I logged into an MS Teams tenant as a guest.

It then asked me to log in again for something to do with SharePoint. I’m not entirely sure what.

After I had danced through an overly complex 2FA process, it then asked if I wanted this to “sign in to all apps and websites on this device?”

I did not, but the dialog also included an option for “Allow my organisation to manage my device” and this was checked by default.

In the small print this gives “my organisation” the ability to control settings, install apps, and reset the device.

No! This is my personal device. Why would I give another company such power to control it?

Or maybe I’m confused about who (or what) “my organisation” is. There’s also definite ambiguity about what it means to “manage this device to access some enterprise resources.”

Amazingly, this level of ambiguity, and such a potentially overreaching request for permissions, is something the Apple and Android app stores wouldn’t allow from an app.

What are the lessons?

  • Make it clear who or what each entity named in the message (such as “my organisation”) refers to.
  • Be very specific about which permissions are required and why.
  • Default to minimum permissions and allow them to easily be revoked.
  • Only ask for the absolute minimum required permissions of someone else’s account or device. How do we check we’re doing this?