Application Review Committee (ARC)

University of Toronto staff and faculty can request access to third-party applications that integrate with their U of T Microsoft 365 accounts. When the request is approved by the requester’s divisional IT administrator, it will be subject to review by the University’s Application Review Committee (ARC).

The ARC is composed of IT stakeholders from across the tri-campus community. The committee meets monthly to evaluate and approve application requests. If an application is approved by ARC, it will be submitted to Information Security for a risk assessment and final review before being implemented.

To maintain a secure integration of third-party applications and add-ins with Microsoft 365 products, we have implemented a comprehensive review process which includes the following steps:

  • Approval by Divisional IT Administrators: Your requested third-party application or add-in will be subject to approval by your divisional IT administrator(s). They will assess its compatibility with our existing systems and evaluate its potential benefits for the division.
  • Evaluation by the Application Review Committee (ARC): Our dedicated Application Review Committee (ARC) will carefully evaluate the suitability of the requested application or add-in.
  • Risk Assessment by Information Security: As part of our commitment to security, our Information Security team will conduct a thorough risk assessment of the proposed application or add-in to identify and mitigate potential security risks.

 

ARC prioritizes applications and add-ins based on the following criteria:

  • User Base: We consider the size of the user base to assess the relevance and popularity of the integration.
  • Business Impact: The potential impact on our business operations will be carefully evaluated.
  • Advancement of University Activities: We are particularly interested in applications that contribute to the advancement of teaching, learning, and research activities within the University.

Considering the volume of requests received, the resolution of each request may require several weeks to months, depending on factors such as priority and resource availability.

We understand the importance of a timely review process. While your request is being processed, we recommend exploring approved third-party alternatives that are secure and cater to various user needs. To explore approved integrations, please visit this webpage.

Rest assured, our aim is to provide you with seamless and secure integrations that enhance your Microsoft 365 experience. If you have any questions or need further assistance, please reach out to your local IT or create a ticket in the Enterprise Service Centre.

Additional information:

Frequently asked questions

App requests and integrations

University of Toronto staff and faculty can submit requests for new application integrations.

Applications that integrate with University Microsoft 365 accounts must go through a formal request and review process. The review process looks at the application, its intended function and whether similar applications have already been approved. It also includes a risk assessment that specifically examines the type of account information the app will have access to once it is installed by a user. The review process is an important part of promoting the sustained efficacy and security of possible third-party application solutions.

No. Applications developed by EASI do not currently require an information risk assessment (IRM), but they do require a privacy impact assessment (PIA). These applications have an existing governance process and are outside the scope of the Application Review Committee.

The availability of an approved application depends on its risk status. Two types of apps and add-ins can be implemented as part of the approval process:

    • Low-risk apps: Identified low-risk applications that do not access Microsoft 365 data are available for University-wide use. 
    • Higher risk apps: Applications that are higher risk and integrate with Microsoft 365 data can be enabled for specific user groups after going through a request and approval process. 

If you would like access to a higher risk application, please submit a request through the Enterprise Service Centre. 

Applications with indicated user restrictions can be enabled for specific users/user groups after going through an approval process. For more information, please submit a ticket to the Enterprise Service Centre. 

Depending on the tool, support for approved applications and add-ins will normally be provided by a user’s local IT units or by the product vendor. Before requesting an application, please discuss support with your local IT staff.

University staff and faculty can request that third-party applications and add-ins that connect with their Microsoft 365 accounts be enabled. These requests are subject to a formal review process.

If you are requesting one of the following applications, please purchase a license through the Library. There is no need to submit a request through the Application Review Committee:

  • Microsoft Power BI Pro
  • Microsoft Project
  • Microsoft Visio

Microsoft apps that are part of existing Microsoft licenses such as Power Automate, Power Apps and Sway are granted on a by-request basis. Some Microsoft apps such as Power BI Pro, Project and Visio require that additional licensing be purchased through U of T Libraries: How to Purchase Software. 

University of Toronto staff and faculty can request third-party applications and add-ins from the University’s Microsoft 365 team using this form. These requests are subject to a review process that could include:

  • Approval by the requester’s divisional IT administrators.
  • An evaluation by the Application Review Committee.
  • A risk assessment.