May 27 2019 09:51 AM
My company is required by federal contracts to restrict end-users' capabilities to install applications, share data, and such under NIST 800-171 without specific allowance by IT. We recently learned that end-users are still capable of accessing the Microsoft Office Store, and signing up for the various cloud-based applications found there.
We have tried to file a help-desk ticket inside the Office 365 Admin Portal, but they keep sending us over to Azure Support; we worked all the way through that and discovered that they are unable to help. We have searched through the Office 365 Admin Portal, and there seems to be no way to control users, or even audit users, on an "Office Store" level.
We would like to have the capability to allow specific users to use specific Office Store applications once these are vetted and approved by the ISSEC team. For now, I have used a GPO to block the capability for the icon to bring up the Office Store; but we may already have users signed up for "Boomerang for Outlook", and we have no way of knowing which users are using what.
There is an article posted here titled "Blocking Office Store may be harder than you think" but both the links are 404 now; plus this isn't official Microsoft documentation, so we are wary of using it. We need actual documentation from Microsoft (the vendor) on this.
Due to the "separation of duties" requirement, our ISSEC team is not made up of admins in the Office 365 portal, so any troubleshooting on this has to be passed to the Network team. The ISSEC team needs to be able to audit Office Store usage, but not actually change anything. This may be outside of the scope of this question; but hopefully anyone able to answer the first question will know how to answer this too.
May 27 2019 10:25 AM - edited May 27 2019 11:48 AM
May 27 2019 11:01 PM
The problem here is there are multiple "types" of add-ins, each managed differently. GPOs should cover access from the desktop apps, for the online versions you will have to disable access to the store via https://portal.office.com/adminportal/home#/Settings/ServicesAndAddIns -> User owned apps and services.
There are similar settings for the Azure AD portal, which cover any AAD-integrated apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuI...
Exchange and SharePoint have their own "stores" as well, which can be toggled on/off by admins. And for any already installed add-ins, you will have to remove them manually.
As for auditing, the Unified audit log should cover most of the related events; if not, you can periodically run a script that enumerates service principals in AAD and apps in Exchange (there's probably a programmatic method to do the same in SPO, but I'm not much of a SharePoint guy).
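As an added illustration of the periodic script suggested in the reply above (this is example code, not something posted in the thread or published by Microsoft), the PowerShell below builds a read-only inventory of user-consented Azure AD apps and Office Store add-ins installed in Exchange Online mailboxes. It assumes the AzureAD and ExchangeOnlineManagement modules are installed, that the signed-in account only needs read permissions (so it fits the ISSEC "audit but not change" role), and that the `Type` value `MarketPlace` on `Get-App` output marks add-ins acquired from the Office Store.

```powershell
# Added example: read-only inventory of user-consented AAD apps and mailbox add-ins.
# Assumption: AzureAD and ExchangeOnlineManagement modules are installed and the
# account used has read access (e.g. Global Reader / View-Only Organization Management).
Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Azure AD: an OAuth2 grant with ConsentType 'Principal' is a consent given by an
#    individual user (admin consent shows as 'AllPrincipals'). Resolve app and user names.
$spNames = @{}
foreach ($sp in Get-AzureADServicePrincipal -All $true) { $spNames[$sp.ObjectId] = $sp.DisplayName }

$userConsents = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        $user = Get-AzureADUser -ObjectId $_.PrincipalId
        [pscustomobject]@{
            Source  = 'AzureAD'
            User    = $user.UserPrincipalName
            App     = $spNames[$_.ClientId]
            Details = $_.Scope    # delegated permissions the user granted to the app
        }
    }

# 2. Exchange Online: add-ins installed per mailbox. Assumption: Type 'MarketPlace'
#    identifies Office Store add-ins (as opposed to Default or Private ones).
$mailboxAddins = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-App -Mailbox $mbx.Identity |
        Where-Object { $_.Type -eq 'MarketPlace' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Exchange'
                User    = $mbx.UserPrincipalName
                App     = $_.DisplayName
                Details = "Enabled=$($_.Enabled); Version=$($_.AppVersion)"
            }
        }
}

# 3. One combined report; nothing above changes tenant state, so it can be run by auditors.
$report = @($userConsents) + @($mailboxAddins)
$report | Sort-Object Source, User | Format-Table -AutoSize
$report | Export-Csv -Path .\OfficeStoreInventory.csv -NoTypeInformation
```

Diffing successive CSV exports against the list of vetted applications gives the ISSEC team a recurring check for newly installed, unapproved add-ins without requiring admin rights in the portal.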
May 31 2019 07:23 AM
@Vasil Michev I've already set up blocking the general Store itself via a domain-level GPO, so that's accomplished. I don't think we're using SharePoint "online" yet; that's still on-prem. Exchange is about 1/2 through its O365 migration.
We can't seem to find anything in the 365 Admin to show who in our tenancy has installed Office Store applications. I know at least two people have installed Boomerang for Outlook; I am one of them as a test. For all we know, there could be dozens of "Office Store Apps" installed by various users... and this is a HUGE violation of our government contracts:
NIST 800-171: 3.4.9: Control and monitor user-installed software: User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved.