Ensure users installing Outlook add-ins is not allowed
Description
Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online. By default, users can install add-ins in their Microsoft Outlook desktop client, allowing data access within the client application.
Rationale
Attackers exploit vulnerable or custom add-ins to access user data. Disabling user-installed add-ins in Microsoft Outlook reduces this threat surface.
How to fix
- Navigate to Exchange Admin Center
- Click to expand Roles and select User roles in the navigation pane.
- Select Default Role Assignment Policy.
- In the properties pane on the right, click Manage permissions.
- Under Other roles, uncheck the following:
  - My Custom Apps
  - My Marketplace Apps
  - My ReadWriteMailboxApps
- Click Save changes.
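The same check and fix can be scripted so it is repeatable across tenants and auditable. The script below is an added example, not part of this control page or of any Microsoft tooling; it assumes the ExchangeOnlineManagement module is installed and that the account used can manage role assignments. It lists the add-in roles still granted by the Default Role Assignment Policy and, only when `-Remediate` is passed, removes them; otherwise `Remove-ManagementRoleAssignment` runs with `-WhatIf` so nothing changes. The `$PolicyName` and `$Remediate` parameters and the wildcard on the third role name are this example's own choices (the wildcard covers both "My ReadWriteMailbox Apps" and "My ReadWriteMailboxApps", as the role name is written differently in different Exchange interfaces).

```powershell
# Added example (not from the control page): audit and, optionally, remediate the
# Default Role Assignment Policy in Exchange Online PowerShell instead of the EAC.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# can manage role assignments. Without -Remediate, removals run as a -WhatIf dry run.
param(
    [switch]$Remediate,
    [string]$PolicyName = "Default Role Assignment Policy"   # assumed default; override for other policies
)

Connect-ExchangeOnline -ShowBanner:$false

# The three end-user add-in roles this control removes. The wildcard on the last entry
# matches both "My ReadWriteMailbox Apps" and "My ReadWriteMailboxApps".
$addInRoles = @("My Custom Apps", "My Marketplace Apps", "My ReadWriteMailbox*Apps")

# All role assignments granted to the policy, then only those matching an add-in role.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $PolicyName
$offending = $assignments | Where-Object {
    $role = $_.Role
    $addInRoles | Where-Object { $role -like $_ }
}

if (-not $offending) {
    Write-Output "PASS: '$PolicyName' grants none of the Outlook add-in roles."
} else {
    Write-Output "FAIL: '$PolicyName' still grants the following add-in roles:"
    $offending | Select-Object Role, RoleAssignee | Format-Table -AutoSize

    foreach ($assignment in $offending) {
        # Remove-ManagementRoleAssignment honours -WhatIf, so the default run only
        # reports what would be removed; -Remediate performs the removal.
        Remove-ManagementRoleAssignment -Identity $assignment.Identity `
            -Confirm:$false -WhatIf:(-not $Remediate)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without arguments to see the audit result and the dry-run removals, then with `-Remediate` to apply them. Removing the roles from the policy affects every mailbox that uses it, so tenants with additional role assignment policies should run the script against each one via `-PolicyName`.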