If you are using Office 365 Hosted Exchange in your company, you will likely want to control which add-ins your users have access to. Typically, an administrator will want to add an add-in under SERVICES & ADD-INS (causing the add-in to install nearly instantly in OWA and Outlook) but also ensure that standard users cannot install any other add-ins by themselves.

Unfortunately it is not as simple as you might think.

The Way You Think You Would Block Outlook Add-Ins

It appears from the O365 Administrator Console that you can simply:

  1. Click SETTINGS
  2. SERVICES & ADD-INS
  3. USER OWNED APPS AND SERVICES
  4. Uncheck LET USERS ACCESS THE OFFICE STORE
  5. Uncheck LET USERS INSTALL TRIAL APPS AND SERVICES
  6. SAVE CHANGES

What those settings do is block access to a website that contains Outlook add-ins. They do NOT disable the GET ADD-INS button in Outlook or block access to GET ADD-INS in Outlook Web App (OWA).

The Way To Actually Block Outlook Add-Ins

After working with Ajij from Microsoft support for three weeks a solution was found.

To disable GET ADD-INS in Outlook Web App (OWA):

  1. Log in to https://portal.azure.com
  2. Click AZURE ACTIVE DIRECTORY
  3. Click USER SETTINGS
  4. Set APP REGISTRATION to NO

The tool tip says:

If this option is set to yes, then non-admin users may register custom-developed applications for use within this directory.
If this option is set to no, then only users with an administrator role may register these types of applications.


We have confirmed that with APP REGISTRATION set to NO, both the old (current) and new Outlook Web App still show the GET ADD-INS option, but the actual installs are blocked. Users will see a message that reads:

Access is denied. Please contact your administrator.

It also appears to disable the GET ADD-INS button in Outlook.

We say “appears” because we also use a GPO to push a registry entry that hides the GET ADD-INS button completely:

  1. USER CONFIGURATION
  2. PREFERENCES
  3. WINDOWS SETTINGS
  4. In REGISTRY, right click and select NEW
  5. Set ACTION to UPDATE
  6. HIVE to HKCU
  7. KEY PATH to Software\Microsoft\Office\16.0\Outlook\Options\Webex
  8. VALUE NAME to StoreButtonInRibbonHomeTabAllowed
  9. VALUE TYPE to REG_DWORD
  10. VALUE DATA to 0 (that is a zero)
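
To confirm on a workstation that the GPO preference above actually landed for the logged-on user, the PowerShell function below checks that the value exists with the right type and data, and writes it when called with -Fix. It is an added example, not part of the original article; the function name Test-StoreButtonPolicy and the state labels are assumptions, while the key path and value name are the ones listed in the steps above.

```powershell
# Added example: audit (and optionally enforce) the HKCU value from the GPO steps above.
# Key path and value name are copied from this article; the function name is hypothetical.
function Test-StoreButtonPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Webex',
        [string]$ValueName = 'StoreButtonInRibbonHomeTabAllowed',
        [switch]$Fix
    )

    # Work out why the setting is not in effect, not just whether it is.
    $state = 'Compliant'
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $state = 'KeyMissing'
    }
    else {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -notcontains $ValueName) {
            $state = 'ValueMissing'
        }
        elseif ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state = 'WrongType'       # e.g. pushed as REG_SZ "0" by mistake
        }
        elseif ($key.GetValue($ValueName) -ne 0) {
            $state = 'ButtonAllowed'   # value present but not zero
        }
    }

    if ($Fix -and $state -ne 'Compliant') {
        if ($state -eq 'KeyMissing') { New-Item -Path $KeyPath -Force | Out-Null }
        # -Force replaces a value of the wrong type, matching the GPO "Update" action.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
        $state = "Fixed (was $state)"
    }

    [pscustomobject]@{
        User  = "$env:USERDOMAIN\$env:USERNAME"
        Key   = $KeyPath
        Value = $ValueName
        State = $state
    }
}

# Report only; add -Fix to write the value for the current user.
Test-StoreButtonPolicy
```

Because the value lives in HKCU, run it in the user's own session (for example from a logon script) rather than from an elevated admin account.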



5 Comments

Peter Holdridge · May 18, 2022 at 11:53 am

Users are still able to sign up for a 3rd party service that doesn’t require Azure AD login to work (i.e. Jira). Data can be sent from email to this Add-In’s service and there is no way to control it from M365. They have to remove the “get-addins” option in OWA or this will not be completely solved.

AlexN · November 10, 2020 at 9:29 am

Well, I have your exact issue, Ian, but the App registration is ticked to yes… I have been working on this for far too long with Microsoft and no end in sight

Joel Bwana · October 7, 2020 at 3:32 pm

With Get Add-in disabled, the App registration set to NO, users can still install Outlook add-ins by going to File>Manage Add-ins. This is such a frustrating design by Microsoft.

Reinesis · July 29, 2020 at 6:38 am

Hi folks!
I’d like to clarify a tiny detail: while unchecking “Access Office Store” and “Install Trial Apps and Services” doesn’t hide “Get Add-ins” button, how would it look if the user clicked it anyway?

I have a customer who has “Add a custom add-in” link missing from “Get Add-ins” menu and I have no access to their O365 console (obvs). I’d simply like to reconfirm that this is exactly what they’re experiencing and send them to their Office admins for further discussion. I sort of guess that the case might exactly be this.

Thanks!
