Forum Discussion
No capability to admin Microsoft Office Store Addins
The problem here is there are multiple "types" of add-ins, each managed differently. GPOs should cover access from the desktop apps; for the online versions you will have to disable access to the store via https://portal.office.com/adminportal/home#/Settings/ServicesAndAddIns -> User owned apps and services.
There are similar settings for the Azure AD portal, which cover any AAD-integrated apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/
Exchange and SharePoint have their own "stores" as well, which can be toggled on/off by admins. And for any already installed add-ins, you will have to remove them manually.
As for auditing, the Unified audit log should cover most of the related events; if not, you can periodically run a script that enumerates service principals in AAD and apps in Exchange (there's probably a programmatic method to do the same in SPO, but I'm not much of a SharePoint guy).
VasilMichev I've already set up blocking the general Store itself via a domain-level GPO, so that's accomplished. I don't think we're using SharePoint "online" yet, that's still on-prem. Exchange is about 1/2 through its o365 migration.
We can't seem to find anything in the 365 Admin to show who in our tenancy has installed Office Store applications. I know at least two people have installed Boomerang for Outlook; I am one of them as a test. For all we know, there could be dozens of "Office Store Apps" installed by various users...and this is a HUGE violation of our government contracts:
NIST 800-171: 3.4.9: Control and monitor user-installed software: User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved.
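The periodic enumeration script suggested earlier in the thread could look like the following. This is an added example, not code posted by either participant. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the account has Exchange admin rights and the Application.Read.All Graph permission; the CSV file names are placeholders.

```powershell
# Added example: inventory user-installed Outlook add-ins and AAD-integrated apps.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Applications

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All'

# 1. Outlook add-ins per mailbox. Scope 'User' means the mailbox owner installed
#    the add-in; 'Default' and 'Organization' add-ins are admin-deployed.
$addins = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    try {
        Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction Stop |
            Where-Object { $_.Scope -eq 'User' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    AddIn    = $_.DisplayName
                    Provider = $_.ProviderName
                    Type     = $_.Type        # e.g. MarketPlace vs. Private
                    Enabled  = $_.Enabled
                    Version  = $_.AppVersion
                    AppId    = $_.AppId
                }
            }
    } catch {
        # Keep going if a single mailbox cannot be queried.
        Write-Warning "Get-App failed for $($mbx.UserPrincipalName): $_"
    }
}

$addins | Sort-Object AddIn, Mailbox |
    Export-Csv -Path .\outlook-user-addins.csv -NoTypeInformation

# Quick summary: which add-ins are installed, and by how many users.
$addins | Group-Object AddIn | Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Service principals for AAD-integrated (enterprise) applications.
Get-MgServicePrincipal -All `
    -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" |
    Select-Object DisplayName, AppId, AppOwnerOrganizationId, AccountEnabled |
    Export-Csv -Path .\aad-integrated-apps.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The first part only sees mailboxes that already live in Exchange Online; mailboxes still on-prem have to be queried with `Get-App` from the on-premises Exchange Management Shell.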