Security Awareness — Third-Party App Permissions & Data Access
A Scheduling App Requests Access to All Corporate Email and Calendar Entries to Sync Availability. It’s a Legitimate App Used by Millions of People. The Employee Clicks “Allow.” What Just Happened — and Was That the Right Decision?
A real third-party app permissions and data access compliance scenario — with three decision options and the right answer. Legitimate and authorized are two different questions.
Quick Answer
Does connecting a legitimate, widely used third-party productivity app to a corporate email account without IT approval create a compliance problem?
Yes. “Legitimate” means the app is a real product from a real company — it does not mean the data access it requests has been authorized by the employee’s organization, assessed for security risk, or reviewed for compliance with data handling obligations. When an employee grants an app access to their corporate email or calendar through an OAuth permission, they may be granting access to every email in their account — including privileged attorney-client communications, personnel data, confidential client information, and strategic planning documents. The employee typically doesn’t read the permission scope, and the app’s trust reputation does not limit what it can technically access under the granted permission.
The Situation
A marketing manager downloads a popular AI-powered scheduling assistant to manage her calendar and coordinate meeting times with external contacts. The app has strong reviews, millions of users, and is recommended by a colleague. During setup, the app requests permission to connect to her corporate Microsoft 365 account. The permission request screen reads: “This app wants to access: Read your mail (all mailboxes), Read your calendars, Read your contacts.” She clicks “Allow” without fully registering what the permission scope covers.
What she has just granted: the app’s servers now have read access to all email in her corporate inbox — including four months of email chains with Legal about an ongoing acquisition, client contract negotiations, HR communications about a pending termination, and her company’s upcoming product launch timeline. None of this was her intention. She only wanted the app to see her calendar availability.
The company does not have the scheduling app on its approved software list. The IT department has no visibility into the connection she just authorized.
What Should the Employee Do Now?
Choice A: Continue using the app. It’s a legitimate product with millions of users. The app company is not going to read her emails — it just needs the access to function. The convenience is real, and the risk is theoretical.
Choice B: Immediately revoke the app’s permissions through Microsoft 365’s connected apps settings, report the connection to IT, and request guidance on whether an approved scheduling tool exists or whether this specific app can be assessed for approval. Do not use the app again until IT has reviewed it.
Choice C: Revoke the permissions and stop using the app — but no IT report is needed since she has fixed the problem by revoking access.
The Right Call
Choice B — Revoke immediately and report to IT.
Choice A assumes that a legitimate company won’t misuse access it technically has. That may be true of the app company itself, but it doesn’t account for the app’s security posture, its own data handling obligations, or whether the access it holds creates liability under the organization’s data protection commitments to clients and regulators. Choice C revokes access but doesn’t give IT visibility into a connection that exposed confidential corporate data, potentially for an extended period — and that exposure is something the organization needs to assess for compliance and legal reasons. The IT report in Choice B isn’t about consequences for the employee — it’s about ensuring the organization has the information it needs to determine whether any data handling obligations have been triggered and whether any clients or regulators need to be informed.
Why This Is Harder Than It Looks
OAuth permission scopes are not intuitive — and “read mail” means everything.
The permission screen says “read your mail.” Employees interpret this as “read the calendar events I send by email” or “read scheduling-related emails.” In practice, the permission scope “read your mail” in Microsoft 365 and Google Workspace grants access to every email in every folder of the account — sent items, deleted items, archived messages, everything. The scope the employee imagined granting is not the scope they actually granted. The gap between perceived and actual permission scope is the security risk this scenario poses.
The app’s legitimacy doesn’t limit the compliance exposure — the data it can access does.
A legitimate app with a privacy policy that promises not to read emails has just been granted read access to an email account containing attorney-client privileged communications, personnel data, and client contract information. If the organization has data processing agreements with its clients that restrict who can access client data, this connection may have violated those agreements regardless of what the app’s privacy policy says. If the organization operates under GDPR or CCPA, granting access to personal data held in the email account may have triggered obligations the organization didn’t know about. These are compliance exposures created by a permission grant — not by what the app actually did with the access.
Revoking access doesn’t undo the period during which access existed.
Revoking the app’s permission stops future access. It doesn’t affect what the app may have already processed, indexed, or stored during the period when access was granted. Many scheduling and productivity AI apps process email content to build models and provide features — the data that was accessed while the permission was active may have been used in ways that persist after revocation. IT needs to know the connection existed so they can assess the app’s data-handling terms regarding retention and deletion of processed data, and whether any notifications or remediation steps are required.
Frequently Asked Questions
What is OAuth, and what does granting an app permissions to a corporate account actually allow?
OAuth is an authorization framework that allows third-party applications to access resources in another service — like a Microsoft 365 or Google Workspace account — on the user’s behalf without sharing passwords. When an employee grants OAuth permissions to a third-party app for their corporate account, they are authorizing the app’s servers to access the specific resources listed in the permission scope. “Read mail” in Microsoft 365 grants access to all mail in all folders. “Read calendar” grants access to all calendar entries. The permission scope is defined by the app requesting access — not by the employee’s intention in granting it.
Should employees get IT approval before connecting third-party apps to corporate email or calendar accounts?
Yes — and most organizations’ acceptable use and software approval policies require it, even if employees are unaware. IT approval involves assessing the app’s security posture, reviewing its data handling and retention terms, checking for compliance with the organization’s data processing obligations, and confirming whether the app stores or processes data in ways that are compatible with the organization’s regulatory requirements. An employee cannot perform this assessment independently — and the convenience of the app does not reduce the compliance exposure its permissions create.
How can an employee check what third-party apps currently have access to their corporate accounts?
In Microsoft 365: go to My Account → Privacy → Apps and services or access the My Apps portal and check connected apps. In Google Workspace: go to My Account → Security → Third-party apps with account access. Both platforms show all apps that have been granted OAuth access, the permission scopes each app holds, and options to revoke access. Employees who have been connecting apps without IT approval over time often discover a longer list of third-party connections than they expected when they review this for the first time.
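For the IT side of this check, the same review can be done in bulk against the tenant’s consent records rather than one employee at a time. The following Python is an added example, not part of the original scenario: it audits records shaped like Microsoft Graph’s oauth2PermissionGrants response for the scopes that sit behind “read your mail”, “read your calendars” and “read your contacts”, and flags grants from apps outside a hypothetical IT allowlist. The sample records and the allowlist are constructed; a real run would page through that Graph endpoint with an administrator token.

```python
"""Audit delegated OAuth consent grants for broad mailbox scopes. Added example, not
from the original scenario: SAMPLE_GRANTS is constructed to mirror the fields of
Microsoft Graph's GET /oauth2PermissionGrants response; APPROVED_CLIENT_IDS is hypothetical."""

# Real Microsoft Graph delegated permission names; the plain-English notes are ours.
SENSITIVE_SCOPES = {
    "Mail.Read": "every message in every folder, including sent and deleted items",
    "Contacts.Read": "all contacts",
    "Calendars.Read": "all calendar entries, not just free/busy",
}
APPROVED_CLIENT_IDS = {"sp-approved-scheduler-0001"}  # hypothetical: apps IT has assessed

def parse_scope(scope: str) -> list:
    """Graph returns the granted scopes as one space-separated string."""
    return sorted(s for s in scope.split() if s)

def audit_grants(grants, approved=APPROVED_CLIENT_IDS):
    """One finding per grant with a sensitive scope; principal is None for tenant-wide admin consent."""
    findings = []
    for g in grants:
        sensitive = [s for s in parse_scope(g.get("scope", "")) if s in SENSITIVE_SCOPES]
        if not sensitive:
            continue
        findings.append({
            "grant_id": g["id"],
            "client_id": g["clientId"],
            "principal": g.get("principalId") if g.get("consentType") == "Principal" else None,
            "sensitive": sensitive,
            "approved": g["clientId"] in approved,
            # Revoking an unapproved grant is a DELETE on this Graph resource (not called here).
            "revoke": f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{g['id']}",
        })
    return findings

def unapproved_findings(grants):
    """Grants IT has never assessed: review these first, then revoke."""
    return [f for f in audit_grants(grants) if not f["approved"]]

# Constructed records: the scenario's app consented by one user, an approved app with a
# narrow scope, and an admin-consented app whose only scope is basic profile read.
SAMPLE_GRANTS = [
    {"id": "grant-001", "clientId": "sp-scheduler-unknown-42", "consentType": "Principal",
     "principalId": "user-marketing-mgr", "scope": "Calendars.Read Contacts.Read Mail.Read openid"},
    {"id": "grant-002", "clientId": "sp-approved-scheduler-0001", "consentType": "Principal",
     "principalId": "user-other", "scope": "Calendars.Read"},
    {"id": "grant-003", "clientId": "sp-ticker-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in unapproved_findings(SAMPLE_GRANTS):
        print(f"{f['grant_id']}: {f['client_id']} consented by {f['principal'] or 'all users'}")
        print("   ", ", ".join(f["sensitive"]), "->", f["revoke"])
```

Only the scenario’s unknown scheduling app is reported; the approved app with a narrow calendar scope and the admin-consented app with a basic profile scope are left alone.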
How to Use This Scenario in Training
Recommended for all employees — this scenario is particularly effective when paired with a practical exercise: ask employees to check their connected apps in Microsoft 365 or Google Workspace immediately after the training. Most employees discover connections they forgot they made, including apps they no longer use but whose permissions are still active. That discovery makes the training tangible in a way that an abstract risk description doesn’t.
This scenario demonstrates the legitimacy rationalization from the Decision Readiness Engine™ — “it’s a legitimate app, millions of people use it” is the reasoning that makes unauthorized permission grants feel safe. Decision-ready employees recognize that an app’s reputation and legitimacy don’t determine whether its data access has been authorized by the organization — and that connecting any app to a corporate account requires IT assessment regardless of how trusted the app appears.
Want Security Awareness Scenarios in Your Program?
Xcelus builds scenario-based security awareness training covering third-party app permissions, OAuth data access, and the compliance exposure that legitimate apps create when employees connect them to corporate accounts without IT assessment.
© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.