Deploying Outlook add-ins (“apps”) for your O365 tenant is an intuitive experience via AppSource. As a Global Administrator, click GET IT NOW on the app’s page and you are immediately redirected to the Services & add-ins page of the M365 Admin Center.
From there, you can configure add-ins for the whole tenant, just yourself, or by group. All AAD group types, except non-email enabled ones, are supported. If a group is nested, the top-level group gets it, but none of the nested ones. You then choose to deploy as fixed, which means enforced, available, which means shown when users search for apps, or optional, which means installed but can be removed.
Less intuitive are the requirements and confirming what users are supported for your deployed add-ins apps. To simplify:
Add-ins are stored, by tenant, within Exchange and deployment can only be done by an admin with and mailboxes for which Modern Authentication (OAuth) is enabled.
Modern authentication is enabled by default with Exchange Online, so you are probably clear for cloud-only mailboxes, however perhaps not on-prem users in a hybrid environment. Microsoft make available the Office Add-In Centralised Deployment Eligibility Checker, a PowerShell module and cmdlet that will verify the deployability to every user in the tenant.
1. Install the module, available here.
2. Run PowerShell, elevated, importing the module and running its only cmdlet, which prompts you for the tenant name (ending on.microsoft.com). Note the prompt is, ironically, not a modern authentication one, so you must use an administrative account without Multi Factor Authentication enabled.
1 2 |
Import-Module O365CompatibilityChecker Invoke-CompatibilityCheck |
3. PowerShell will export output.csv to the working directory; typically %SystemRoot%System32 or %userprofile%. In my example, it took 50-60 seconds per 100 mailboxes.
The Centralised Deploy Ready, which is where you should focus efforts, column differs from Supported Mailbox despite what the screenshot indicates. For example, if a mailbox previously had OAuth enabled but now has no EXO license, it would show as not ready but supported.