UW Madison Google Workspace - Introduction to OAuth for Microsoft, Google Workspace and Zoom

OAuth is a standard way that many websites and apps talk to each other across the internet. It works behind the scenes to make sure apps and websites work as intended. You probably use OAuth a lot without even knowing it. This article will explain OAuth and provide helpful resources.

Overview

  1. Introduction to OAuth for Microsoft, Google Workspace and Zoom (this document)
  2. Understanding OAuth Permissions for Microsoft 365, Google Workspace, and Zoom 
  3. Manage OAuth permissions for Microsoft 365, Google Workspace, and Zoom

What is OAuth?

OAuth allows users to approve a website or application's request to access their specific account information (ex: Microsoft 365 calendar or Google contacts) without needing to share their password or create a separate account specifically for the app.

For example, when a website (ex: Spotify) offers multiple login options such as Google, Facebook, and Apple, it is offering an OAuth option to log in and access its services (ex: Spotify's music library). This login option enhances security and reduces your risk if an app experiences a data breach. For example, if Spotify experiences a data breach and you signed in with your Google account, your Google password is less vulnerable because Spotify did not have access to it.

Example 1: Spotify

[Screenshot: OAuth login options on Spotify]

Example 2: Doodle

[Screenshot: OAuth login options on Doodle]

While OAuth provides many security benefits, it still has some risks. Understanding how OAuth works and what to watch out for is important for your online security.

Why does this matter to me?

While OAuth does not share your password with apps, it gives apps the ability to perform actions on your behalf. For example, AI assistant apps (ex: Fellow, Fireflies) are prevalent and allow users to sign up for their service using a Microsoft 365 or Google Workspace account. In this example, the AI assistant app might request access to the user's Microsoft 365 calendar. For convenience, the AI assistant bot might attempt to join all meetings (ex: Teams, Zoom, Webex) the user is invited to in order to document the meeting's discussion. This can be disruptive if the meeting host and attendees do not expect the AI assistant to attend and record the meeting. It is also a concern if private conversations are recorded by an app that has not gone through campus vetting or a cybersecurity risk assessment. While it might not seem like a big deal at first, OAuth can be misused if not handled properly.

For privacy and security purposes, it is important to be cautious when granting OAuth permissions to websites or applications that require access to your UW-Madison account. This is critical for individuals in the UW Health Care Component (UW HCC).

When do I interact with OAuth?

Most applications offer login options using OAuth. If you signed into an app using your Microsoft 365 or Google Workspace account rather than directly creating an account through the app, you have used OAuth. Common apps that are integrated with UW-Madison Microsoft 365, Google Workspace, and Zoom include Calendly, Fellow AI Notetaker, Fathom AI Notetaker, Mentimeter, Asana, ChatGPT, and more. You can reduce your risk of compliance violations, security concerns, and more by using apps that have been campus vetted. If you have any questions about integrating an application with your UW-Madison accounts, please consult your IT department.

Managing OAuth Permissions

It is important to regularly review and remove third-party apps that have access to your UW-Madison accounts, such as your Microsoft 365, Google Workspace, and Zoom accounts. This is especially important if you use third-party AI apps. Learn how to manage OAuth permissions.

Resources



Doc ID:
139025
Owned by:
UW-Madison Google Workspace in UW Google Apps
Created:
2024-08-08
Updated:
2025-05-23
Sites:
DoIT Help Desk, Google Apps