How to prevent installation of and publish Microsoft Office add-ins in Office 365. Office add-ins are a great way of extending the functionality of Office applications such as Outlook, Word, Excel, and even web applications like Outlook Online (OWA).
These add-ins are different to older COM type add-ins, as described here: https://docs.microsoft.com/en-us/outlook/add-ins/
Outlook add-ins are different from COM or VSTO add-ins, which are older integrations specific to Outlook running on Windows. Unlike COM add-ins, Outlook add-ins don’t have any code physically installed on the user’s device or Outlook client. For an Outlook add-in, Outlook reads the manifest and hooks up the specified controls in the UI, and then loads the JavaScript and HTML. The web components all run in the context of a browser in a sandbox.
However you may not want users to be able to install whatever they want, there may be security concerns with add-ins which can potentially read email and documents and send data to the internet. I’d therefore recommend that you limit the ability of users to install any add-ins they want, and just have a list of pre-approved apps available to users that you are happy with.
Add-ins are controlled separately in Outlook vs other Office applications, so we’ll look at how to disable in both locations.
Disable add-ins in Outlook
Disabling Outlook add-ins using Outlook roles
Permission to install Outlook add-ins are separate, and are easily removed by modifying the default role assignment policy to remove the following roles:
- My Marketplace Apps: Enables a user to install and manage Office Store add-ins for their own use.
- My Custom Apps: Enables a user to install and manage custom add-ins for their own use.
- My ReadWriteMailbox Apps: Enables a user to install and manage add-ins that request the ReadWriteMailbox permission level in their manifest.
You can find this in the Exchange admin center > permissions > user roles > Default Role Assignment Policy:
See https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins for more information.
Disable Office add-ins in all applications apart from Outlook
Note that these instructions will vary depending on which portal you are using (old vs new etc) and the portal changes over time.
- Navigate to the Microsoft 365 Portal
- Open Settings > Services & add-ins > User owned apps and services
- Untick the boxes:
- Let users access the Office Store
- Let users install trial apps and services
Publish allowed add-ins so that they are available to users
Using what Microsoft call Centralized Deployment you can make a list of approved add-ins available for users to install, or even install them automatically for users. Note the list of pre-requisites in the link above, basically you need to have Exchange Online and a reasonably up to date version of Office on the desktop. If you are in a hybrid set up, your on-premises users won’t be able to use this feature until they are migrated to Exchange Online.
- In the Admin Portal go to Settings > Services & add-ins click Deploy Add-in:
- Specify who has access, select Everyone, Specific users/groups or Just me. I’d recommend using a group here, especially if you have Directory Sync enabled. Create a mail enabled security group (not distribution group) in your on-premises AD with the name of the app e.g. App-, mail enable it, add some users and let it sync to Azure AD.
- If it is an Outlook add-in you will get additional options whether you want to choose Fixed, Available or Optional deployment depending on the requirement. Available or Optional are probably the best options.
- Now whenever you want users to be able to use the app, you just add them to the group and it will appear.
