Risks of granting third-party AI tools access to data hosted on PolyU O365
- Third-party AI tools hosted on the Microsoft Cloud and running as applications under a Microsoft subdomain can leverage the Microsoft Graph API to access PolyU O365 user data if explicit permission has been granted by PolyU users.
- Granting third-party AI tools access to your O365 mailbox, calendar, MS Teams, and OneDrive folders risks exposing PolyU internal or sensitive data, which those tools might use for model training or other purposes.
- Besides your personal O365 data, third-party AI tools can also access other data resources that colleagues have granted you permission to access. In particular, most shared data resources on PolyU O365 are granted to user groups, so a tool acting on your behalf can reach whatever has been granted to the groups you belong to.

How to Protect University Data
- Carefully review requests to grant third-party AI tools hosted on Microsoft Cloud access to data hosted on PolyU O365.
- Be skeptical of third-party AI tools that offer “free” services (e.g. meeting transcription for O365/MS Teams). Once granted access to your calendar, a third-party tool can join MS Teams meetings booked on your calendar and record them without you joining.
- Revoke access for unused or suspicious third-party AI apps via the Microsoft My Apps portal.
- Report abnormalities detected in your O365 data resources to the IT HelpCentre.
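
As an added illustration (not PolyU's or Microsoft's own code), the script below reviews delegated consent grants of the kind described above and flags those that expose mailbox, calendar, Teams or file data. It assumes records shaped like Microsoft Graph `oauth2PermissionGrant` objects; the sample records, the `appName` field and the scope-to-category mapping are constructed for this example.

```python
import json

# Delegated Microsoft Graph scopes mapped to the data category they expose.
# The selection and the labels are this example's own choice.
SENSITIVE_SCOPES = {
    "Mail.Read": "mailbox", "Mail.ReadWrite": "mailbox",
    "Mail.Read.Shared": "mailbox (incl. shared)",
    "Calendars.Read": "calendar", "Calendars.ReadWrite": "calendar",
    "Calendars.Read.Shared": "calendar (incl. shared)",
    "OnlineMeetings.ReadWrite": "Teams meetings",
    "Chat.Read": "Teams chats",
    "Files.Read.All": "all files the user can open",
    "Files.ReadWrite.All": "all files the user can open",
    "Sites.Read.All": "all SharePoint sites the user can open",
}
# Scopes that reach past the user's own data into resources shared with them.
BEYOND_OWN_DATA = {"Mail.Read.Shared", "Calendars.Read.Shared",
                   "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}

# Constructed sample shaped like Graph oauth2PermissionGrant records; the
# "appName" field is added here for readability (Graph returns only clientId).
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "00000000-0000-0000-0000-000000000001", "appName": "Example Notetaker",
  "consentType": "Principal", "scope": "User.Read Calendars.Read OnlineMeetings.ReadWrite offline_access"},
 {"clientId": "00000000-0000-0000-0000-000000000002", "appName": "Example Summarizer",
  "consentType": "Principal", "scope": "User.Read Mail.Read Files.Read.All offline_access"},
 {"clientId": "00000000-0000-0000-0000-000000000003", "appName": "Example Sign-in Only",
  "consentType": "Principal", "scope": "openid profile User.Read"}
]""")

def review_grants(grants):
    """Return one finding per grant that carries a sensitive delegated scope."""
    findings = []
    for g in grants:
        scopes = g.get("scope", "").split()
        hits = [s for s in scopes if s in SENSITIVE_SCOPES]
        if not hits:
            continue
        findings.append({
            "app": g.get("appName", g["clientId"]),
            "exposes": sorted({SENSITIVE_SCOPES[s] for s in hits}),
            # offline_access lets the app keep refreshing tokens while the user is away
            "persistent": "offline_access" in scopes,
            "beyond_own_data": any(s in BEYOND_OWN_DATA for s in hits),
        })
    return findings

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```

A grant flagged with `beyond_own_data` covers resources shared with the user as well as the user's own, which is the group-sharing exposure described in the first list.
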
Please watch our video for a quick overview.
If you need further information, please contact the IT HelpCentre (Tel: 2766 5900, WhatsApp/WeChat: 6577 9669) or reach out via the IT Online ServiceDesk.