Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Exchange Apps/Add-ins May Share Your Personal Information with Third-Party Services


How many of you know that Microsoft Exchange on-premises and Exchange Online in Office 365 can share your personal data with third-party services? For example, any map addresses found in an Exchange email are sent to Bing. These addresses can be shared with a third-party service. But there is much more that can be shared with these third-party services. Do you know who these third parties are? Let me explain what I am talking about, and then I will tell you how you can prevent this sharing of personal data.

Exchange Server 2013

If you go to the Exchange 2013 admin center, you will see an organization link on the left-hand side that you can configure. When you click on the link, you will see the following three options:

  1. sharing
  2. apps
  3. address-lists

Click on the apps link and you will find that the following five apps are already installed for you by default. You cannot uninstall these apps, and you cannot delete them because the delete button is grayed out.

Exchange Online in Office 365

In Office 365 Exchange Online, you will also see the organization link in the Exchange admin center on the left-hand side, but there are only two options that you can configure.

  1. sharing
  2. add-ins

The apps in Exchange 2013 on-premises are called add-ins in Exchange Online in Office 365. The text that describes the apps/add-ins is almost identical, with some minor differences that don’t change the meaning of the text.

What Do the Apps Do?

In this article, I will use the screenshots from Exchange 2013 admin center. These apps are almost identical to the add-ins in Exchange Online. There are five apps installed by default and each serves a different purpose.

  1. Action Items
  2. Bing Maps
  3. My Templates
  4. Suggested Meetings
  5. Unsubscribe

The first screenshot at the beginning of this article displays the Action Items app. The following four screenshots depict the remaining apps. As you can see, four of the five apps say “This app will not share your data with any third-party service.” The Bing Maps app says “This app will send addresses to Bing but will not share your data with any third-party service.”

What’s unique about these apps is that:

  1. They are all installed by default in Exchange 2013 and in Exchange Online in Office 365.
  2. They are all enabled by default.
  3. They cannot be uninstalled or deleted, but they can be disabled.
  4. They all assure you that the app will not share your data with any third-party service.
  5. They all warn you that the app may share your data with a third-party service.

So what does this mean? In plain English, it means that the app will not share your data, but the app may share your data. Are you confused? Welcome to the club.

What Kind of Information Can Be Shared?

The information shared with the third-parties can include the following personal information in any message or calendar item in Microsoft Exchange on-premises or Exchange Online in Office 365:

  1. The subject of your email message.
  2. The body (i.e. all the content) of your email message.
  3. The name of the sender.
  4. The name of all the recipients.
  5. Any attachments that you included in your message.
  6. Any phone numbers that were included in your message body or subject.
  7. Any postal addresses that were included in your message body or subject.
  8. Any URLs that you typed in your message body or subject.

Disabling the App

Although these apps/add-ins can’t be deleted or uninstalled, luckily you have the ability to disable them. If you don’t want Microsoft to share your personal information, simply double-click the app/add-in and clear the box “Make this app available to users in your organization”. You can also change the default behavior so that the app is disabled by default, or force the app to always be enabled so that users can’t disable it. I guess this option is for those third-parties who receive all the personal user data (just kidding!).

When you disable the app, the Provided To column changes from Everyone to Nobody. In the example below, all the apps are disabled. Compare this to the first two screenshots, where the Provided To option was set to Everyone.
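The same audit and change can be scripted instead of clicking through each app. The following is an added example, not part of the original article or Microsoft's documentation: it uses the `Get-App` and `Set-App` cmdlets and assumes an already connected Exchange Management Shell or Exchange Online PowerShell session with organization-management rights. The function names are hypothetical, and the output property names and English display names should be checked against your own `Get-App` output.

```powershell
# Added example. Assumes a connected Exchange / Exchange Online PowerShell session.
# Display names are the five default apps listed in this article; localized or
# renamed tenants may show different names (the script warns when one is missing).
$defaultApps = 'Action Items', 'Bing Maps', 'My Templates',
               'Suggested Meetings', 'Unsubscribe'

function Get-DefaultAppState {
    # Report the organization-level state of each default app.
    Get-App -OrganizationApp |
        Where-Object { $defaultApps -contains $_.DisplayName } |
        Select-Object DisplayName, AppId, Enabled, ProvidedTo, DefaultStateForUser
}

function Disable-DefaultApp {
    # Hypothetical helper: turns off the listed organization apps.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name = $defaultApps)

    $found = Get-App -OrganizationApp |
        Where-Object { $Name -contains $_.DisplayName }

    # Surface names that did not match anything, so a silent miss is not
    # mistaken for "already disabled".
    foreach ($n in $Name) {
        if ($found.DisplayName -notcontains $n) {
            Write-Warning "No organization app named '$n' was found."
        }
    }

    foreach ($app in $found) {
        if (-not $app.Enabled) {
            Write-Verbose "$($app.DisplayName) is already disabled."
            continue
        }
        if ($PSCmdlet.ShouldProcess($app.DisplayName, 'Disable organization app')) {
            # Script counterpart of clearing the
            # "Make this app available to users in your organization" box.
            Set-App -OrganizationApp -Identity $app.AppId -Enabled $false
        }
    }
}

Get-DefaultAppState | Format-Table -AutoSize   # current state
Disable-DefaultApp -WhatIf                     # dry run: shows what would change
# Disable-DefaultApp                           # uncomment to apply
# Get-DefaultAppState | Format-Table -AutoSize # confirm Enabled is now False
```

Running `Get-DefaultAppState` on a schedule is a simple way to catch an app that has been switched back on.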


Copyright © 2017 SeattlePro Enterprises, LLC. All rights reserved.
