Block use of Office Add-ins for work or school accounts – Microsoft 365 Apps

Microsoft Technical Article






Blocking Office Add-ins on iOS for Enterprise Environments

🚀 Overview: Managing Office Add-ins in Hybrid Account Environments

In modern enterprise mobility scenarios, IT Administrators often face challenges when users access corporate data on personal iOS devices. A specific security and compliance gap occurs when users toggle between personal Microsoft Accounts (MSA) and corporate Work or School accounts within the Office mobile apps (Word, Excel, and PowerPoint). Even if an organization has officially disabled the Office Store, users may still be able to run add-ins that were previously installed while signed into their personal accounts.

This behavior typically manifests when a user creates a document using their personal account, installs an add-in, and then saves that document to a corporate location like OneDrive for Business. When the document is reopened under the corporate identity, the embedded add-in remains functional, potentially bypassing organizational security policies. This guide outlines how to effectively close this loophole using Intune App Configuration policies.

⚙️ Key Technical Details

To successfully restrict the execution of Office add-ins on iOS, administrators must move beyond global Store-level blocks and implement app-specific configuration keys. This ensures that the restriction is enforced at the application level, regardless of how the add-in was originally introduced to the document.

  • Applicable Applications: These configurations specifically target the Microsoft Office “core” apps on iOS: Word, Excel, and PowerPoint.
  • System Requirements: The devices must be running Office for iOS version 2.60 or later.
  • Management Framework: Apps must be managed by Microsoft Intune and governed by Intune App Protection Policies (APP). This solution is valid for both enrolled devices (MDM) and unenrolled devices (MAM-WE).
  • Configuration Method: Administrators must use App Configuration Policies in the Intune portal to deploy the keys below, either as XML or as key-value pairs.

Specific Configuration Keys:

There are two primary levels of restriction available via the configuration dictionary:

  • Block Office Store Add-ins Only: To prevent users from accessing or running add-ins sourced from the public Office Store (OMEX), use the following key:

    com.microsoft.office.OfficeWebAddinDisableOMEXCatalog

    Value: 1 (Integer)
  • Block All Add-ins: To implement a total restriction that includes both the public Office Store and any sideloaded add-ins, use the following key:

    com.microsoft.office.OfficeWebAddinDisableAllCatalogs

    Value: 1 (Integer)
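
The following is an added example, not part of the original article or Microsoft's tooling: a small Python check that renders the two keys above as an XML property-list dictionary and audits a configuration for the restriction level it expresses. It assumes the configuration is available as a plist; the function names and level labels are hypothetical, and treating anything other than Integer 1 as "not configured" is a conservative assumption based on the value type stated above.

```python
import plistlib

STORE_KEY = "com.microsoft.office.OfficeWebAddinDisableOMEXCatalog"
ALL_KEY = "com.microsoft.office.OfficeWebAddinDisableAllCatalogs"

def build_config(block_all: bool) -> bytes:
    """Render the app configuration dictionary as an XML property list."""
    key = ALL_KEY if block_all else STORE_KEY
    return plistlib.dumps({key: 1}, fmt=plistlib.FMT_XML)

def _is_set(settings: dict, key: str, findings: list) -> bool:
    """True only for Integer 1, the value the article specifies."""
    if key not in settings:
        return False
    value = settings[key]
    # bool is a subclass of int in Python, so <true/> is excluded explicitly.
    if isinstance(value, int) and not isinstance(value, bool) and value == 1:
        return True
    findings.append(
        f"{key}: expected Integer 1, found {type(value).__name__} {value!r}")
    return False

def audit(plist_xml: bytes):
    """Return (restriction level, findings) for an app configuration plist."""
    settings = plistlib.loads(plist_xml)
    findings = []
    block_all = _is_set(settings, ALL_KEY, findings)
    block_store = _is_set(settings, STORE_KEY, findings)
    if block_all:
        level = "block-all"
    elif block_store:
        level = "block-store-only"
        findings.append("sideloaded add-ins are not covered by this key")
    else:
        level = "not-configured"
    return level, findings

# Constructed sample: the key is present but typed as a string, not an integer.
MISTYPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.microsoft.office.OfficeWebAddinDisableAllCatalogs</key>
  <string>1</string>
</dict></plist>"""

if __name__ == "__main__":
    print(build_config(block_all=True).decode())
    print(audit(build_config(block_all=False)))
    print(audit(MISTYPED))
```
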

🛡️ Impact on Users and Administrators

Implementing these changes significantly tightens the security posture of the mobile workplace, but it does change the user experience and administrative workflow:

  • Administrative Control: This method provides a more granular approach than the tenant-wide “Turn off the Office Store” setting. It ensures that corporate data remains protected even if the user switches active accounts within the app.
  • User Experience: Once these keys are pushed to the device, users will find that add-ins previously active in their personal files will no longer load or execute once the file is associated with a work or school environment. This prevents unauthorized third-party code from interacting with corporate data.
  • Data Governance: By blocking “All Catalogs,” administrators can mitigate the risk of sideloaded scripts or unvetted tools being used to process sensitive organizational information on mobile platforms.
  • Compliance: For organizations in regulated industries, this ensures that only approved tools are utilized, preventing “Shadow IT” add-ins from persisting in the environment via the personal-to-corporate account transition.

Official Source: Read the full article on Microsoft.com