Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online
You can specify which administrators in your organization have permissions to install and manage add-ins for Outlook. You can also specify which users in your organization have permissions to install and manage add-ins for their own use.
This configuration is done by assigning or removing management roles specific to add-ins. There are five built-in roles you can use.
Administrative roles
- Org Marketplace Apps: Enables an administrator to install and manage add-ins that are available from the Office Store for their organization.
- Org Custom Apps: Enables an administrator to install and manage custom add-ins for their organization.
By default, all administrators who are in the Organization Management role group have both these administrative roles enabled.
Note
For a list of admins who can install apps from the Integrated Apps page, see Who can access Integrated Apps.
User roles
- My Marketplace Apps: Enables a user to install and manage Office Store add-ins for their own use.
- My Custom Apps: Enables a user to install and manage custom add-ins for their own use.
- My ReadWriteMailbox Apps: Enables a user to install and manage add-ins that request the
ReadWriteMailbox
permission level in their manifest.
By default, all end users have all of these user roles enabled.
Note
If you're testing Outlook add-ins and none are showing up, then as a first troubleshooting step, use the Get-OrganizationConfig
PowerShell cmdlet to query the AppsForOfficeEnabled parameter. If the query returns a value of False, set this parameter to True using the Set-OrganizationConfig
cmdlet; then the add-ins should appear as expected.
We don't recommend that the AppsForOfficeEnabled parameter be set to False. A value of False overrides all the Administrative and User role settings and prevent any new apps from being activated by any user in the organization.
For information about add-ins, see Add-ins for Outlook.
What do you need to know before you begin?
Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this article, you may not have access to some parameters if they're not included in the permissions assigned to you. For information on the permissions you need, see the "Role assignments" entry in the Feature permissions in Exchange Online article.
Access to the Office Store isn't supported for mailboxes or organizations in specific regions. If you don't see Add from the Office Store as an option in the Exchange admin center (EAC) under Organization > Add-ins > New , you may be able to install an add-in for Outlook from a URL or file location. For more information, contact your service provider.
Note
URLs with redirections aren't supported in Exchange Server 2016, Exchange Server 2019, and Exchange Online. Use a direct URL to the manifest.
For information about keyboard shortcuts that may apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center.
Assign administrators the permissions required to install and manage add-ins for your organization
Use the EAC to assign permissions to administrators
You can use the EAC to assign administrators the permissions required to install and manage add-ins that are available from the Office Store for your organization.
Sign in to EAC with an account that's assigned the Role Management role. This role is assigned to the Organization Management role group by default.
Go to Roles > Admin Roles.
Select an existing group or create a new one.
If you're modifying an existing role, go to the existing role's details page and select the Permissions tab, add the permissions required to install and manage add-ins, and then select Save. If you are creating a new group, follow the wizard.
For detailed information about how to do this, see Manage role groups in Exchange Online.
Assign users the permissions required to install and manage add-ins for their own use
Use the EAC to assign permissions to users
You can use the EAC to assign users the permissions required to view and modify custom add-ins for their own use.
Sign in to EAC with an account that's assigned the Role Management role. This role is assigned to the Organization Management role group by default.
Go to Roles > User Roles.
Select an existing role assignment policy or create a new one.
Select New role assignment policy and update the following sections: - Set up the basics: Type a name for the policy if you are creating a new one. - Add permissions
- Contact information
- Profile information
- Distribution groups
- Distribution group memberships
- Other roles (Select some or all of the roles: My Custom Apps, My MarketPlace Apps, and My ReadWriteMailbox Apps.)
Select Next. The Review role assignment policy and finish page appears.
Select Create.
Note
Select Create only if you are okay with the configured settings that are displayed on the Review role assignment policy and finish page. After reviewing the settings, if you want to edit the settings, select Back to navigate to the settings page, make the edits, select Next, and then select Create on the Review role assignment policy and finish page.
The Status page appears, displaying a notification message that the role assignment policy has been successfully created.
Select Done.
For detailed information about how to do manage role groups, see Manage role groups in Exchange Online.
Prevent add-in downloads by turning off the Office Store across Outlook
The following steps ensure that all end users with the default policy will no longer be able to install or manage Add-ins for Outlook.
Sign in to the EAC with an account that's assigned the Role Management role. This role is assigned to the Organization Management role group by default.
Go to Roles > User Roles.
Double-click Default Role with Add-Ins Management to open the Edit window.
Select Manage permissions under Permissions. The Default Role Assignment Policy page appears.
Modify Default Role Assignment Policy by deselecting My Custom Apps, My MarketPlace Apps, and My ReadWriteMailbox Apps under Other roles.
Select Save changes.
Note
If a user is assigned a single admin role (for example, Security Reader), removing the user roles My Custom Apps, My MarketPlace Apps, and My ReadWriteMailbox Apps won't prevent add-in downloads for the user. Our recommenddation is to have separate accounts for admin privileges and end-user day-to-day use.
How do you know this worked?
To verify that you've successfully assigned permissions for a user, replace <Role Name> with the name of the role to verify, and run the following command in Exchange Online PowerShell:
Get-ManagementRoleAssignment -Role "<Role Name>" -GetEffectiveUsers
The following example shows you how to verify whom you've assigned permissions to install add-ins from the Office Store for the organization:
Get-ManagementRoleAssignment -Role "Org Marketplace Apps" -GetEffectiveUsers
In the results, review the entries in the Effective Users column.
For detailed syntax and parameter information, see Get-ManagementRoleAssignment.