Preventing users from installing Office add-ins

This post covers how to prevent users from installing Microsoft Office add-ins in Office 365, and how to publish approved add-ins instead. Office add-ins are a great way of extending the functionality of Office applications such as Outlook, Word, Excel, and even web applications like Outlook Online (OWA).

These add-ins are different from the older COM-type add-ins, as described here: https://docs.microsoft.com/en-us/outlook/add-ins/

Outlook add-ins are different from COM or VSTO add-ins, which are older integrations specific to Outlook running on Windows. Unlike COM add-ins, Outlook add-ins don’t have any code physically installed on the user’s device or Outlook client. For an Outlook add-in, Outlook reads the manifest and hooks up the specified controls in the UI, and then loads the JavaScript and HTML. The web components all run in the context of a browser in a sandbox.

However, you may not want users to be able to install whatever they want: an add-in can potentially read email and documents and send that data to the internet, which is a security concern. I'd therefore recommend that you limit users' ability to install arbitrary add-ins, and instead offer a list of pre-approved apps that you are happy with.

Add-ins are controlled separately in Outlook and in the other Office applications, so we'll look at how to disable them in both places.

Disable add-ins in Outlook

Disabling Outlook add-ins using Outlook roles

Permissions to install Outlook add-ins are granted separately, and are easily removed by modifying the Default Role Assignment Policy to remove the following roles:

  • My Marketplace Apps: Enables a user to install and manage Office Store add-ins for their own use.
  • My Custom Apps: Enables a user to install and manage custom add-ins for their own use.
  • My ReadWriteMailbox Apps: Enables a user to install and manage add-ins that request the ReadWriteMailbox permission level in their manifest.

You can find this in the Exchange admin center > permissions > user roles > Default Role Assignment Policy.

See https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins for more information.
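The same change can be made and verified from Exchange Online PowerShell, which is also the easiest way to see which add-ins users have already installed before you remove the roles. This is an added example, not commands from the original post: it assumes the ExchangeOnlineManagement module is installed, that your account holds a role that can manage role assignments (for example Organization Management), and that the three role names are exactly those listed above; the Scope property used in the last step is assumed to distinguish organization-deployed add-ins from user-installed ones.

```powershell
# Added example, not commands from the original post. Uses the Exchange Online
# PowerShell module (ExchangeOnlineManagement) and the three role names listed above.
# Assumes you hold a role that can manage role assignments (e.g. Organization Management).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in to the tenant

$policy     = "Default Role Assignment Policy"
$addInRoles = @("My Marketplace Apps", "My Custom Apps", "My ReadWriteMailbox Apps")

# 1. Record what the policy currently grants before changing anything
Get-ManagementRoleAssignment -RoleAssignee $policy |
    Where-Object { [string]$_.Role -in $addInRoles } |
    Format-Table Name, Role, RoleAssigneeType -AutoSize

# 2. Remove each add-in role from the policy. Drop -Confirm:$false to be
#    prompted for each removal instead.
foreach ($role in $addInRoles) {
    Get-ManagementRoleAssignment -RoleAssignee $policy -Role $role |
        Remove-ManagementRoleAssignment -Confirm:$false
}

# 3. Verify: this should now return nothing
Get-ManagementRoleAssignment -RoleAssignee $policy |
    Where-Object { [string]$_.Role -in $addInRoles }

# 4. Removing the roles does not uninstall add-ins users already added, so list
#    what is installed per mailbox and review the publishers. Scope is assumed to
#    read "User" for self-installed add-ins and "Organization" for deployed ones.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-App -Mailbox $mbx.Identity |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      DisplayName, ProviderName, Scope, Enabled
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 1 and step 4 first and keep the output; they tell you which mailboxes already have user-installed add-ins so that anything unexpected can be reviewed and, if necessary, removed with Remove-App, since taking the roles away only stops new installations.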

Disable Office add-ins in all applications apart from Outlook

Note that these instructions will vary depending on which portal you are using (old vs new etc) and the portal changes over time.

  • Navigate to the Microsoft 365 Portal
  • Open Settings > Services & add-ins > User owned apps and services
  • Untick the boxes:
    • Let users access the Office Store
    • Let users install trial apps and services

Publish allowed add-ins so that they are available to users

Using what Microsoft calls Centralized Deployment, you can make a list of approved add-ins available for users to install, or even install them automatically for users. Note Microsoft's list of prerequisites: basically you need Exchange Online and a reasonably up-to-date version of Office on the desktop. If you are in a hybrid setup, your on-premises users won't be able to use this feature until they are migrated to Exchange Online.

  • In the Admin Portal go to Settings > Services & add-ins and click Deploy Add-in.
  • Specify who has access: select Everyone, Specific users/groups or Just me. I'd recommend using a group here, especially if you have Directory Sync enabled. Create a mail-enabled security group (not a distribution group) in your on-premises AD with the name of the app, e.g. App-, mail-enable it, add some users and let it sync to Azure AD.
  • If it is an Outlook add-in you will get an additional choice of Fixed, Available or Optional deployment, depending on the requirement. Available or Optional are probably the best options.
  • Now whenever you want users to be able to use the app, you just add them to the group and it will appear for them.
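Once the group has synced and the add-in is deployed, it is worth confirming from Exchange Online PowerShell that the group really is a mail-enabled security group (the most common reason a group does not show up in the Deploy Add-in wizard), who is in it, and which add-ins are deployed organization-wide. This is an added example, not commands from the original post; it assumes an existing Connect-ExchangeOnline session, and "App-ExampleAddIn" is a placeholder for your own group name.

```powershell
# Added example, not commands from the original post. Checks the Centralized
# Deployment target group and lists org-deployed add-ins. Assumes an existing
# Connect-ExchangeOnline session; "App-ExampleAddIn" is a placeholder group name.

$groupName = "App-ExampleAddIn"

# The target must be a mail-enabled security group; a plain distribution group
# will not be offered in the Deploy Add-in wizard.
$group = Get-DistributionGroup -Identity $groupName -ErrorAction Stop
if ($group.RecipientTypeDetails -ne "MailUniversalSecurityGroup") {
    Write-Warning "$groupName is a $($group.RecipientTypeDetails), not a mail-enabled security group"
}

# Who will see the add-in: the group's current members
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress

# Add-ins deployed organization-wide, with the per-user default state chosen in
# the wizard (Fixed / Available / Optional map to DefaultStateForUser)
Get-App -OrganizationApp |
    Select-Object DisplayName, ProviderName, Enabled, DefaultStateForUser, AppId
```

Because the group is mastered on-premises, membership changes are made in AD and appear here only after the next directory sync cycle, so allow for that delay before concluding an add-in has failed to show up for a user.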