Introducing a Streamlined Process for M365 Add-in and Plugin Requests

In response to community feedback, Stanford’s Information Security Office (ISO) is excited to introduce a streamlined request process for those looking to integrate a third-party add-in or plugin with their university Microsoft account. 

The importance of vetting third-party add-ins or plugins 

With hundreds of third-party add-ins and plugins available to enhance the capabilities of Microsoft 365 applications like Outlook, Excel, Word, PowerPoint, and Teams, it’s easy to understand why these tools are enticing. But it’s also important to recognize that while some can boost productivity, others may pose significant risk. 

When you integrate a third-party add-in or plugin with your account, you may give it access to your calendar, contacts, email, and other data. To ensure your sensitive information remains secure, it’s essential that we thoroughly review each add-in or plugin. This review confirms the add-in or plugin complies with Stanford’s security and privacy standards to protect against accidental exposure and potential threats, prior to introducing it into our environment. 

How the request process works 

The good news is we’ve already completed the required review of the most frequently requested add-ins and plugins at Stanford, including EndNote 21, Calendly, and MathType. 

The results of these reviews are available in a new resource: M365 Add-ins and Plugins. Here, you’ll find a list of add-ins and plugins, along with a color-coded status that indicates the outcome of the assessment:

• Green: Approved for everyone to use with low and moderate-risk data
• Amber: Enabled by request on a case-by-case basis
• Red: Blocked but may be subject to re-review at a later date. 

As you navigate the request process, keep these points in mind: 

• If you are approved for an add-in or plugin, you can expect to gain access within three to four business days.
• If you don’t see the add-in or plugin you’re interested in, you can submit a request for it to be reviewed. (Note: The request form will be available starting Tuesday, May 27, 2025.)
• A data risk assessment (DRA) will be required if you are handling high-risk data with the add-in or plugin.
• The costs for certain university-provided services such as Zoom are covered; otherwise, you will need to purchase a license, if needed. 

Looking ahead 

For now, the review process is limited to Microsoft 365 applications. However, we anticipate expanding this workflow in the future to include plugins and add-ins for other platforms.