Manually installing Office 365 could take weeks or months depending on the number of devices in your organization. Find out how to deploy it in hours or days. Microsoft's Office suite is the de. Microsoft Office 365 deployment guide Overview. This guide provides the information to configure Office 365 in your Okta org The Okta container that represents a real-world organization.Depending on your license type, some topics in this guide may not apply to you.
-->Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in). As an admin, you can deploy Office add-ins for the users in your organization. You can do this using the Centralized Deployment feature in the Microsoft 365 admin center.
Centralized Deployment is the recommended and most feature-rich way for most admins to deploy add-ins to users and groups within an organization. For more information on how to determine if your organization can support Centralized Deployment, see Determine if Centralized Deployment of add-ins works for your Office 365 organization.
Centralized Deployment provides the following benefits:
A Global admin can assign an add-in directly to a user, to multiple users via a group, or to everyone in the tenant.
When the relevant Office application starts, the add-in automatically downloads for the user. If the add-in supports add-in commands, the add-in automatically appears in the Ribbon within the Office application.
Add-ins will no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.
Note
For Word, Excel and PowerPoint use a SharePoint App Catalog to deploy add-ins to users in an on-premises environment with no connection to Office 365 and/or support for SharePoint add-ins required. > For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Office 365. >
Recommended approach for deploying Office add-ins
Consider rolling out add-ins in a phased approach to help ensure your add-in deployment goes smoothly. We recommend the following plan:
Roll-out the add-in to a small set of business stakeholders and members of the IT department. Evaluate if the deployment was successful, and if so, move on to step 2.
Roll-out to a larger set of individuals within the business who will be using the add-in. Again, evaluate results and, if all went well, go to the next step of a full deployment.
Full rollout to target audience of users.
Depending on the size of the target audience, you may want to add or remove roll-out steps.
Deploy an Office add-in using the admin center
Before you begin, see Determine if Centralized Deployment of add-ins works for your Office 365 organization.
In the admin center, go to the Settings > Services & add-ins page.
Select Deploy Add-in at the top of the page. On the overview page, select Next.
Select an option and follow the instructions.
If you selected the option to add an add-in from the Office Store, you can now make your add-in selection. Notice that you can view available add-ins via categories of Suggested for you, Rating, or Name. Only free add-ins are available to add from the Office Store. Paid add-ins aren't supported currently. Once you've selected your add-in, you will need to agree to some additional terms and conditions in order to proceed.
NOTE: With the Office Store option, updates and enhancements to the add-in will automatically be made available to users without your intervention.On the next page, select Everyone, Specific users/groups or Just me to specify who the add-in is deployed to. Use the Search box to find the users or groups who you want to deploy the add-in to.
NOTE: Learn about the other states that apply to an add-in. See Add-in states later in this topic.Select Deploy.
A green tick will appear when the add-in has been deployed. You can follow the on-page instructions to test that the add-in has deployed successfully.
Note
Users may need to relaunch Office to see the add-in icon appear on the ribbon of app. Outlook add-ins can take up to 12 hours to appear on users' ribbons.
- When finished, select Next. If you've deployed to just yourself, you can select Change who has access to add-in in order to deploy to more users.
If you've deployed the add-in to members of your orgnization other than yourself, follow the instructions displayed in order to effectively announce the deployment of the add-in.
You now see your add-in along with other apps in Office 365.
It's a good idea to inform the users and groups who you deployed the add-in to so that they know that it's available. Consider sending an email to them that describes when and how to use the add-in and explains how the add-in can help them do their job better. Include or link to relevant Help content or FAQs that might help if users have any problems with the add-in.
Considerations when assigning an add-in to users and groups
Admins can assign an add-in to everyone or to specific users and groups. Each option has implications:
Everyone: As the name implies, this option assigns the add-in to every user in the tenant. Use this option sparingly and only for add-ins that are truly universal to your organization.
Users: If you assign an add-in to an individual user, then to deploy the add-in to a new user, you will need to first add that user. The same goes for removing users.
Groups: If you assign an add-in to a group, users who are added to the group will automatically be assigned the add-in. And, when a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from you as the admin.
Just me: If you assign an add-in to just yourself, this assigns the add-in to only your account. This is ideal if you wish to test out the add-in first.
The option that is right for your organization depends on your configuration. However, we recommend making assignments via groups. As an admin, you might find it easier to manage add-ins using groups and control the membership of those groups rather than having to change the users assigned each time. On the other hand, in some situations, you may want to restrict access to a very small set of users and therefore make assignments to specific users. As a result, you will need to manage the assigned users manually.
Add-in states
An add-in can either be in the On or Off state.
| State | How the state occurs | Impact |
|---|---|---|
| Active | Admin uploaded the add-in and assigned it to users or groups. | Users and groups assigned to the add-in see it in the relevant clients. |
| Turned off | Admin turned off the add-in. | Users and groups assigned to the add-in no longer have access to it. If the add-in state is changed to Active, the users and groups will have access to it again. |
| Deleted | Admin deleted the add-in. | Users and groups assigned the add-in no longer have access to it. |
Consider deleting an add-in if no one is using it any more. Turning off an add-in may make sense if an add-in is used only during specific times of the year.
Security of Office add-ins
Office add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:
Display data.
Read a user's document to provide contextual services.
Read and write data to and from a user's document to provide value to that user.
For more information about the types and capabilities of Office add-ins, see Office Add-ins platform overview, especially the section 'Anatomy of an Office Add-in.'
To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see Requesting permissions for API use in content and task pane add-ins.
When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.
Updates for add-ins happen as follows:
Line-of-business add-in: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
Office Store add-in: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
Edit Add-in access
Post deployment, admins can also modify the user access to add-ins.
In the admin center, go to the Settings > Services & add-ins page.
Select the deployed add-in.
Click on Edit under Who has Access.
Prevent add-in downloads by turning off the Office Store across all clients (Except Outlook)
Note
Outlook add-in installation is managed by a different process.
As an organization you may wish to prevent the download of new Office add-ins from the Office Store. This can be used in conjunction with Centralized Deployment to ensure that only organization-approved add-ins are deployed to users within your organization.
To turn off add-in acquisition:
In the admin center, go to the Settings > Services & add-ins page.
Select User owned apps and services.
Clear the option to let users access the Office store.
This will prevent all users from acquiring the following add-ins from the store.
Add-ins for Word, Excel, and PowerPoint 2016 from:
Windows
Mac
Office
iOS
Acquisitions starting within AppSource
Add-ins within Office 365
A user who tries to access the store will see the following message: Sorry, Office 365 has been configured to prevent individual acquisition of Office Store add-ins.
Support for turning off the Office Store is available in the following versions:
Windows: 16.0.9001 - Currently available.
Mac: 16.10.18011401 - Currently available.
iOS: 2.9.18010804 - Currently available.
The web - Currently available.
This does not prevent an administrator from using Centralized Deployment to assign an add-in from the Office Store.
To prevent a user from signing in with a Microsoft account, you can restrict logon to use only the organizational account. For more information, look here.
Minors and acquiring add-ins from the Store
The General Data Protection Regulation (GDPR) is a European Union regulation that becomes effective May 25, 2018. It gives users rights to and protection of their data. One of the aspects of the GDPR is that minors cannot have their personal data sent to parties that their parent or guardian hasn't approved. The specific age defined as a minor depends on the region where the individual is located.
Regions that have statutory regulations about parental consent include the United States, South Korea, the United Kingdom, and the European Union. For those regions, a minor will be blocked (via Azure Active Directory) from getting any new Office add-ins from the Store and running add-ins that were previously acquired. For countries without statutory regulations, there will be no download restrictions.
A user is determined to be a minor based on data specified in Azure Active Directory. The tenant admin is responsible for declaring the legal age group and the parental consent for that user.
If the parent/guardian consents to a minor using a specific add-In, then the tenant admin can use centralized deployment to deploy that add-In to all minors who have consent.
To be GDPR compliant for minors you need to ensure that one of following builds of Office is deployed in your school/organization.
For Word, Excel, PowerPoint, and Project:
| Platform | Build number |
| Office 2016 ProPlus Monthly for Windows | 9001.2138 |
| Office 2016 ProPlus Semi-Annual | 8431.2159 |
| Office 2016 for Windows | 16.0.4672.1000 |
| Office 2013 for Windows | 15.0.5023.1000 |
| Office 2016 for Mac | 16.11.18020200 |
| Office 2016 for iOS | 2.12.18032600 |
| Office for the web | N/A |
For Outlook:
| Platform | Build number |
| Outlook 2016 for Windows (MSI) | Build No TBD |
| Outlook 2016 for Windows (C2R) | 16.0.9323.1000 |
| Office 2016 for Mac | 16.0.9318.1000 |
| Outlook mobile for iOS | 2.75.0 |
| Outlook mobile for Android | 2.2.145 |
| Outlook.com | N/A |
Office 2013 requirements
Word, Excel, and PowerPoint 2013 for Windows will support the same minor checks if Active Directory Authentication Library (ADAL) is enabled. There are two options for compliance, as explained next.
Enable ADAL. This article explains how to enable ADAL for Office 2013: Using Office 365 modern authentication with Office clients.
You also need to set the registry keys to enable ADAL as explained in Enable Modern Authentication for Office 2013 on Windows devices.
Additionally, you need to install the following April updates for Office 2013:Don't enable ADAL. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the office clients. Information on how to turn off the app for Office settings is located here.
End user experience with add-ins
Now that you've deployed the add-in, your end users can start using it in their Office applications (see Start using your Office Add-in). The add-in will appear on all platforms that the add-in supports.
If the add-in supports add-in commands, the commands appear on the Office ribbon. In the following example, the command Search Citation appears for the Citations add-in.
If the deployed add-in doesn't support add-in commands or if you want to view all deployed add-ins, you can view them via My Add-ins.
In Word 2016, Excel 2016, or PowerPoint 2016
Select Insert > My Add-ins.
Select the Admin Managed tab in the Office Add-ins window.
Double-click the add-in you deployed earlier (in this example, Citations ).
In Outlook
On the Home ribbon, select Get Add-ins.
Select Admin-managed in the left nav.
Delete the add-in
Office 365 Login Portal
You can also delete an add-in that was deployed.
In the admin center, go to the Settings > Services & add-ins page.
Select the deployed add-in.
Click on Delete Add-In.
Learn more
Learn more about creating and building Office Add-ins.
Use Centralized Deployment PowerShell cmdlets to manage add-ins.
Manually Deploy Office 365 To Users 2017
To answer your question as long as you have the appropriate licensing, yes you can add these workstations to Azure AD. Safe to assume all the machines are windows 10 boxes?
Do you already have all of your users in Azure Active Directory? I am assuming at that point you would get office 365 installed on all of your workstations. Or are you saying the plan is to have them access everything via the web? If you have the correct licensing you can just downloaded it to each workstation from the portal site.
I would not move forward with logging into each user at each workstation, I would configure One Drive for business to save your desktop/downloads/documents that way this data roams as the user signs in.
Deploy Office 365 Using Sccm
For printers etc you would use group policy for this.