What should I do?
Choose the appropriate option based on what kind of service you have used and what you have used it for.
I was not aware I had used this service!
That's understandable—many users have signed into a service with their UiO account in Microsoft 365 and granted access to UiO data without realizing the extent of it.
It varies from service to service how clearly they have requested permission to connect to your UiO account in Microsoft 365, what rights and permissions they actually gain, and it can therefore have been unclear in the moment that you granted the service access to UiO data.
You may have signed in with your UiO account in Microsoft 365 to test something, download a service, or use a web service, and simultaneously (often with one click) granted the service access to data in Microsoft 365—such as your user profile, email, files, or contacts.
Many of these services may be outdated and no longer actively used.
You may have received a request via email, it could have come through Teams, or you might have chosen Microsoft 365 sign in on a website. It is possible that you have granted permission to connect the service to your UiO account in Microsoft 365 without being aware of it.
I do not recognize the services mentioned in the email and don't know what they are. Why can't UiO tell me exactly which service this concerns?
In some cases, UiO only receives the name or title provided by the service itself when it connects to your Microsoft 365 account, known as appDisplayName. This name can be generic or uninformative, and does not always provide enough information to identify the exact service. Therefore, we cannot always confidently specify which service it refers to, and we ask you to assess whether you recognize the name mentioned in the email and if you are indeed using the service.
If you do not recognize the service, you can see if you can find it through this website:
How do I log in to the service to manage my data, account, or sign-in method?
How to log in to the service to manage your data and sign-in method:
-
Open the service
-
This could be via a website, an app on your phone, a program on your computer, or similar—depending on the specific service.
-
You can sign in to the service via https://myapps.microsoft.com and start the service from there to ensure you are using the correct service and account.
-
-
Select “Sign in with Microsoft”
-
This option may also be labeled “Continue with Microsoft,” “Microsoft,” “Microsoft 365,” “Office 365,” or similar.
-
Sometimes it is found under “More sign-in options” or “Enterprise login.”
-
The sign-in screen may look like the example below, but this can vary from service to service.
-
-
-
Use your UiO account
-
Enter your UiO username (username@uio.no) and password.
-
-
Locate and delete your data, switch sign-in method
-
Look for settings, profile, or privacy menus.
-
Choose to delete your account or remove stored data associated with your UiO account.
-
Switch sign-in method
-
Will I loose access to my UiO account or Microsoft 365 at UiO?
No. You will keep you UiO account and access to Microsoft 365 at UiO. Removing access for an external app or service does not affect your UiO account or Microsoft 365 access. You will keep your access to services such as Word, Excel, Powerpoint, Sharepoint, OneDrive, Teams, etc.
This action only revokes permissions that the external app had to your UiO data.
What does it mean that I have given consent or permissions to a service?
By signing in, you as a user have given the service consent or permission to gain certain rights and permissions to your UiO account in Microsoft 365. The rights and permissions each service requests vary from service to service.
The services you have used may have gained access to your user profile, email, files, or contacts. By granting permission, the service may gain the right to read, write, modify, or use this data.
This is what it may have looked like when you granted the service permission to access certain rights and permissions to your UiO account in Microsoft 365 (example in Norwegian only):
What does it mean that I have "signed in with my UiO account in Microsoft 365" in a service?
It means that you have used your UiO account in Microsoft 365 to grant a service access to your data, often via a standard sign-in (e.g., "sign in with Microsoft" or "sign in with school or work account").
Here is an example of what such a sign in might look like:
What should I do if “Sign in with Microsoft” (or similar) doesn’t work?
If “Sign in with Microsoft” (or similar) doesn’t work, it may mean that the connection between your UiO account and the service has already been removed.
- First, try signing in via https://myapps.microsoft.com to check if the service is still available there.
- If you cannot access it, you may need to contact the service provider directly to request deletion of your account and data.
State that you previously used Microsoft sign-in with your UiO account, and that this access has now been removed.
Example wording you can use when sending a deletion request to the service provider:
“I request permanent deletion of my account and all data related to it.”
Am I affected as a student?
Both employees and students have used services through sign in with their UiO account in Microsoft 365. Students rarely have sensitive information stored in Microsoft 365, so the risk associated with you as a student having used an unauthorized sign in method and/or unapproved service is probably low. However, we still need your help in solving this for UiO.
Why do I need to delete data in the services if access will be removed?
Removing access restricts new access and prevents you from signing in with your UiO account in Microsoft 365, but existing data may still be stored in the service. Therefore, you also need to delete data directly in the service before access is restricted to ensure complete deletion.
What do rights and permissions mean in this context?
In this context, rights and permissions refer to what a service is allowed to do with your data when you sign in with your UiO account. When you approve a service, you grant it specific permissions (rights) to retrieve or use information related to you.
For example, it may mean that the service may have access:
- To read and send emails on your behalf
- To view or edit files you have stored in OneDrive, SharePoint, or Teams
- To read calender appointments and contacts
- To use your name, email address, and other profile information
Some services may only request access to your user profile, while others may ask for more extensive permissions. Therefore, it is important for UiO to necessary assessments before such services are used with UiO accounts.
I can’t sign in to the service to delete data. Why?
Many of these services are connected to your UiO account through Microsoft 365’s sign-in solution. This means you have not created a username and password for the service – instead, you sign in through Microsoft using your UiO credentials.
If you try to sign in directly on the service with a “local” account, it will often not work. Instead, you should:
-
Choose “Log in with Microsoft,” “Sign in with Microsoft,” “Continue with Microsoft,” or similar
-
Use your UiO username and password
-
Alternatively, go via https://myapps.microsoft.com and start the service from there
When you sign in via SSO, you will get access to the same account that has the data, and you can delete it.
The sign-in options may look like this:
Here is another example:
I have only used my UiO account to sign in to a service I use privately; why is that a problem?
That's understandable, and many have done the same without being aware of the implications. However, even if the service is used for private purposes, it can pose a risk when your UiO account in Microsoft 365 is used for sign in because:
- You grant the service access to your UiO account in Microsoft 365 and potentially to data such as email, calendar, contacts, or files, even if you are not actively using the service.
- UiO has a responsibility for the information security and data privacy associated with the account—even in such cases.
Therefore, it is not permitted to use your UiO account in Microsoft 365 to create private user accounts in services.
It is also unfortunate to use the UiO account for private purposes because you lose access to the account when your association with UiO ends.
If you wish to continue using the service for private purposes, you should create a user account with a private email address instead.
Can I get help retrieving data from the service?
No, the IT department unfortunately cannot assist with retrieving data from services you have used. This is because UiO does not have a data processing agreement with the service provider. UiO does not have access to the data or authority to retrieve it.
We therefore ask that you resolve this yourself and contact the service provider if you have questions related to data retrieval.
Why is it a problem to sign in to a service with a UiO account in Microsoft 365?
It is not necessarily a problem to use your UiO account in Microsoft 365 as a sign-in method for services. However, using Microsoft 365 as a sign-in method requires control with what permissions are granted, as well as necessary assessments of the services that are to be used. Therefore, what services that are to be used at UiO with Microsoft 365 as the sign in/authentication method should be decided and managed by the IT department, rather than by individual users.
How does UiO know that I am using this service?
The IT department at UiO has an overview of which services are connected to users' UiO accounts in Microsoft 365, for the purpose of managing Microsoft 365 at UiO. This is part of the technical security infrastructure in Microsoft 365 and provides UiO with information about which services have gained access to data through user consent.
Access to this information is limited to a few individuals within UiO's IT department who are responsible for the security and operation of the Microsoft 365 platform.
UiO does not see your content in the service or what you have done in the service, but they can see which services have gained access to your account, what permissions they have received (for example reading emails, contacts, or files), and when consent was given.
I am wondering when and in what situation I used my UiO account to sign in to the service. Can you help me with that?
UiO does not have a detailed record of the exact time or situation when the service was used. What we do know is that you signed in to the service using your UiO account in Microsoft 365. We can only see that the service has been granted access to your account via Microsoft 365, not how or why you signed in.
What are the consequences for me?
For most people, this will not have any immediate consequences. However, if a service has gained access to your UiO account in Microsoft 365 without being assessed and approved, that access will be blocked.
UiO therefore requests that you delete UiO data from the service before the access is blocked.
You will not experience any consequences for using a service in breach of UiOs procedures. You are not alone; many users have signed into services without being aware it constitutes a breach of UiO procedures.
Although it is in breach of UiO procedures to use unapproved services for processing personal data, accidents can happen and it can be difficult to understand when you access a new service. UiO is the data controller for the personal data, and therefore responsible for ensuring that the information is processed in accordance with the General Data Protection Regulation (GDPR). Individual users who have violated UiO's procedures by using unapproved services are not mentioned in the notification to Datatilsynet (The Norwegian Data Protection Authority).
Many users are unaware that they have granted services very broad permissions, often with ongoing access to emails, files, contacts, and more.
Can I get an extended deadline to retrieve the data and delete the account?
No, unfortunately, an extended deadline cannot be granted for retrieving and deleting any UiO data from the service.
Many factors have been taken into account when deciding the deadline. The service may pose an information security and privacy risk as long as it is connected to your UiO account in Microsoft 365. Many of these services have broad access to UiO's data, and a short deadline is therefore necessary to ensure the security of personal data and legal compliance.
If you are unable to retrieve data and delete the account by the deadline, you must request the deletion of the account and its contents by sending a written inquiry to the privacy contact point at the service provider.
Suggestion for wording in the inquiry to the contact point at the service provider:
“I request permanent deletion of my account and all data related to it.”
I have lost access to the account; does that mean it has been deleted?
No, probably not. Losing access typically means that the connection to your UiO account has been removed or disabled, but it does not automatically mean that the account or the data stored in the service has been deleted.
If you try to sign in to the account after the date specified in the email, when UiO will disable the ability to sign in via your UiO account in Microsoft 365, this does not mean that the actual account has been deleted. Deletion must be requested by sending a written inquiry to the service provider.
Suggestion for wording in the inquiry to the contact point at the service provider:
“I request permanent deletion of my account and all data related to it.”
Can UiO decide which services I can use?
In a private context, UiO does not control which services you choose to use.
However, UiO is the data controller for data processed in connection with work and studies at the university—including personal data, research data, emails, and documents. This means that UiO can and must establish guidelines for which services can be used in UiO's operations, to ensure, among other things:
- That data privacy and information security are maintained
- That data is stored and processed in accordance with the law (such as the General Data Protection Regulation (GDPR), confidentiality requirements, and legal obligations concerning information security) and contractual commitments
- That necessary agreements with service providers are in place
What is UiO doing to prevent this from happening again?
UiO has changed the settings in Microsoft 365 so that users can no longer grant new services permission to access their UiO account in Microsoft 365 and associated data, without approval by UiO.
UiO is reviewing existing connections, strengthening control and procedures for assessing new services, and providing better information and guidance to users about secure use of IT services.
Users must take responsibility to only use IT services that are approved by UiO. Services that are not approved for use at UiO should not be used in the context of work and studies for processing UiO data—neither by signing in with a UiO account in Microsoft 365 or by registering in a service using a UiO email address.
We encourage all UiO users to take UiO's introductory course in privacy and IT security.
Can I request approval for a service I want to use in my work?
UiO aims to maintain a comprehensive service catalog that meets users' needs while ensuring that privacy, information security, and other concerns are addressed. Additionally, having multiple services that fulfill the same needs can be unnecessary. Services must be assessed before they are used, and they must be managed and administered while in use. This is resource-intensive.
The IT department therefore accepts requests to use new services if the need is not already covered by the existing service catalog. Such requests require approvement from a manager at UiO.
- You can read more about this process on our contact pages.
What information might the service have access to?
It varies from service to service. When you sign in with Microsoft 365, you must approve which parts of your account the service can access. This may include:
- Name and email address (user profile)
- Calendar
- Emails and contacts
- Files in OneDrive or SharePoint
Sometimes the access is limited, other times it can be extensive. UiO cannot always see exactly which data has been retrieved or used, which is why you are asked to delete UiO data from the service.
Can I get an overview of all the information that a service has collected from my user account?
You will need to contact the service provider directly to request access to and deletion of your data in the service.
You can use this wording for deletion:
“I request permanent deletion of my account and all data related to it.”
What should I do if I think I have granted access to a malicious service?
Contact UiO-CERT immediately if you believe you have granted access to a malicious service. By "malicious", we mean services that are likely to misuse the data they have gained access to. Examples may include:
- Using data to train artificial intelligence
- Using data to send targeted phishing attacks to UiO's user database
- Disclosing or further spreading data
Can I use services that have been approved by other universities or organizations?
No, UiO is responsible for which services we use and UiO does assessments of information secutiry and data privacy requirements independently from other organizations. Only services approved by UiO can be used at UiO and with your UiO account in Microsoft 365.
How can I know if I am affected and which services I have used?
UiO sends emails directly to users who have used services with their UiO account in Microsoft 365. The email will specify which services you have granted access to with your UiO account and what actions you need to take next.
The service I am using is approved by UiO. Why am I receiving an email?
Have you received an email instructing you to delete your account in a service that is approved for use at UiO? This may be due to several reasons.
An error may have occurred on the IT department's side, meaning the account should not be deleted. If that's the case, you need to report this as soon as possible.
It could also be that you chose the wrong sign in method when you first sign into the service. Most services offered at UiO use Weblogin or FEIDE sign in.