Recently at a customer they were rolling out Office 2016 ProPlus to their early adopters. This was a significant change for the business and somewhat an experimental process. Their Information Security team had a problem with the Add-ins function within the Office applications and requested that we find a way to block Office from accessing the Office Store.
The Office store isn’t curated by Microsoft solely, so their concerns were valid and what potential risks to information could a unsolicited add-in cause.
To block the office store is harder than I first thought. There are blog posts out there that cover blocking, but they are single use cases, not a complete block as I found. So this post will cover all 4 steps you need to take to successfully block the office store.
Step 1 – Remove Office Store link from the App Launcher
In the Office 365 Portal, expand the Settings menu and click on Services and Add-ins
Next, scroll down to find the Office Store Service
Change the default value from On to Off and press save
This now removes the Store from the App Launcher
Step 2 – Block Office 2016 ProPlus from Accessing the Office Store
You can do this by using the Office Customisation Tool (OCT) when creating your deployment package, or by using the Office 2016 ADMX Group Policy template. This is well documented here: https://technet.microsoft.com/en-us/library/cc178992.aspx
Implementing this will stop the Office package from browsing the Office Store.
Step 3 – Blocking Access to the Store from Office Online
This one is something that I spent quite a bit of time on. Even with the above steps completed, if users go to Word, Excel, PowerPoint Online they are able to still browse the Office Store and add add-ins even with these settings applied. I couldn’t find a way to block this initially within the tenant, I even checked Azure AD Applications for Office Store and there was nothing in there that suggested this could be turned off. However, i found that there is a setting in Office 365 that will prevent this.
As you would logically think (sarc), this setting is located in SharePoint Admin Portal, so open this then click on Apps, and then Configure Store Settings
Then Select No to Should Apps for Office from the store be able to start when documents are opened in the browser, and press save
Now when Word, Excel, PowerPoint Online open and you try and browse the Office Store you get this
Step 4 – Block Access to https://store.office.com
So Even with these settings applied, users can still go to store.office.com browse the store, sign in and add an add-in to Office 2016 and Office Online… sigh. So you need to add this URL to your web blocking solution. But there is more, what if you have remote working and users are not connected to corpnet? The only dirty way I have found to prevent this is to edit the HOSTS file on the machine that sends requests to store.office.com to an IP address of 0.0.0.0 or the IP of a web page that tells them access is blocked.