For the most part, public-facing add-ins are offered by Microsoft via AppSource and according to this:
Privacy and security for Office Add-ins - Office Add-ins | Microsoft Docs they pose little threat. However, you should always review any permissions the add-in requires to function, and that also really depends on the development of the add-in. For instance, if a company needed an Outlook add-in that was not offered through AppSource, it would fall back to performing DD on the vendor you are working with. You also need to consider privacy risks posed by the service the add-in is providing. For example, there are many add-in's for Outlook, which could be reviewing email message content, calendars, and contact lists.
I'm always interested in hearing what others are doing for due diligence and ongoing monitoring for these types of vendors.
Original Message:
Sent: 08-02-2022 05:18 PM
From: Anonymous Member
Subject: Microsoft Plug-ins
This message was posted by a user wishing to remain anonymous
Does anyone have any suggestions on review processes and/or protocols for plug-ins and add-ons within Microsoft?
Thanks