Just a quick question for the community. The way we have Office 365 integrated with Canvas, once a user has connected up Office 365 account to their Canvas account (via the Collaboration link inside a course for example), there then is in place a sustained trust relationship in place so that they don't need to re-authenticate in future Canvas sessions. I guess that is pretty standard operation. Our login method to Canvas is vie a Microsoft ADFS login page (the same as we have to login to Office365 etc.)
The thing that we've found is that if one of the admin team become/masquerade another user who has gone through this process, we are able to access and view that users Office365/OneDrive area. We were a bit startled by this, and although we are a small admin team we are concerned that we could be exposing ourselves to future issues whereby blame may be attributed to us.
We were wondering if other Canvas clients had found this and if so were they concerned enough to put in place some policy around it?
Anecdotally, as a past user of Desire2Learn's Brightspace, in that system although we could impersonate other users, as soon as we went outside of Canvas, those integrated systems would know who we actually were and would not show us the impersonated users files.