Hoxhunt button: Centralized Deployment of Hoxhunt add-in via Integrated Apps 

Applies to: M365, Hybrid
The guide for On-premise exchange environments can be found here: 
Deploying Hoxhunt add-in via Exchange Admin Center

Overview

Centralized Deployment is a method that can be used in Microsoft 365 and Hybrid environments. It is also used to deploy Outlook add-ins to Outlook Mobile.

 

PLEASE READ: (2025-04) Solution for the "AADSTS7000024: Inconsistent broker application IDs" reporting issue on Outlook Mobile

 

Features

  • Add-in can be deployed to everyone in the tenant or only a selected group of users
  • Add-in is automatically deployed and removed as members are added and removed from groups
  • Add-in is automatically pinned in Outlook
  • Centralized Deployment supports three desktop platforms: Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).

 

All about Integrated Apps, Centralized Deployment and Outlook add-ins

If you want to learn more about the deployment or how Outlook add-ins work, please spend a moment with the following resources from Microsoft.

 

Get Started with Integrated Apps - Learn about permissions needed for deployment, how group assignment works, limitations and restrictions on when Integrated Apps isn't available.

Deploy and manage Office add-ins through Integrated Apps - Learn about client and server requirements, how to deploy, update or remove deployment, limitations and restrictions, and Office add-ins security.

 

Determine if Centralized Deployment of add-ins works for your organization - Learn about which licenses support Office add-ins, where Centralized Deployment cannot be used, client and admin requirements, and Compatibility checker.

Deploy add-ins in the Microsoft 365 admin center - Learn how to deploy Outlook add-in for the first time. Also learn about Office add-in security.

Manage add-ins in the Microsoft 365 admin center - Learn how to update or remove an already deployed add-in.

Centralized Deployment FAQ - Everything you want to know about Centralized Deployment

 

Requirements for running Office add-ins - Learn if your Outlook client supports Outlook web add-ins and what other dependencies it may have.

Browsers and webview controls used by Office Add-ins - Learn how Office add-ins use web browser to render content for end users, and how the browser is chosen by Microsoft.

 

For environments that don't meet the requirements for Centralized Deployment, you can deploy Hoxhunt Outlook add-in via the Exchange Admin Center by using Powershell. Please see this article.

 

Centralized Deployment of Hoxhunt add-in

1. In the Microsoft 365 Admin Center, Navigate to Settings > Integrated apps.

2. Click Upload custom apps.

3. Choose Provide link to manifest file and enter the following URL:
https://officejs.hoxhunt.com/api/v1/manifest/default/manifest.xml

4. Click Validate.
If all goes well, you receive "Manifest file validated" message.

5. Click Next.

6. Leave Is this a test deployment? to No position.

6. Assign users to Hoxhunt add-in by selecting Specific users/groups. This option is recommended for ultimate control to target Hoxhunt service to certain employees with individual assignments and group assignments.

7. Click Next.

8. Review App permissions and capabilities. When done, click Accept permissions. Go through the consent screen that opened and click Accept. When done, click Next.

9. Review and finish deployment by clicking Finish deployment.

 

In case of any errors, review the error description and try agin. You can also contact Hoxhunt Support for help.

 

NOTE:

  • It can take up to 24 hours for a new add-in deployment to show up for all users. It can take up to 72 hours for add-in updates, changes from turn on or turn off to reflect for users.

  • Restarting the Outlook client may speed up the process.

  • If you are unable to see Hoxhunt add-in in desktop Outlook even after restarting the client, please check if the button is available in Outlook on the Web.

  • Please check this article to locate Hoxhunt button in various Outlook clients.

 

Edit, remove or add users for Hoxhunt add-in


1. In the Microsoft 365 Admin Center, navigate to Settings > Integrated apps.

2. Locate Hoxhunt Report in the list and click it.

3. Make any necessary changes and click Save.

 

NOTE:

  • It can take up to 24 hours for a new add-in deployment to show up for all users. It can take up to 72 hours for add-in updates, changes from turn on or turn off to reflect for users.

 

PLEASE READ: (2025-04) Solution for the "AADSTS7000024: Inconsistent broker application IDs" reporting issue on Outlook Mobile

 

Frequently asked questions

Could you explain the permission model of Microsoft Graph API?

The Microsoft Graph API uses OAuth which makes permissions more visible in the form of scopes

The Graph server will request the following delegated permissions:

  • Send email on behalf of users

  • Read and write user’s own and shared mailboxes

  • Sign in and read user profile

  • Sign users in

  • View user's basic profile

You can also check the permission scopes directly from within the add-in manifest XML:

Graph_API_permission_scopes.png

Read more about how delegated permissions work at this page from Microsoft.

Full Graph permissions reference is available here.

 

What are delegated permissions?

With delegated permissions, an app is acting on the user's behalf. When user clicks the Hoxhunt Outlook add-in (which uses delegated permissions), the app is given a token that enables it to act under the user's authority within set and specific limits. The limits are defined by the scopes mentioned earlier. The token is only valid for a short period of time. Hoxhunt add-in will execute relevant actions based on your organisation’s Hoxhunt settings and the actions user takes in the UI. Hoxhunt never stores the token anywhere. The token will be lost forever once a reporting process has been completed.

 

Why are you using delegated permissions instead of app permissions?

Security-wise, delegated permissions are more convenient than app permissions. Delegated permissions require a logged-in user to act on behalf of, whereas app permissions can do "whatever , whenever", but cannot act on the user's behalf.

 

Why are we requiring the permissions we're requiring?

Send email on behalf of users
When reporting a possible malicious email – Hoxhunt add-in will use the requested permissions when reporting/forwarding a suspicious email from the users' mailbox to organizations redirect address (for Threat Forwarding)

Read and write user’s own and shared mailboxes
Used for reading the email being reported – be it a simulation email or a potential threat – as our add-in identifies the email being reported by the header information, we need this specific permission to be able to identify simulations, potential known threats, and safe emails (for Feedback Rules and instant feedback)

Sign in and read user profile
As we’re using delegated permissions instead of App permissions – we can always use the lowest necessary privileges – An application using delegated permissions requires a signed-in user to be present for making GraphAPI calls.

 

I have more questions

Please contact support@hoxhunt.com for more information about centralized deployment and the permissions required to use the Hoxhunt add-in. 

Was this article helpful?

5 out of 5 found this helpful

Have more questions? Submit a request