Security · Governance · Microsoft 365
Risks of giving AI access to your 365
Businesses are being asked to hand AI tools the keys to their email, files and calendars — and told that anything less than full access won’t work. Here’s what’s actually being asked for, what’s already gone wrong, and what to do about it.
Someone finds an AI tool. It reads their inbox, summarises meetings, drafts replies, answers questions about contracts. The demo is superb. To work on real data it needs connecting to Microsoft 365 — and the connection screen asks for rather more than anyone expected.
IT explains that the permissions cover every mailbox in the business, not just the requester’s. That the setup guide wants a Global Administrator. And the answer, increasingly, is a shrug: I don’t care. Just turn it on.
That’s a decision a business owner is entitled to make. It is worth making it with the facts.
What you’re actually being shown
Here’s a realistic composite of what a mid-market AI assistant asks for when it wants to be genuinely useful.
The whole story is in the suffix. Mail.Read reads your mailbox. Mail.Read.All reads everyone’s. Three characters separate a personal productivity tool from tenant-wide surveillance, and the consent screen renders them in identical grey text.
| What it asks for | What it actually gets | Blast radius |
|---|---|---|
| Mail.Read | The signed-in person’s mailbox only | One mailbox |
| Mail.Read.All | Every mailbox in the tenant, including the directors’ and HR’s | Whole organisation |
| Mail.Send.All | Send mail as anyone — including your MD, to your bank | Invoice fraud on a plate |
| Files.ReadWrite.All | Every file in every SharePoint site and OneDrive | Whole organisation, destructive |
| Sites.FullControl.All | Full administrative control of all SharePoint sites | Effectively SharePoint admin |
| Directory.ReadWrite.All | Modify users, groups and app permissions | Can escalate its own privileges |
| Sites.Selected | Only the specific sites you explicitly name | Exactly what you chose |
| offline_access | A refresh token — access that continues with nobody present | Persistence |
Two things worth understanding. Delegated permissions mean the app acts as a signed-in person and can never see more than they can. Application permissions mean it acts as itself, with no user, no login, no session to expire — running at 3am on a Sunday with the same reach it has at 3pm on a Tuesday. That’s why they need an administrator: an ordinary user can’t give away data that isn’t theirs.
So when an AI tool insists on Global Administrator, it’s usually not because setup is complicated. It’s because nobody else can grant what it’s asking for. Sometimes that’s honest. More often the vendor simply never did the work to scope it — asking for Files.ReadWrite.All takes no engineering effort, and naming the three sites it actually needs does.
Microsoft’s own guidance: Only administrators in your entire organisation should hold Global Administrator. An AI connector or user with AI is not one of them.
You’re not buying an AI. You’re buying a pipe.
Most tools sold as “AI for your business” don’t train models or run them. They’re brokers: middleware that holds a credential to your 365, pulls data out, forwards it to somebody else’s model, and pipes the answer back. Zapier is the famous example; the pattern now covers hundreds of automation platforms, notetakers and inbox assistants.
So you’ve consented to a chain, having read the name of only the first link: your tenant → the connector (which sees everything in the clear) → their cloud (queued, logged, retained) → a model provider you didn’t choose → their hosting, analytics and support tooling.
Take Zapier’s own published position — useful precisely because it’s transparent, not because it’s bad. Zapier is a processor. It hosts in AWS in the United States. By default it retains task history — the actual content that passed through — for 29 to 69 days. Enterprise can shorten that to 7–30. It won’t sign a BAA for health data.
That’s a competently run vendor doing normal things. The point is that even the good version means a copy of the email your solicitor sent you sits on a third party’s infrastructure in another country for up to two months. Now multiply by every AI tool in your business, and note that the median vendor is nowhere near as forthcoming.
On the scraping question, honestly: reputable providers do carve training out, and they mean it. But “not used for training” is far narrower than “not retained”. Everyone in that chain logs — for abuse detection, debugging, billing, support — and those logs hold your content, on infrastructure you don’t control, readable by staff you haven’t vetted. The carve-out is also a property of the tier, not the brand. Employees don’t read tier terms; they sign up with a work email and paste in a contract.
And you cannot audit what you cannot see. Three days before this article was published, someone checked.
It was told not to open any files. It uploaded the entire repository.
On 12 July 2026 a researcher publishing as cereblab put xAI’s Grok Build coding assistant through an interception proxy and watched what it sent. The test prompt was blunt: reply with exactly “OK”, and do not read or open any files. The tool complied — and uploaded the whole repository anyway, as a Git bundle, to a Google Cloud Storage bucket named grok-code-session-traces. Cloning the captured bundle brought back a planted file the agent had been explicitly told not to touch.
The proportions are the story. On a 12 GB test repository, the channel doing the actual work carried around 192 KB. The storage channel carried 5.1 GiB, in 73 chunks, every one accepted — roughly 27,800 times more data than the task required. Canary credentials planted in a .env file came through unredacted. Secrets committed and deleted months earlier went too, because the full Git history travelled with the bundle.
The “Improve the model” toggle — what any reasonable person would read as the data-collection control — had no effect. The server kept returning trace_upload_enabled: true. The setting that actually stopped it was undocumented and never surfaced in the interface.
xAI moved quickly once it was public: within a day a server-side flag had switched the uploads off, verified independently, and Elon Musk promised on X that everything collected would be deleted. But there has been no security advisory, no changelog entry, and no statement on how long the data was held or how many people were affected — and the upload code reportedly remains in the binary, held back by a flag that can be flipped the other way. Equivalent tests of Claude Code, Codex and Gemini CLI didn’t show the same behaviour. Grok Build was the outlier, not the norm.
What this actually is: nobody was breached. No attacker, no malware, no stolen token — a legitimate provider’s tool, working as built, sending far more than its own privacy control implied. This is a coding assistant rather than a 365 connector, so treat it as the mechanism rather than the instance. But the mechanism is the same one you are about to authorise, and the only reason anybody knows is that one person thought to watch the wire.
What has actually gone wrong
Not hypotheticals. The public record of the last twelve months.
They didn’t hack anything. They asked the AI nicely.
In March 2026 Meta gave an AI support assistant the power to reset passwords and perform account maintenance across Facebook and Instagram. Attackers worked out that they could simply open a chat, give the bot a target’s username and an email address they controlled, and ask it to link the two. The bot did. It sent a verification code to the attacker’s inbox, accepted the code back, and offered a Reset Password button. It bypassed two-factor authentication. At no point did it check whether the person asking owned the account.
404 Media broke the story on 1 June 2026 after high-profile accounts fell — including the Obama White House account, a US Space Force account and Sephora. Meta’s own breach filing put the total at 20,225 users who lost access to contact details, dates of birth, profile information, their posts, their account activity and their direct messages. Meta says it doesn’t know what the attackers read. The attackers had roughly seven weeks.
Meta’s explanation is the most instructive sentence in this entire article: the tool functioned as intended, but a separate code path failed to verify that the email address matched the account.
What this actually is: not a hack. No malware, no exploit, no phishing. An AI was given a powerful permission and an attacker asked it to use that permission. It obliged, because that’s what it was for. Every AI tool in your tenant is one missing verification step away from this.
An AI chatbot’s tokens became a skeleton key for hundreds of companies
Drift was an AI chat platform integrated with Salesforce. Attackers compromised Drift’s own infrastructure and stole the OAuth tokens Drift held on behalf of its customers. Over ten days they queried and bulk-exported data from more than 700 tenants — Cloudflare, Google, Palo Alto Networks, Proofpoint, Zscaler among them.
They weren’t after CRM records. They combed exported support cases for secrets — AWS keys, Snowflake tokens, VPN credentials, passwords customers had pasted into tickets — and used them to move into entirely separate environments. Then they deleted the query logs behind them.
What this actually is: not one of those organisations was breached at its own perimeter. Every one had made a correct, deliberate, individually reasonable decision to connect a legitimate tool. The tool was the perimeter, and it belonged to someone else.
One employee’s abandoned AI trial cost the company its customer data
A Vercel employee downloaded a consumer AI office app from Context AI and connected it to their corporate Google account. Then they stopped using it. Nobody revoked it.
Context AI was breached in March 2026 and hackers compromised OAuth tokens for its consumer users. One of those tokens was still live. Attackers used it to take over the Vercel employee’s account and reach internal systems, including credentials that weren’t encrypted. Vercel confirmed customer data was stolen, warned it may affect hundreds of users across many organisations, and told customers to rotate their keys.
What this actually is: OAuth grants don’t expire when interest does. Every AI tool anyone has ever trialled in your tenant is still connected unless somebody actively disconnected it. Go and look — it takes ten minutes and you won’t enjoy it.
A credential from 2022 took down about 200 companies at once
Klue, a market intelligence platform, was breached via a credential it had issued in 2022 for a limited pilot and never decommissioned — four years of standing access nobody was watching. The attackers took the keys Klue held to its customers’ cloud services, used them to break into those environments, stole the data and extorted the companies. Close to 200 were affected, including LastPass, HackerOne and Jamf.
What this actually is: the vendor’s credential hygiene is your credential hygiene. You inherit every ageing token in their database, and you will find out about it when they do.
Every outbound email, quietly copied, for a week
An attacker published an npm package mirroring a legitimate connector that lets AI assistants send email. Fifteen versions were faithful copies. They worked. They passed scanning. They earned trust. Version 1.0.16 added one line: a hidden BCC on every message to an attacker-controlled address. Password resets, invoices, customer correspondence. Because the mail flowed through the organisation’s own infrastructure, SPF and DKIM passed and nothing looked wrong.
What this actually is: an AI connector is a dependency an agent invokes repeatedly, with production credentials, unattended. A malicious library inside an app is bad. A malicious tool inside an agent’s toolbox is an insider.
Your incident response plan doesn’t work here
Read those together and the pattern should worry you. In none of them did an attacker crack a password. In none did MFA fail. In several, MFA was completed correctly by the real user. Access was granted properly, by someone with authority to grant it — and then stolen or abused.
Resetting passwords does nothing
Microsoft’s own guidance on illicit consent grants says it plainly: password resets and MFA are not effective against this attack class, because the application is external to your organisation and doesn’t need an account in it.
An app with Mail.Read.All keeps reading every mailbox after you reset every password in the business. It keeps reading after you enforce MFA everywhere. It keeps reading after the person who consented has left. It stops when somebody revokes the grant and kills the refresh tokens — and not before.
Where you stand legally
Short version, because most businesses aren’t going to produce a stack of paperwork for this.
You are the controller, and that never transfers. Decide to route customer email through an AI tool and you own the consequences. Not the vendor. If they lose the data, it’s your breach, your notification, your fine, your letters to customers. The ICO’s ceiling is £17.5m or 4% of global turnover.
No contract, no lawful processing. UK GDPR Article 28 requires a written contract with any processor handling personal data on your behalf. A free-tier signup with a work email isn’t one. The processing is unlawful from the first prompt — before any attacker appears, before anything “goes wrong” at all.
A DPIA is mandatory here, not optional. Connecting AI to the whole corpus of your email and documents hits several ICO triggers at once: innovative technology, large-scale processing, invisible processing, and special category data about your own staff. The ICO treats this as a gate before you start, not a document produced afterwards to justify a decision already taken — and it expects you to show which less risky alternatives you considered and why you rejected them.
Your customer contracts probably bar it anyway. Most commercial agreements — and effectively all public sector, financial services and enterprise ones — restrict sub-processing or require notice. Connecting an AI tool to the mailbox handling that client’s account can breach the contract regardless of what the ICO thinks.
And the professional duties don’t bend. Legal privilege, medical confidentiality, FCA obligations, safeguarding. A solicitor routing client correspondence through an unassessed third party has a problem that has nothing to do with data protection law.
What to do instead
Prohibition doesn’t work — staff route around it and you lose visibility entirely. Give people a good option so they don’t find a bad one.
Safest: keep it inside the tenant
Microsoft 365 Copilot. Prompts, responses and Graph data stay inside the Microsoft 365 service boundary. Not used to train foundation models. Covered by your existing agreement, honours your sensitivity labels, logs to Purview.
The catch: Copilot respects the permissions you already have, and most organisations’ permissions are a mess. It won’t show a user anything they can’t access — but it will surface, in seconds, everything they technically could have found and never would have. Fix the oversharing first, not after.
Azure AI Foundry in your own subscription is the right answer for bespoke internal tooling: your region, your network, your logs, no broker in the middle.
Acceptable: third party, properly scoped
Delegated permissions over application permissions wherever a signed-in user exists. Sites.Selected rather than Sites.ReadWrite.All — and note the trap: adding a broad scope like Files.Read.All alongside it silently defeats the restriction. Exchange application access policies to bind a mail-reading app to named mailboxes. Certificate credentials over client secrets. A named internal owner and a review date.
Refuse outright
Anything requiring a standing Global Administrator account. Anything requiring tenant-wide write access for a read-only job. Anything that can’t name its sub-processors. Anything with no contract behind it.
Nine controls, this week
- Enumerate what’s already connected. Entra → Enterprise applications. Everyone finds something.
- Turn off user consent or restrict it to verified publishers and low-risk permissions. This one toggle would have prevented several incidents above.
- Enable the admin consent workflow so requests arrive as tickets, not discoveries.
- Disable device code flow via Conditional Access unless you have a documented need.
- Audit Global Admins. More than four? Fix it today. Move to PIM for just-in-time elevation.
- Alert on consent grants in the audit log — especially
IsAdminConsent = True. - Turn on app governance in Defender for Cloud Apps if you’re licensed.
- Fix SharePoint oversharing before enabling any AI that reads files.
- Owner and review date on every grant. Quarterly. Start with anything untouched in 30 days.
Before you approve any AI tool
The seven questions that matter
The bottom line
Giving an AI tool full access to Microsoft 365 isn’t a configuration. It’s a decision to let an external company read every confidential thing your business holds — your commercial position, your legal advice, your customers’ data, your employees’ private circumstances — indefinitely, through a chain you haven’t met, with a persistence that survives every incident response step your team knows.
Sometimes it’s worth it. Usually a scoped version delivers most of the value at a fraction of the exposure, and the only reason it wasn’t chosen is that nobody spent the afternoon. Either way it’s a decision that should be made deliberately, by someone with the authority to make it, who’s willing to put their name on it.
Accepting takes four seconds. Meta’s attackers had seven weeks. Klue’s credential sat there for four years. Nobody in any of those stories thought they were making a decision at all.
Sources
- 404 Media — Hackers simply asked Meta AI to give them access to high-profile Instagram accounts (1 June 2026).
- Google Cloud Threat Intelligence Group — Widespread data theft targets Salesforce instances via Salesloft Drift (August 2025).
- TechCrunch — Vercel confirms customer data stolen via breach at Context AI (April 2026).
- TechCrunch — The worst hacks and breaches of 2026 so far (Klue / Icarus).
- Snyk — Malicious MCP server on npm: postmark-mcp harvests emails; disclosure by Koi Security.
- Microsoft Learn — Microsoft Graph permissions overview; Detect and remediate illicit consent grants; Best practices for Microsoft Entra roles.
- ICO — Guidance on AI and data protection; When do we need to do a DPIA?
- Zapier — Data privacy overview.
- The Hacker News — Grok Build uploaded entire Git repositories to xAI storage, not just files it read (July 2026); original wire capture by cereblab, published as a gist. Follow-up on xAI’s response: The Register.
General information for IT and business decision-makers, not legal advice. Data protection outcomes turn on the specific facts of your processing — consult a qualified practitioner before relying on any of it. Vendor terms and product behaviour change frequently; verify against primary sources before deciding.
