Forum Discussion
How to Enforce Office Add-In Restrictions via Intune for Azure AD-Joined Devices (Office 2013–2021)
Dear Community,
We are currently migrating users from a traditional Windows Active Directory environment (where we used GPOs to restrict Office add-in management) to Microsoft 365 with Azure AD-joined devices.
Our goal is to prevent users from disabling critical Office add-ins across multiple standalone Office versions — specifically Office 2013, 2016, 2019, and 2021.
We are looking for guidance on:
- How to implement similar restrictions using Microsoft Intune and Microsoft 365 Admin Center.
- Whether there are Intune configuration profiles or administrative templates that support this use case.
- Any limitations or compatibility issues with standalone Office versions (non-Microsoft 365 Apps).
- Recommended best practices or documentation links for enforcing add-in policies in a cloud-native setup.
Any help or shared experiences would be greatly appreciated!
Thank you.
1 Reply
Hello,
you can try to import/migrate the GPO to Intune
https://learn.microsoft.com/en-us/intune/intune-service/configuration/group-policy-analytics
OR
you try to find out if you can set this with https://config.office.com/ ( Office Cloud Policy Service OCPS)
- Go to https://config.office.com
- Sign in with an admin account.
- Navigate to Customization > Policy Management
- Create a new policy configuration or edit an existing one.
OR use Intune Admin Templates
- Go to Intune Admin Center > Devices > Configuration profiles
- Create a new profile:
- Platform: Windows 10 and later
- Profile type: Templates > Administrative Templates
- Search for:
- "List of managed add-ins" under the relevant Office app (e.g., Outlook, Word)
- Configure the add-in with:
- Load Behavior: 3 (Load at startup)
- User Control: 0 (Users cannot change)
This mimics traditional GPO behavior in a cloud-native way
BR
