Manage deployment of Office 365 add-ins in the Office 365 admin center
Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in). As an Office 365 admin, you can deploy Office add-ins for the users in your organization. You can do this using the Centralized Deployment feature in the Office 365 admin center.
Centralized Deployment is the recommended and most feature-rich way for most admins to deploy add-ins to users and groups within an organization. For more information on how to determine if your organization can support Centralized Deployment, see Determine if Centralized Deployment of add-ins works for your Office 365 organization.
Centralized Deployment provides the following benefits:
A Global admin can assign an add-in directly to a user, to multiple users via a group, or to everyone in the tenant.
When the relevant Office application starts, the add-in automatically downloads for the user. If the add-in supports add-in commands, the add-in automatically appears in the Ribbon within the Office application.
Add-ins will no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.
For Word, Excel and PowerPoint use a SharePoint App Catalog to deploy add-ins to users in an on-premises environment with no connection to Office 365 and/or support for SharePoint add-ins required. > For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Office 365. >
Recommended approach for deploying Office add-ins
Consider rolling out add-ins in a phased approach to help ensure your add-in deployment goes smoothly. We recommend the following plan:
Roll-out the add-in to a small set of business stakeholders and members of the IT department. Evaluate if the deployment was successful, and if so, move on to step 2.
Roll-out to a larger set of individuals within the business who will be using the add-in. Again, evaluate results and, if all went well, go to the next step of a full deployment.
Full rollout to target audience of users.
Depending on the size of the target audience, you may want to add or remove roll-out steps.
Deploy an Office add-in using the Office 365 admin center
Before you begin, see Determine if Centralized Deployment of add-ins works for your Office 365 organization.
For Single Sign-In add-ins the users and groups assigned will also be shared with add-ins that share the same Azure App ID. Any changes to user assignments will also apply to those add-ins. The related add-ins will be shown on this page.
When the Global admin clicks Save, consent is written for all users in the tenant, not just those that the add-in has been assigned to.
Where to sign in to Office 365 for business with your work or school account.
Select the app launcher icon in the upper-left, and choose Admin.
TIP: Admin appears only to Office 365 admins.
In the navigation menu, choose Settings > Services & add-ins.
If you see a message on the top of the page announcing the new Office 365 admin center, click the message to go to the Admin Center Preview (see About the Office 365 admin center).
Choose Upload Add-in at the top of the page.
Choose from one of the following options on the Centralized Deployment page:
I want to add an Add-in from the Office Store
I have the manifest file (.xml) on this device: For this option, select Browse to locate the manifest file (.xml) that you want to use.
I have a URL for the manifest file: For this option, type the URL in the field provided.
If you selected the option to add an add-in from the Office Store, you can now make your add-in selection in Select an Add-in. Notice that you can view available add-ins via categories of Suggested for you, Rating, or Name. Only free add-ins are available to add from the Office Store. Paid add-ins aren't supported currently.
NOTE: With the Office Store option, updates and enhancements to the add-in will automatically be made available to users without your intervention.
The add-in is now enabled. On the page for the add-in, its status is On, like that shown for the Power BI Tiles add-in in the screenshot below. In Who has access, select Edit to specify who the add-in is deployed to.
By default, the add-in can't be deployed to anyone until you identify people or groups.
Learn about the other states that apply to an add-in. See Add-in states later in this topic.
On the Edit who has access page, select either Everyone or Specific Users/Groups. Use the Search box to find the users or groups who you want to deploy the add-in to.
For Single Sign-In add-ins only:
This page will display the list of Graph scopes that the add-in requires in order to function.
- When finished, choose Save, review the add-in settings, and then select Close.
You now see your add-in along with other apps in Office 365.
It's a good idea to inform the users and groups who you deployed the add-in to so that they know that it's available. Consider sending an email to them that describes when and how to use the add-in and explains how the add-in can help them do their job better. Include or link to relevant Help content or FAQs that might help if users have any problems with the add-in.
Considerations when assigning an add-in to users and groups
Admins can assign an add-in to everyone or to specific users and groups. Each option has implications:
Everyone: As the name implies, this option assigns the add-in to every user in the tenant. Use this option sparingly and only for add-ins that are truly universal to your organization.
Users: If you assign an add-in to an individual user, then to deploy the add-in to a new user, you will need to first add that user. The same goes for removing users.
Groups: If you assign an add-in to a group, users who are added to the group will automatically be assigned the add-in. And, when a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from you as the admin.
The option that is right for your organization depends on your configuration. However, we recommend making assignments via groups. As an admin, you might find it easier to manage add-ins using groups and control the membership of those groups rather than having to change the users assigned each time. On the other hand, in some situations, you may want to restrict access to a very small set of users and therefore make assignments to specific users. As a result, you will need to manage the assigned users manually.
The following table describes the states that apply to an add-in.
|State||How the state occurs||Impact|
||Admin uploaded the add-in and assigned it to users or groups.
||Users and groups assigned to the add-in see it in the relevant clients.
||Admin turned off the add-in.
||Users and groups assigned to the add-in no longer have access to it.
If the add-in state is changed to Active, the users and groups will have access to it again.
||Admin deleted the add-in.
||Users and groups assigned the add-in no longer have access to it.
Consider deleting an add-in if no one is using it any more. Turning off an add-in may make sense if an add-in is used only during specific times of the year.
Security of Office add-ins
Office add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:
Read a user's document to provide contextual services.
Read and write data to and from a user's document to provide value to that user.
For more information about the types and capabilities of Office add-ins, see Office Add-ins platform overview, especially the section "Anatomy of an Office Add-in."
When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.
Updates for add-ins happen as follows:
Line-of-business add-in: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
Office Store add-in: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
Prevent add-in downloads by turning off the Office Store across all clients
As an organization you may wish to prevent the download of new Office add-ins from the Office Store. This can be used in conjunction with Centralized Deployment to ensure that only organization-approved add-ins are deployed to users within your organization.
To turn off add-in acquisition:
Go to the Office 365 admin center.
Click Settings > Services & add-ins.
Click Office Store.
Click the toggle next to Let people in your organization go to the Office Store so that it's in the Off position.
This will prevent all users from acquiring the following add-ins from the store.
Add-ins for Word, Excel, and PowerPoint 2016 from:
Acquisitions starting within AppSource
Add-ins within Office 365
A user who tries to access the store will see the following message: Sorry, Office 365 has been configured to prevent individual acquisition of Office Store add-ins.
Support for turning off the Office Store is available in the following versions:
Windows: 16.0.9001 - Currently available in monthly channel. Available in semi-annual release in July 2018.
Mac: 16.10.18011401 - Currently available.
iOS: 2.9.18010804 - Currently available.
Office Online - Currently available.
This does not prevent an administrator from using Centralized Deployment to assign an add-in from the Office Store.
To prevent a user from signing in with a Microsoft account, you can restrict logon to use only the organizational account. For more information, look here.
Outlook add-in installation is managed by a different process.
Minors and acquiring add-ins from the Store
The General Data Protection Regulation (GDPR) is a European Union regulation that becomes effective May 25, 2018. It gives users rights to and protection of their data. One of the aspects of the GDPR is that minors cannot have their personal data sent to parties that their parent or guardian hasn't approved. The specific age defined as a minor depends on the region where the individual is located.
Regions that have statutory regulations about parental consent include the United States, South Korea, the United Kingdom, and the European Union. For those regions, a minor will be blocked (via Azure Active Directory) from getting any new Office add-ins from the Store and running add-ins that were previously acquired. For countries without statutory regulations, there will be no download restrictions.
A user is determined to be a minor based on data specified in Azure Active Directory. The tenant admin is responsible for declaring the legal age group and the parental consent for that user.
If the parent/guardian consents to a minor using a specific add-In, then the tenant admin can use centralized deployment to deploy that add-In to all minors who have consent.
To be GDPR compliant for minors you need to ensure that one of following builds of Office is deployed in your school/organization.
For Word, Excel, PowerPoint, and Project:
|Office 2016 ProPlus Monthly for Windows
|Office 2016 ProPlus Semi-Annual
|Office 2016 for Windows
|Office 2013 for Windows
|Office 2016 for Mac
|Office 2016 for iOS
|Outlook 2016 for Windows (MSI)
||Build No TBD
|Outlook 2016 for Windows (C2R)
|Office 2016 for Mac
|Outlook mobile for iOS
|Outlook mobile for Android
Office 2013 requirements
Word, Excel, and PowerPoint 2013 for Windows will support the same minor checks if Active Directory Authentication Library (ADAL) is enabled. There are two options for compliance, as explained next.
Enable ADAL. This article explains how to enable ADAL for Office 2013: Using Office 365 modern authentication with Office clients.
You also need to set the registry keys to enable ADAL as explained in Enable Modern Authentication for Office 2013 on Windows devices.
Additionally, you need to install the following April updates for Office 2013:
Don't enable ADAL. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the office clients. Information on how to turn off the app for Office settings is located here.
End user experience with add-ins
Now that you've deployed the add-in, your end users can start using it in their Office applications (see Start using your Office Add-in). The add-in will appear on all platforms that the add-in supports.
If the add-in supports add-in commands, the commands appear on the Office ribbon. In the following example, the command Search Citation appears for the Citations add-in.
If the deployed add-in doesn't support add-in commands or if you want to view all deployed add-ins, you can view them via My Add-ins.
In Word 2016, Excel 2016, or PowerPoint 2016
Choose Insert > My Add-ins.
Select the Admin Managed tab in the Office Add-ins window.
Double-click the add-in you deployed earlier (in this example, Citations ).
On the Home ribbon, choose Store.
Choose My add-ins in the left nav.
Look for an add-in that has a status set to Installed by your administrator.
Learn more about creating and building Office Add-ins.