets. The password changes did nothing because the app had its own key.

This is not a theoretical risk. It is how real breaches happen in small businesses every day.

Why This Microsoft 365 Security Setting Matters

The default configuration in most Microsoft 365 tenants allows any user to grant apps access to their own data without admin approval. That means your receptionist, your sales team, your office manager — anyone can connect any app and give it full access to company email.

Most of the time, the apps are legitimate. But sometimes they are not. And even legitimate apps can be compromised or sold to new owners who use that access for something else entirely. If you have ever offboarded an employee and wondered whether all their connected apps were cleaned up, this is exactly the problem.

Where to Find It and What to Change

Log into your Microsoft 365 admin portal and open the Microsoft Entra admin center (the service formerly branded Azure Active Directory). From there:

  1. Click on Enterprise Applications in the left menu
  2. Click on Consent and permissions
  3. Click on User consent settings

You will see an option that says something like “Users can consent to apps accessing company data on their behalf.” Change this to “Do not allow user consent” or restrict it to only verified publishers with low-risk permissions.

Once you make this change, any time an employee tries to connect a new app, it will require an admin to approve it first. That admin — probably you or your IT provider — can review what the app is asking for before granting access.
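The same change can be made and verified from the command line, which is useful when you manage several tenants or want a record of what the setting was before you touched it. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with a Global Administrator account. The policy ids it uses are Microsoft's built-in permission grant policies that back the three radio buttons on the User consent settings page; the function names are my own.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Built-in policies that correspond to the portal's user consent options:
#   (no ManagePermissionGrantsForSelf.* entry)                   -> "Do not allow user consent"
#   ManagePermissionGrantsForSelf.microsoft-user-default-low     -> verified publishers, low-risk permissions only
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy  -> any user may consent to any app (the risky default)
$LowRiskPolicy = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
$LegacyPolicy  = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

function Get-UserConsentSetting {
    # Reads the tenant authorization policy and translates the assigned grant policies
    # back into the wording you see in the Entra admin center.
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    $selfGrants = @($assigned | Where-Object { $_ -like "ManagePermissionGrantsForSelf.*" })

    if ($selfGrants.Count -eq 0)            { return "Do not allow user consent" }
    if ($selfGrants -contains $LowRiskPolicy) { return "Allow user consent for apps from verified publishers, for selected permissions" }
    if ($selfGrants -contains $LegacyPolicy)  { return "Allow user consent for apps (any app, any permission)" }
    return "Custom policy: $($selfGrants -join ', ')"
}

function Set-UserConsentSetting {
    # Mode "Disabled" removes every user self-consent policy; "VerifiedLowRisk" keeps only the
    # verified-publisher / low-risk one. Entries that are not self-consent policies (for example
    # the Teams-related ManagePermissionGrantsForOwnedResource.* policies) are preserved.
    param([ValidateSet("Disabled", "VerifiedLowRisk")][string]$Mode = "Disabled")

    $current = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    $keep    = @($current | Where-Object { $_ -notlike "ManagePermissionGrantsForSelf.*" })
    $new     = if ($Mode -eq "VerifiedLowRisk") { @($LowRiskPolicy) } else { @() }

    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @($keep + $new)
    }
}

"Before: $(Get-UserConsentSetting)"
Set-UserConsentSetting -Mode Disabled
"After:  $(Get-UserConsentSetting)"
```

Two things to check right after the change. First, run the read-back function a second time a few minutes later; the policy is tenant-wide and takes effect for new consent prompts immediately, but a cached page in a user's browser can still show the old Allow button. Second, if you switch to "Do not allow user consent" without also enabling the admin consent request workflow (Enterprise applications > Consent and permissions > Admin consent settings), users who hit the prompt simply get an error with no way to ask you for approval, which tends to push them toward shadow IT. Turn that workflow on and name a reviewer so the request lands with someone who will actually read the permission list.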

What to Do About Apps Already Connected

Changing the setting going forward is step one. But you also need to look at what has already been approved. In the same Enterprise Applications section, you can see a list of every app your users have consented to. Review it. If you see apps you do not recognize or apps that have full mailbox access, revoke them.

In our experience, most businesses with 10 or more employees have at least a few app consents that should not be there. It is not that your team did anything wrong — they just clicked Allow because the app told them to. The system was designed to make it easy. That is the problem.
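Reviewing that list by hand is fine for a ten-person shop, but it is easy to miss the one grant that matters among a page of legitimate integrations. The script below is an added example, not code from the original post; it pulls every delegated permission grant in the tenant through Microsoft Graph PowerShell, keeps only the ones whose scopes allow reading, sending or deleting mail, shows which user clicked Allow, and can revoke a grant by id. The list of "mail access" scopes is my own selection and the function names are hypothetical; it assumes the Microsoft.Graph module is installed.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All", "User.Read.All"

# Delegated scopes that let an app act on a mailbox (constructed list; extend it for your tenant).
$MailScopes = @(
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadBasic",
    "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send.Shared",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send",
    "EWS.AccessAsUser.All", "full_access_as_user"
)

function Get-MailAccessScopes {
    # Pure helper: a grant's Scope property is one space-separated string.
    # Returns the subset that grants mailbox access, so the rule can be read (and tested) on its own.
    param([string]$ScopeString)
    $granted = @($ScopeString -split "\s+" | Where-Object { $_ })
    return @($granted | Where-Object { $MailScopes -contains $_ })
}

function Get-MailConsentReport {
    # One row per delegated grant that includes a mail scope. ConsentType "AllPrincipals" means an
    # admin consented for the whole tenant; "Principal" means a single user clicked Allow.
    $spCache = @{}
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        $mailHits = Get-MailAccessScopes $grant.Scope
        if ($mailHits.Count -eq 0) { continue }

        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        }
        $sp = $spCache[$grant.ClientId]

        $grantedBy = "ALL USERS (admin consent)"
        if ($grant.ConsentType -eq "Principal") {
            # The user may have been deleted since they consented; keep the row either way.
            try   { $grantedBy = (Get-MgUser -UserId $grant.PrincipalId -ErrorAction Stop).UserPrincipalName }
            catch { $grantedBy = "deleted user $($grant.PrincipalId)" }
        }

        [pscustomobject]@{
            GrantId           = $grant.Id
            App               = $sp.DisplayName
            AppId             = $sp.AppId
            VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # empty for unverified publishers
            GrantedBy         = $grantedBy
            MailScopes        = ($mailHits -join " ")
        }
    }
}

function Revoke-MailConsent {
    # Deletes the grant so the app can no longer obtain new tokens for that user.
    param([Parameter(Mandatory)][string]$GrantId)
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $GrantId
}

# Typical run: review the table, then revoke the rows you do not recognise.
$report = Get-MailConsentReport
$report | Sort-Object VerifiedPublisher, App | Format-Table -AutoSize
# Revoke-MailConsent -GrantId "<GrantId from the table>"
```

Pay particular attention to rows where VerifiedPublisher is blank and GrantedBy is a single user: that is the shape of the "someone clicked Allow on a pop-up" case the post describes. Removing the grant stops the app from getting new tokens, but an access token it already holds stays valid until it expires (typically about an hour), so for an app you believe is hostile also run `Revoke-MgUserSignInSession -UserId <user>` to invalidate that user's refresh tokens, and then check the user's mailbox rules and the sign-in logs for the app's AppId to see what it did while it had access.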

Not sure what else is exposed in your Microsoft 365 setup? Take our free 2-minute IT assessment to find out where your biggest gaps are — and what to fix first.
