Hoxhunt button: Centralized Deployment of Hoxhunt add-in via Integrated Apps

Applies to: M365, Hybrid
The guide for on-premises Exchange environments can be found here: Deploying Hoxhunt add-in via Exchange Admin Center


Centralized Deployment is a method that can be used in certain Microsoft 365 and hybrid environments. It is also used to deploy Outlook add-ins to Outlook Mobile. To check if this method suits you, please see the Office 365 Compatibility Checker article before reading further.



  • Add-in can be deployed to everyone in the tenant or only a selected group of users
  • Add-in is automatically deployed and removed as members are added and removed from groups
  • Add-in is automatically pinned* in Outlook on the Web (OWA) and Outlook Progressive Web Application (PWA)
  • Centralized Deployment supports three desktop platforms: Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).

*UPDATE 20.03.2024: Add-ins deployed via Centralized Deployment by Admins are again automatically pinned to Outlook for Web and New Outlook for Windows.

Read more: (2024-02) About Hoxhunt button's visibility in Outlook clients


Requirements and restrictions

Centralized deployment of add-ins requires that the users have one of the following licenses:

  • Microsoft 365 Business (Business Basic, Business Standard, Business Premium)
  • Office 365 Enterprise (E1/E3/E5/F3)
  • Microsoft 365 Enterprise (E3/E5/F3) (and are signed in Microsoft 365 using their organizational ID)
  • Office 365 Education (A1/A3/A5)
  • Microsoft 365 Education (A3/A5)
  • Office 365 Government (G3/G5)
  • Microsoft 365 Government (G3/G5)

Users must also have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Microsoft Entra ID.

Centralized Deployment doesn't support the following:

  • Add-ins that target Office MSI version (except Outlook 2016)
  • An on-premises directory service
  • Add-in deployment to an Exchange On-Prem Mailbox
  • Deployment of COM add-ins or VSTO add-ins
  • Deployments of Microsoft 365 that do not include Exchange Online such as SKUs: Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.

To learn more about Centralized Deployment, please check Microsoft's Centralized Deployment FAQ and Before You Begin articles.

For environments that don't meet the requirements for Centralized Deployment, you can deploy the Hoxhunt Outlook add-in via the Exchange Admin Center by using PowerShell. Please see this article.


Centralized Deployment of Hoxhunt add-in

1. In the Microsoft 365 Admin Center, navigate to Settings > Integrated apps.

2. Click Upload custom apps.

3. Choose Provide link to manifest file and enter the following URL:

4. Click Validate.
If all goes well, you receive a "Manifest file validated" message.

5. Click Next.

6. Leave Is this a test deployment? set to No.

7. Assign users to Hoxhunt add-in by selecting Specific users/groups. This option is recommended because it gives you the most control: you can target the Hoxhunt service to certain employees through individual assignments and group assignments.

8. Click Next.

9. Review App permissions and capabilities. When done, click Accept permissions. Go through the consent screen that opens and click Accept. When done, click Next.

10. Review and finish deployment by clicking Finish deployment.


In case of any errors, review the error description and try again. You can also contact Hoxhunt Support for help.


Please note:

  • It may take a few minutes to an hour for the add-in to appear for the newly selected user group. According to Microsoft, it may take up to 24 hours, but usually it's much less.

  • If you are unable to see Hoxhunt add-in in desktop Outlook even after restarting the application, please check if the button is available in Outlook on the Web (OWA) or Outlook Progressive Web Application (PWA). Please check this article to locate Hoxhunt button in Outlook OWA / PWA.


Edit, remove or add users for Hoxhunt add-in

1. In the Microsoft 365 Admin Center, navigate to Settings > Integrated apps.

2. Locate Hoxhunt Report in the list and click it.

3. Make any necessary changes and click Save.



Frequently asked questions

Could you explain the permission model of Microsoft Graph API?

The Microsoft Graph API uses OAuth, which makes permissions more visible in the form of scopes.

The Graph server will request the following delegated permissions:

  • Send email on behalf of users

  • Read and write user’s own and shared mailboxes

  • Sign in and read user profile

  • Sign users in

  • View user's basic profile

You can also check the permission scopes directly from within the add-in manifest XML:


Read more about how delegated permissions work at this page from Microsoft.

Full Graph permissions reference is available here.
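
One way to run the manifest check described above before you accept the consent screen, as an added example that is not Hoxhunt's code: it reads the Scope entries a manifest declares under WebApplicationInfo and compares them with a list you have approved. The manifest fragment, its Id, Resource and Scope values, and the approved list are constructed placeholders, not Hoxhunt's real manifest.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest fragment (NOT Hoxhunt's real manifest).
# Id, Resource and Scope values are placeholders for illustration.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides">
    <WebApplicationInfo>
      <Id>00000000-0000-0000-0000-000000000000</Id>
      <Resource>api://addin.example.invalid/00000000-0000-0000-0000-000000000000</Resource>
      <Scopes>
        <Scope>openid</Scope>
        <Scope>profile</Scope>
        <Scope>User.Read</Scope>
        <Scope>Mail.Send</Scope>
        <Scope>Files.ReadWrite.All</Scope>
      </Scopes>
    </WebApplicationInfo>
  </VersionOverrides>
</OfficeApp>"""

# Assumption: the delegated scopes your organisation has agreed to consent to.
APPROVED_SCOPES = {"openid", "profile", "User.Read", "Mail.Send"}

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts in front of tag names.
    return tag.rsplit("}", 1)[-1]

def declared_scopes(manifest_xml):
    """Return the scopes declared under WebApplicationInfo, in document order."""
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("manifest contains a DOCTYPE; refusing to parse it")
    found = []
    for info in ET.fromstring(manifest_xml).iter():
        if _local(info.tag) != "WebApplicationInfo":
            continue
        for node in info.iter():
            if _local(node.tag) == "Scope" and node.text:
                found.append(node.text.strip())
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def review_scopes(manifest_xml, approved):
    """Compare declared scopes with the approved list."""
    declared = declared_scopes(manifest_xml)
    return {
        "unexpected": [s for s in declared if s not in approved],
        "not_requested": sorted(set(approved) - set(declared)),
    }

if __name__ == "__main__":
    print(review_scopes(SAMPLE_MANIFEST, APPROVED_SCOPES))
```

Any entry under "unexpected" is a scope the manifest asks for that nobody in your organisation signed off on, and is worth resolving before step "Accept permissions".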


What are delegated permissions?

With delegated permissions, an app is acting on the user's behalf. When a user clicks the Hoxhunt Outlook add-in (which uses delegated permissions), the app is given a token that enables it to act under the user's authority within set and specific limits. The limits are defined by the scopes mentioned earlier. The token is only valid for a short period of time. The Hoxhunt add-in will execute relevant actions based on your organisation’s Hoxhunt settings and the actions the user takes in the UI. Hoxhunt never stores the token anywhere. The token will be lost forever once a reporting process has been completed.


Why are you using delegated permissions instead of app permissions?

Security-wise, delegated permissions are more convenient than app permissions. Delegated permissions require a logged-in user to act on behalf of, whereas app permissions can do "whatever, whenever", but cannot act on the user's behalf.


Why are we requiring the permissions we're requiring?

Send email on behalf of users
When a possible malicious email is reported, the Hoxhunt add-in uses this permission to report/forward the suspicious email from the user's mailbox to the organization's redirect address (for Threat Forwarding).

Read and write user’s own and shared mailboxes
Used for reading the email being reported, be it a simulation email or a potential threat. Because our add-in identifies the reported email by its header information, we need this specific permission to be able to identify simulations, potential known threats, and safe emails (for Feedback Rules and instant feedback).

Sign in and read user profile
Because we’re using delegated permissions instead of app permissions, we can always use the lowest necessary privileges. An application using delegated permissions requires a signed-in user to be present for making Graph API calls.


I have more questions

Please contact support@hoxhunt.com for more information about centralized deployment and the permissions required to use the Hoxhunt add-in. 
