2.8 Ensure users installing Outlook add-ins is not allowed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online

By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

Rationale:

Attackers exploit vulnerable or custom add-ins to access user data. Disabling user-installed add-ins in Microsoft Outlook reduces this threat surface.

Impact:

Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To prohibit users installing Outlook add-ins:

Navigate to Exchange admin center https://admin.exchange.microsoft.com.

Click on the Classic Exchange admin center at the bottom.

Select permissions.

Select user roles.

Double click Default Role Assignment to open it and UnCheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.

Click Save.

To create a new default Role Assignment Policy using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following command:

$policy = 'Role Assignment Policy - Prevent Add-ins'
# End-user roles the new policy keeps. The three add-in roles (My Custom Apps,
# My Marketplace Apps, My ReadWriteMailboxApps) are deliberately left out.
$roles = @(
    'MyTextMessaging', 'MyDistributionGroups',
    'MyMailSubscriptions', 'MyBaseOptions', 'MyVoiceMail',
    'MyProfileInformation', 'MyContactInformation', 'MyRetentionPolicies',
    'MyDistributionGroupMembership'
)

New-RoleAssignmentPolicy -Name $policy -Roles $roles
Set-RoleAssignmentPolicy -Identity $policy -IsDefault

# Assign the new policy to all existing mailboxes (the default only applies to new ones)
Get-EXOMailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $policy

If you have other Role Assignment Policies, modify the last line to filter out the mailboxes that use your custom policies.
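Because the audit note above says Nessus does not perform this check, the following verification script is added here as an example; it is not part of the CIS benchmark or the Tenable audit. It lists every role assignment policy in the tenant, flags those that still grant the three add-in roles, and counts how many mailboxes each policy is assigned to, so you can see where the remediation above has not yet been applied. It assumes an Exchange Online session already opened with Connect-ExchangeOnline; the role names used are the display names shown in the Exchange admin center.

```powershell
# Added verification script (not from the CIS benchmark or the Tenable audit page):
# report every role assignment policy that still grants the add-in roles and
# how many mailboxes use it. Assumes Connect-ExchangeOnline has already been run.

$addInRoles = 'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailboxApps'

# RoleAssignmentPolicy is not in the minimal Get-EXOMailbox property set, so request it.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties RoleAssignmentPolicy
$usage = @{}
foreach ($mbx in $mailboxes) {
    $name = [string]$mbx.RoleAssignmentPolicy
    if ($name) { $usage[$name] = 1 + [int]$usage[$name] }
}

$findings = foreach ($policy in Get-RoleAssignmentPolicy) {
    # A role assignment policy is the role assignee of its management role assignments.
    $granted = Get-ManagementRoleAssignment -RoleAssignee $policy.Name |
        ForEach-Object { [string]$_.Role }
    $offending = @($addInRoles | Where-Object { $granted -contains $_ })

    [pscustomobject]@{
        Policy       = $policy.Name
        IsDefault    = [bool]$policy.IsDefault
        AddInRoles   = ($offending -join ', ')
        MailboxCount = [int]$usage[$policy.Name]   # missing key yields 0
        Compliant    = ($offending.Count -eq 0)
    }
}

# Non-compliant policies first, the most widely used at the top.
$findings |
    Sort-Object Compliant, @{ Expression = 'MailboxCount'; Descending = $true } |
    Format-Table -AutoSize

# Exit 1 only when a non-compliant policy is the default or is assigned to a mailbox,
# so the script can gate a scheduled compliance job.
$inUse = $findings | Where-Object {
    -not $_.Compliant -and ($_.IsDefault -or $_.MailboxCount -gt 0)
}
if ($inUse) { exit 1 }
```

The MailboxCount column doubles as the filter mentioned above: when reassigning mailboxes after creating the new policy, you can limit Set-Mailbox to the mailboxes whose current RoleAssignmentPolicy appears in the non-compliant rows instead of touching every mailbox in the tenant.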

Default Value:

UI - My Custom Apps is Checked, My Marketplace Apps is Checked, and My ReadWriteMailboxApps is Checked

PowerShell - My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps are Present

See Also

https://workbench.cisecurity.org/benchmarks/10751