When you have your users on office 365, they tend to use integrate their account with third party cloud applications.
The advantage and dis-advantage of using office 365 is that it integrates seamlessly with the third-part cloud application.
One such application that i came across is that CloudHQ. It is very good product. When you work with different client, and their respective application, CloudHQ, helps get those information to one place.
For example, If a user has a office 365 mailbox and a gmail account. He can extract all the emails from office 365 and transfer it to gmail account.
All you have to do is just authenticate authroize CloudHQ to use your office 365 account.
CloudHQ can do lot more than what i just described.
To some organization, they don’t want their user to take the corporate data to external application which is not allowed.
How a user can sign-up to these applications (I user CloudHQ as an example)
Go to the website
Sign-up using the office 365 account
Logon screen to office 365
Authorize CloudHQ to your office365 account,
As soon as it is done, admin can see this application under Enterprise application list
Right now, this user has authorized CloudHq to access the office365. From CloudHQ, you can authorize your personal email account, such as gmail, as the destination to copy the emails.
To avoid this,
You might wonder if disable active sync or other features may allow you to control access of the users – NOPE.
Even if you disable EWS, user will be able to authorize the application to access their office 365 account.
The only way to control this is by setting the restriction in Azure portal. You can block all the application except few MS application or which ever way works for you.
Hope this was useful.