Hoxhunt button: Centralized Deployment of Hoxhunt add-in

Applies to: M365, Hybrid
The guide for On-premise exchange environments can be found here:
Deploying Hoxhunt add-in via Exchange Admin Center

Contents of this article

 

Overview

Centralized Deployment is a method that can be used in certain Microsoft 365 and hybrid environments. It is also used to deploy Outlook add-ins to Outlook Mobile. To check if this method suits you, please see Office 365 Compatibility Checker article before reading further.

Advantages:

  • Add-in can be deployed to everyone in the tenant or only a selected group of users
  • Add-in is automatically deployed and removed as members are added and removed from groups
  • Add-in is automatically pinned in Outlook on the Web (OWA) and Outlook Progressive Web Application (PWA)*
  • Centralized Deployment supports three desktop platforms: Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).

*NOTE: Add-ins deployed via Centralized Deployment by Admins since 21 April, 2021 will be automatically pinned in Outlook for Web and Outlook Progressive Web Application. However, based on Hoxhunt's experience, add-ins deployed before that date will not be automatically pinned, even when they are re-deployed. Hoxhunt has issued a bug ticket to Microsoft about this.

 

General requirements:

  • The admin deploying the add-in and the users receiving the add-in must be on a version of Exchange Server that supports OAuth authentication. By default, Exchange Multi-Tenant and Dedicated VNext deployments support OAuth.
  • Users must be using Office 365 ProPlus, or one of Microsoft 365 Enterprise SKUs (E3/E5/F3) or Business SKUs (Business Basic, Business Standard, Business Premium), and are signed into Office using their organizational ID, and have Exchange Online and active Exchange Online mailboxes.
  • Your subscription's directory must either be in, or federated to Azure Active Directory.

To learn more about Centralized Deployment, please check Microsoft's Centralized Deployment FAQ and Before You Begin articles.

For environments that don't meet the requirements for Centralized Deployment, you can deploy Hoxhunt Outlook add-in via the Exchange Admin Center by using Powershell. Please see this article.

 

Centralized Deployment of Hoxhunt add-in


1. In the Microsoft 365 Admin Center, Navigate to Settings > Add-ins.

NOTE: If you don't see this menu option, use this direct link to access the page or navigate Settings > Integrated apps instead. Then follow these instructions.

M365_Admin_Center_Services_Add-ins.png

 

2. Click + Deploy Add-in.

M365_Admin_Center_Add-ins_Deploy_add-in.png



3. Deploy a new add-in dialog opens, choose Next.

M365_Admin_Center_Deploy_new_add-in_1.png

 

4. Under Deploy a custom add-in, choose “Upload custom apps”.

M365_Admin_Center_Deploy_new_add-in_2.png

 

5. Choose “I have a URL for the manifest file.”, copy and paste the following manifest URL into the highlighted text field (don't forget to include https://):

https://officejs.hoxhunt.com/api/v1/manifest/default/manifest.xml

NOTE: If you have been provided with a different URL, please use that one instead.


Click “Upload” to proceed.

M365_Admin_Center_Deploy_new_add-in_3.png

 

6. Under Assign Users, choose who has access to the add-in. You can select Everyone, Specific users / groups, or Just me.

If you select “Specific users / groups”, you can search for individual users or AD groups you want to deploy the add-in to.

 

7. Under Deployment Method, select whether you want Hoxhunt add-in to be mandatory or if users have the option to remove the add-in.

Click “Next” to proceed.centralized_eployment_of_hoxhunt_add-in_two.png

8. A page with required permissions is opened. Review the permissions and click Save.

Click “Save” to finish the deployment.

Note: See the FAQ at the end of this article for more information about how Hoxhunt utilises these permissions. 

centralized_eployment_of_hoxhunt_add-in_one.png

 

9. Confirmation page is shown that confirms the add-in has been assigned to the users/groups you selected.

M365_Admin_Center_Deploy_new_add-in_5.png

 

Please note:

  • it may take a few minutes to an hour for the add-in to appear for the newly selected user group. According to Microsoft it may take up to 24 hours but usually it's much less.

  • If you are unable to see Hoxhunt add-in in desktop Outlook even after restarting the application, please check if the button is available in Outlook on the Web (OWA) or Outlook Progressive Web Application (PWA). Please check this article to locate Hoxhunt button in Outlook OWA / PWA.

 

10. Your new Hoxhunt add-in is now displayed in the Add-ins list (the page might need a refresh).

M365_Admin_Center_Deploy_new_add-in_6.png

 

 

Edit, remove or add users / groups for Hoxhunt add-in


1. In the Microsoft 365 Admin Center, navigate to Settings > Add-ins.

M365_Admin_Center_Services_Add-ins.png

 

2. Click Hoxhunt Report in the Add-ins list.

M365_Admin_Center_Deploy_new_add-in_6.png

 

3. Make any necessary changes and click Save.

M365_Admin_Center_Deploy_new_add-in_7.png

Please note:

Frequently asked questions

Could you explain the permission model of Microsoft Graph API?

The Microsoft Graph API uses OAuth which makes permissions more visible in the form of scopes

The Graph server will request the following delegated permissions:

  • Send email on behalf of users

  • Read and write user’s own and shared mailboxes

  • Sign in and read user profile

  • Sign users in

  • View user's basic profile

You can also check the permission scopes directly from within the add-in manifest XML:

Graph_API_permission_scopes.png

Read more about how delegated permissions work at this page from Microsoft.

Full Graph permissions reference is available here.

 

What are delegated permissions?

With delegated permissions, an app is acting on the user's behalf. When user clicks the Hoxhunt Outlook add-in (which uses delegated permissions), the app is given a token that enables it to act under the user's authority within set and specific limits. The limits are defined by the scopes mentioned earlier. The token is only valid for a short period of time. Hoxhunt add-in will execute relevant actions based on your organisation’s Hoxhunt settings and the actions user takes in the UI. Hoxhunt never stores the token anywhere. The token will be lost forever once a reporting process has been completed.

 

Why are you using delegated permissions instead of app permissions?

Security-wise, delegated permissions are more convenient than app permissions. Delegated permissions require a logged-in user to act on behalf of, whereas app permissions can do "whatever , whenever", but cannot act on the user's behalf.

 

Why are we requiring the permissions we're requiring?

Send email on behalf of users
When reporting a possible malicious email – Hoxhunt add-in will use the requested permissions when reporting/forwarding a suspicious email from the users' mailbox to organizations redirect address (for Threat Forwarding)

Read and write user’s own and shared mailboxes
Used for reading the email being reported – be it a simulation email or a potential threat – as our add-in identifies the email being reported by the header information, we need this specific permission to be able to identify simulations, potential known threats, and safe emails (for Feedback Rules and instant feedback)

Sign in and read user profile
As we’re using delegated permissions instead of App permissions – we can always use the lowest necessary privileges – An application using delegated permissions requires a signed-in user to be present for making GraphAPI calls.

I have more questions

Please contact support@hoxhunt.com for more information about centralized deployment and the permissions required to use the Hoxhunt add-in. 

Was this article helpful?

16 out of 19 found this helpful

Have more questions? Submit a request