Restricting access to Outlook add-in
As of right now there is no way to restrict who can install an add-in if a person knows the URL to the manifest file.
Of cause one could argue that the manifest file could be placed behind a login (either forms or normal Windows Auth), but still if a person somehow got hold of the manifest file (through an e-mail or what not), the person could still install the add-in.
It would make sense to add a section to the manifest file that could be used to describe characteristics about the users/domains that that are allowed to install the add-in.
Of cause this would have to be encrypted somehow (or some certificate thing), otherwise one could just download the manifest, change it and then install the add-in.
We are not planning on adding such entry in the manifest, reason being: it admins can control within their organization:
a. that add-ins from the store can be used or not.
b. deploy add-ins to specific (and intended) users or groups.
On top of the above, the add-in logic can also enforce such rule.
Hence we are not adding this functionality any time soon.
I mean even though this was declined I don't believe we currently have granular controls on add ins like in the decline text, "a. that add-ins from the store can be used or not." we can't choose add ins from the store but hide others.
What is the information in the manifest that you actually want to protect? For the most part the manifest is a collection of strings and URLs. I'd highly recommend the approach of securing the content of the URLs (except icons) behind an authentication mechanism to validate the users. Even if the manifest we're secured this would be a recommend path since the user who finds the URLs (say using browser debugging tools) would render all of the manifest security moot.