Blocking Office Store–Harder Than You May Think

Recently, a customer was rolling out Office 2016 ProPlus to their early adopters. This was a significant change for the business and a somewhat experimental process. Their Information Security team had a problem with the Add-ins function within the Office applications and requested that we find a way to block Office from accessing the Office Store.

The Office Store isn’t curated solely by Microsoft, so their concerns were valid: what potential risks to information could an unsolicited add-in cause?

Blocking the Office Store is harder than I first thought. There are blog posts out there that cover blocking, but I found they each cover a single use case, not a complete block. So this post covers all 4 steps you need to take to successfully block the Office Store.

Step 1 – Remove Office Store link from the App Launcher

In the Office 365 Portal, expand the Settings menu and click on Services and Add-ins

Next, scroll down to find the Office Store Service

Change the default value from On to Off and press save

This now removes the Store from the App Launcher

Step 2 – Block Office 2016 ProPlus from Accessing the Office Store

You can do this by using the Office Customisation Tool (OCT) when creating your deployment package, or by using the Office 2016 ADMX Group Policy template. This is well documented here: https://technet.microsoft.com/en-us/library/cc178992.aspx

Implementing this will stop the Office package from browsing the Office Store.

Step 3 – Blocking Access to the Store from Office Online

This one is something that I spent quite a bit of time on. Even with the above steps completed, users who go to Word, Excel or PowerPoint Online can still browse the Office Store and add add-ins. I couldn’t find a way to block this initially within the tenant; I even checked Azure AD Applications for Office Store and there was nothing in there that suggested this could be turned off. However, I found that there is a setting in Office 365 that will prevent this.

As you would logically think (sarc), this setting is located in the SharePoint Admin Portal, so open this, then click on Apps, and then Configure Store Settings.

Then select No for "Should Apps for Office from the store be able to start when documents are opened in the browser" and press Save.

Now when Word, Excel or PowerPoint Online opens and you try to browse the Office Store, you get this:

image

Step 4 – Block Access to https://store.office.com

Even with these settings applied, users can still go to store.office.com, browse the store, sign in and add an add-in to Office 2016 and Office Online… sigh. So you need to add this URL to your web blocking solution. But there is more: what if you have remote working and users are not connected to corpnet? The only dirty way I have found to prevent this is to edit the HOSTS file on the machine so that requests to store.office.com are sent to an IP address of 0.0.0.0 or the IP of a web page that tells them access is blocked.
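One way to script the HOSTS file change from Step 4, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later, the default HOSTS path and an elevated session for -Apply; Merge-HostsEntry and the sample lines are hypothetical names and constructed data, and without -Apply only that sample is processed.

```powershell
# Added example (not from the original post): pin store.office.com in HOSTS.
# Assumptions: Windows PowerShell 5.1+, default HOSTS path, elevated session for -Apply.
param(
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$HostName  = 'store.office.com',
    [string]$SinkIp    = '0.0.0.0',  # or the IP of an internal "access is blocked" page
    [switch]$Apply                   # without -Apply only the constructed sample is processed
)

function Merge-HostsEntry {
    param([string[]]$Lines, [string]$HostName, [string]$SinkIp)
    foreach ($line in $Lines) {
        # Text after '#' is a comment; only the part before it is an active mapping.
        $tokens = @((($line -split '#', 2)[0]) -split '\s+' | Where-Object { $_ })
        $names  = @($tokens | Select-Object -Skip 1)
        if ($names -contains $HostName) {
            # Remove the conflicting mapping but keep other names on the same line.
            $others = @($names | Where-Object { $_ -ne $HostName })
            if ($others.Count -gt 0) { "{0}`t{1}" -f $tokens[0], ($others -join ' ') }
        } else {
            $line   # untouched: comments, blank lines, unrelated hosts
        }
    }
    "$SinkIp`t$HostName"   # exactly one entry for the blocked host, appended last
}

if ($Apply) {
    $current = @(Get-Content -LiteralPath $HostsPath)
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force   # rollback copy
    $updated = @(Merge-HostsEntry -Lines $current -HostName $HostName -SinkIp $SinkIp)
    Set-Content -LiteralPath $HostsPath -Value $updated -Encoding ASCII
    Clear-DnsClientCache    # drop cached answers so the new mapping takes effect
    Select-String -LiteralPath $HostsPath -Pattern $HostName -SimpleMatch
} else {
    # Constructed sample HOSTS content, used so the merge can be inspected safely.
    $sample = @(
        '# Sample header comment',
        '127.0.0.1       localhost',
        '10.1.2.3        store.office.com intranet.example   # stale mapping',
        '# 0.0.0.0 store.office.com (commented out, ignored)'
    )
    Merge-HostsEntry -Lines $sample -HostName $HostName -SinkIp $SinkIp
}
```

A HOSTS entry only affects name resolution on that machine, and the script keeps the previous file as hosts.bak for rollback.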

2 comments

  1. BlueCoats Unified Agent, essentially a cloud proxy solution, would be a useful solution for step 4. And certainly a bit more elegant than mucking around with host files to shape traffic.
