Questions regarding Outlook Add-in validation with local endpoint

Question

Questions regarding Outlook Add-in validation with local endpoint

rubiks cube 0

Hello,

I’m currently working on an Outlook add-in with a manifest in JSON format that needs to access information available only on the local endpoint. Using a hosted server is not possible in this scenario. I have several technical questions regarding the Microsoft 365 add-in validation process:

1. Local-only architecture

Is it possible to develop and validate an Outlook add-in that relies exclusively on a local server running on the endpoint (localhost)?

2. Use of localhost in the manifest

In the case of a local-only architecture, the add-in manifest references localhost URLs. Is this supported during the validation process?

3. Desktop-only Outlook add-in

Are there any rules or restrictions that would prevent developing an add-in compatible only with the Outlook desktop client?
A web version is unfortunately not feasible in this case, as it would not be able to communicate with a local server running on the endpoint.

4. HTTPS requirement for localhost

Given that the manifest references localhost, there is no strong functional need to use HTTPS in this context. Is HTTPS still a strict requirement for add-in validation, even when all communications are strictly local?

2 answers

Your answer

Answer 1

Hi @rubiks cube

Thank you for reaching out to Microsoft Q&A forum.

Based on the information you provided, I understand that you are developing an Outlook add-in (JSON manifest) that needs to communicate exclusively with a local endpoint running on the user’s machine, and using a hosted external server is not an option. You would like clarification on how this impacts Microsoft 365 add-in validation and Marketplace/AppSource submission.

After researching the topic, here are the relevant findings for each of your questions:

1. Local-only architecture (localhost server)

Yes, it is technically possible to develop and run an Outlook add-in that relies on a local server (localhost), particularly during development, testing, or internal deployment scenarios.

However, for Marketplace/AppSource validation, this architecture is generally not supported. Certification policies require add-ins to function reliably across supported Outlook platforms (web, desktop, and mobile where applicable). A purely local architecture cannot function in Outlook on the web or mobile environments, because those environments are sandboxed and cannot access the client machine’s localhost. Additionally, the validation process applies stricter review rules than development tooling. Add-ins submitted to the Store must host their web assets on a server that is accessible over the network (public internet or approved internal infrastructure). Resources restricted to localhost-only environments are not acceptable for public certification.

2. Use of localhost in the manifest

Using localhost URLs in the manifest is supported during local development and testing. For example, basic validation steps such as npm run validate (from the Yeoman generator) may not block localhost references because those tools are designed to support development scenarios.

However, during full Marketplace/AppSource validation, localhost references are typically rejected. The certification reviewers cannot access localhost endpoints on a developer’s machine, which causes validation failures. Therefore, while localhost is acceptable for development, it is not suitable for production submission.

3. Desktop-only Outlook add-in

Microsoft’s validation policies generally require that an add-in works across all Outlook platforms that support the APIs it uses. If an add-in cannot support certain platforms (such as Outlook on the web), this must be clearly defined in the manifest and communicated to users.

That said, building an add-in intended specifically for the Outlook desktop client is technically valid. Desktop-only scenarios are acceptable within policy boundaries, particularly when architectural limitations (such as required communication with a local endpoint) make web support infeasible.

4. HTTPS requirement (even for localhost)

HTTPS is a mandatory requirement for add-ins during both runtime and certification, even if all communications occur locally. Microsoft’s certification policies require HTTPS (TLS 1.2 or higher) for all add-in resources and APIs, without exception, even for localhost scenarios. During development, you can use a self-signed certificate to enable HTTPS locally and avoid mixed content or security warnings. For Marketplace submission, HTTPS is strictly enforced as part of the security validation checks.

You may refer the following documents:

Office Add-ins manifest

Validate an Office Add-in's manifest

I hope this information helps clarify the validation requirements.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Michelle-N 13,175 Reputation points Microsoft External Staff Moderator

2026-02-12T09:11:02.6333333+00:00

Hello @rubiks cube

Have you checked the provided answer?

Any update would be great.
rubiks cube 0 Reputation points

2026-02-16T13:56:45.5666667+00:00

Hi @Michelle-n,

Thank you for your detailed response.

To make sure I correctly understand the certification implications:

If an Outlook add-in depends on a localhost service and references localhost URLs in its manifest, does this automatically make it ineligible for Marketplace/AppSource certification. Even if the add-in is explicitly restricted to Outlook Desktop only?

I am not questioning the technical feasibility. I just need confirmation on whether this architecture can or cannot be certified for Marketplace.

Additionally, you mentioned that such architectures are possible in “internal deployment scenarios”. Could you clarify what that means in contrast to Marketplace certification?

Thank you for your clarification.
Michelle-N 13,175 Reputation points Microsoft External Staff Moderator

2026-02-25T09:27:09.9866667+00:00

Hi @rubiks cube

Thank you for your patience and for the updates.

If an Outlook add-in depends on a service running on localhost and references localhost URLs in its manifest, it will not be eligible for certification and publication in the Microsoft Marketplace/AppSource. The certification process requires cross-platform compatibility, and the Marketplace is unlikely to accept a “desktop-only” exception for an architecture that is not platform-compatible.

That said, this type of architecture can still be feasible in internal deployment scenarios. For example, you can deploy the add-in within a single tenant or sideload the manifest directly. In these cases, the IT department can control the user environment, local service installation, HTTPS certificates, and endpoint configuration without requiring Marketplace certification.

However, any architecture that relies on localhost endpoints will be excluded from Marketplace approval.

I hope the information I found helps clarify your scenario. Let me know if you need further details.
rubiks cube 0 Reputation points

2026-02-25T10:56:37.7366667+00:00

Hi @Michelle-N ,

Thank you for your detailed explanation, that clarifies the Marketplace constraints.

However, I would like to confirm one point: is it possible to use sideloading as a deployment method in a production environment?

Most of the documentation I’ve found about sideloading seems focused on testing scenarios. If there is any specific documentation that covers sideloading in production contexts, I would greatly appreciate it.

Thank you again for your help.
Michelle-N 13,175 Reputation points Microsoft External Staff Moderator

2026-02-25T12:13:46.7266667+00:00

Hi @rubiks cube

Thank you for your updates. After doing some research, it appears that sideloading can be used in environments with real users, but it is not considered an official production (GA) deployment model and is not recommended for large-scale or long-term production deployments.

In Microsoft Learn documentation, Upload custom app (sideloading) is described as being intended for scenarios such as testing and debugging applications, apps for personal use, and apps for a small group of users.

Regarding sideloading for production, I have not been able to find any official Microsoft documentation that explicitly addresses this scenario. If there is any official guidance released in the future, I will let you know. Thank you for your understanding.
Michelle-N 13,175 Reputation points Microsoft External Staff Moderator

2026-02-26T13:10:10.9766667+00:00

Hi @rubiks cube

Do you have any other questions? If there’s anything else, please let me know.

Answer 2

Local-only architecture: Developing and validating an Outlook add-in that relies exclusively on a local server running on the endpoint (localhost) is possible during the development phase. However, for the add-in to be published and validated through Microsoft Marketplace, it typically needs to conform to certain standards, including accessibility from various platforms.
Use of localhost in the manifest: While using localhost URLs in the manifest may work during development, it is generally not supported for validation and publishing. The add-in must be accessible over the web, which usually means using a hosted server.
Desktop-only Outlook add-in: There are no specific rules that outright prevent the development of an add-in compatible only with the Outlook desktop client. However, keep in mind that the add-in must still meet validation requirements if you intend to publish it.
HTTPS requirement for localhost: Even if the add-in communicates strictly with a local server, using HTTPS is strongly recommended and often required for validation. This is to ensure secure data transmission and to avoid unsecure content warnings during use. Therefore, it is advisable to implement HTTPS even in a local context.

References:

Share via

Questions regarding Outlook Add-in validation with local endpoint

2 answers

Your answer