If you are using Office 365 Hosted Exchange in your company, you will likely want to control which add-ins your users have access to. Typically, an administrator will want to add an ADD-IN into SERVICES & ADD-INS (causing the add-in to install nearly instantly in OWA and Outlook) but also ensure that standard users cannot install any other add-ins by themselves.
Unfortunately, it is not as simple as you might think.
The Way You Think You Would Block Outlook Add-Ins
- Click SETTINGS
- SERVICES & ADD-INS
- USER OWNED APPS AND SERVICES
- uncheck LET USERS ACCESS THE OFFICE STORE
- uncheck LET USERS INSTALL TRIAL APPS AND SERVICES
- SAVE CHANGES
What those settings do is block access to a website that contains Outlook Add-Ins. They do NOT disable the GET ADD-INS button in Outlook or block access to GET ADD-INS in Outlook Web App (OWA).
The Way To Actually Block Outlook Add-Ins
After working with Ajij from Microsoft support for three weeks, a solution was found.
To disable GET ADD-INS in Outlook Web App (OWA):
- Login to https://portal.azure.com
- Click AZURE ACTIVE DIRECTORY
- Click USER SETTINGS
- Set APP REGISTRATION to NO
The tool tip says:
If this option is set to yes, then non-admin users may register custom-developed applications for use within this directory.
If this option is set to no, then only users with an administrator role may register these types of applications.
We have confirmed that, with APP REGISTRATION set to NO, both the old (current) and new Outlook Web App will still show the GET ADD-INS options, but the actual installs will be blocked. Users will see a message that reads:
Access is denied. Please contact your administrator.
It also appears to disable the GET ADD-INS button in Outlook.
We say “appears” because we also use a GPO to push a registry entry that hides the GET ADD-INS button completely:
- USER CONFIGURATION
- WINDOWS SETTINGS
- In REGISTRY, right click and select NEW
- set ACTION to UPDATE
- HIVE to HKCU
- KEY PATH to
- VALUE NAME to
- VALUE TYPE to REG_DWORD
- VALUE DATA to 0 (that is a zero)