SOLVED: How To Block Users From Installing Add-Ins In Outlook & OWA on Office 365 Hosted Exchange

If you are using Office 365 Hosted Exchange in your company, you will likely want to control which add-ins your users have access to. Typically, an administrator will want to add an add-in under SERVICES & ADD-INS (causing the add-in to install nearly instantly in OWA and Outlook) but also ensure that standard users cannot install any other add-ins by themselves.

Unfortunately it is not as simple as you might think.

The Way You Think You Would Block Outlook Add-Ins

It appears from the O365 Administrator Console that you can simply:

  1. Click SETTINGS
  2. SERVICES & ADD-INS
  3. USER OWNED APPS AND SERVICES
  4. uncheck LET USERS ACCESS THE OFFICE STORE
  5. uncheck LET USERS INSTALL TRIAL APPS AND SERVICES
  6. SAVE CHANGES

What those settings do is block access to a website that contains Outlook Add-Ins. They do NOT disable the GET ADD-INS button in Outlook or block access to GET ADD-INS in OWA (Outlook Web App).

The Way To Actually Block Outlook Add-Ins

After working with Ajij from Microsoft support for three weeks, a solution was found.

To disable GET ADD-INS in Outlook Web App (OWA):

  1. Log in to https://portal.azure.com
  2. Click AZURE ACTIVE DIRECTORY
  3. Click USER SETTINGS
  4. Set APP REGISTRATION to NO

The tool tip says:

If this option is set to yes, then non-admin users may register custom-developed applications for use within this directory.
If this option is set to no, then only users with an administrator role may register these types of applications.


We have confirmed that, with APP REGISTRATION set to NO, both the old (current) and new Outlook Web App will still show the GET ADD-INS option, but the actual installs will be blocked. Users will see a message that reads:

Access is denied. Please contact your administrator.

It also appears to disable the GET ADD-INS button in Outlook.

We say “appears” because we also use a GPO to push a registry entry that hides the GET ADD-INS button completely:

  1. USER CONFIGURATION
  2. PREFERENCES
  3. WINDOWS SETTINGS
  4. In REGISTRY, right click and select NEW
  5. Set ACTION to UPDATE
  6. Set HIVE to HKCU
  7. Set KEY PATH to Software\Microsoft\Office\16.0\Outlook\Options\Webex
  8. Set VALUE NAME to StoreButtonInRibbonHomeTabAllowed
  9. Set VALUE TYPE to REG_DWORD
  10. Set VALUE DATA to 0 (that is a zero)
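
To confirm the GPO preference item actually landed for a given user, the following added example (not part of the original article) reads the value back and reports whether it is a DWORD set to 0. The function name `Test-OutlookStoreButtonPolicy` is hypothetical; the key path and value name are copied as written in the steps above. Because the hive is HKCU, run it in the session of the user being checked.

```powershell
# Added example: audit (and optionally set) the value pushed by the GPO preference item.
# Key path and value name are taken verbatim from the steps on this page.
function Test-OutlookStoreButtonPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Webex',
        [string]$ValueName = 'StoreButtonInRibbonHomeTabAllowed',
        [switch]$Remediate
    )

    $state  = 'Missing'   # key or value not present: the preference item never applied
    $actual = $null

    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $ValueName) {
            $actual = $key.GetValue($ValueName)
            $kind   = $key.GetValueKind($ValueName)
            # Compliant only when it is a DWORD holding 0 (steps 9 and 10).
            if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $actual -eq 0) {
                $state = 'Compliant'
            } else {
                $state = 'NonCompliant'
            }
        }
    }

    if ($Remediate -and $state -ne 'Compliant') {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null   # creates missing parent keys too
        }
        # -Type DWord corrects a wrong value type as well as a wrong number.
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        $state  = 'Remediated'
        $actual = 0
    }

    [pscustomobject]@{
        User      = "$env:USERDOMAIN\$env:USERNAME"
        KeyPath   = $KeyPath
        ValueName = $ValueName
        Value     = $actual
        State     = $state
    }
}

Test-OutlookStoreButtonPolicy
```

A `Missing` or `NonCompliant` result on a machine where the GPO should apply points at GPO scoping or a user who has changed the value; `-Remediate` writes the value directly for a one-off fix.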
