Information
By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.
Do not allow users to install add-ins in Word, Excel, or PowerPoint.
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.
While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.
Disable future user's ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat-surface and mitigate this risk.
Solution
To remediate using the UI:
- Navigate to Microsoft 365 admin center
https://admin.microsoft.com
.
- Click to expand Settings > Org settings
- In Services select User owned apps and services
- Uncheck Let users access the Office Store and Let users start trials on behalf of your organization
- Click Save
To remediate using PowerShell
- Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"
- Run the following Microsoft Graph PowerShell commands:
$uri = "https://graph.microsoft.com/beta/admin/appsAndServices"
$body = @{
"Settings" = @{
"isAppAndServicesTrialEnabled" = $false
"isOfficeStoreEnabled" = $false
}
} | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
Impact:
Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.