EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting
Clutch Top Power BI & Data Solutions Company 2026, G2 High Performer, Momentum Leader, Leader Awards
BlogContact
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌
‌

EPC Group

Enterprise Microsoft consulting with 28+ years serving Fortune 500 companies.

(888) 381-9725
contact@epcgroup.net
4900 Woodway Drive - Suite 830
Houston, TX 77056

Follow Us

Solutions

  • All Services
  • Microsoft 365 Consulting
  • AI Governance
  • Azure AI Consulting
  • Cloud Migration
  • Microsoft Copilot
  • Data Governance
  • Microsoft Fabric
  • vCIO / vCAIO Services

Industries

  • All Industries
  • Healthcare IT
  • Financial Services
  • Government
  • Education
  • Teams vs Slack

Power BI

  • Case Studies
  • 24/7 Emergency Support
  • Dashboard Guide
  • Gateway Setup
  • Premium Features
  • Lookup Functions
  • Power Pivot vs BI
  • Treemaps Guide
  • Dataverse
  • Power BI Consulting

Company

  • About Us
  • Our History
  • Microsoft Gold Partner
  • Case Studies
  • Testimonials
  • Blog
  • Resources
  • Contact

Microsoft Teams

  • Teams Questions
  • Teams Healthcare
  • Task Management
  • PSTN Calling
  • Enable Dial Pad

Azure & SharePoint

  • Azure Databricks
  • Azure DevOps
  • Azure Synapse
  • SharePoint MySites
  • SharePoint ECM
  • SharePoint vs M-Files

Comparisons

  • M365 vs Google
  • Databricks vs Dataproc
  • Dynamics vs SAP
  • Intune vs SCCM
  • Power BI vs MicroStrategy

Legal

  • Sitemap
  • Privacy Policy
  • Terms
  • Cookies

© 2026 EPC Group. All rights reserved.

Back to Blog

Microsoft Intune Admins: Important Update on Intune MAM for Outlook iOS Add-Ins

Errin O\'Connor
December 2025
8 min read

Microsoft has introduced significant changes to how Intune Mobile Application Management (MAM) policies interact with Outlook for iOS add-ins, and Intune administrators need to understand these changes to maintain both security and functionality. This update affects organizations that use app protection policies to secure corporate email on iOS devices while also allowing users to leverage Outlook add-ins for productivity.

Understanding the MAM and Outlook Add-In Change

Intune MAM policies protect corporate data within managed applications without requiring full device enrollment. For Outlook on iOS, MAM policies enforce controls such as PIN requirements, copy/paste restrictions, data transfer limitations, and encryption of app data. Outlook add-ins extend Outlook's functionality by allowing third-party integrations directly within the email client -- tools like Zoom for scheduling, Salesforce for CRM context, and DocuSign for signing documents.

The challenge has been that Outlook add-ins on iOS run within the Outlook app context but may transfer data to third-party services in ways that conflict with MAM data protection policies. Microsoft's update changes how these add-ins interact with MAM policies, giving administrators more granular control over which add-ins are permitted and how they handle corporate data.

What Changed for Intune Admins

The key changes that Intune administrators need to be aware of include:

  • Add-in data transfer controls -- MAM policies can now control whether Outlook add-ins are allowed to send corporate data to unmanaged services. This includes blocking add-ins from accessing message content, calendar data, and contact information unless the add-in meets your organization's security criteria.
  • Add-in allow/block lists -- Administrators can configure which specific add-ins are permitted within MAM-protected Outlook. Instead of an all-or-nothing approach, you can now allow approved add-ins (like your organization's Salesforce integration) while blocking unapproved ones.
  • Enhanced app protection policy settings -- New settings in Intune app protection policies give administrators the ability to manage Outlook add-in behavior as part of the broader MAM configuration. These settings appear in the Data Protection section of the app protection policy.
  • Conditional Access integration -- Add-in access can be tied to Conditional Access policies, ensuring that add-ins only function when the device meets compliance requirements and the user is authenticated with MFA.

Impact on Your Organization

The practical implications of this update depend on how your organization uses Outlook add-ins and MAM policies:

  • Organizations with strict DLP requirements -- If you are in healthcare (HIPAA), finance (SOC 2), or government (FedRAMP), you likely have MAM policies that restrict data transfer from managed apps. This update gives you the ability to selectively allow approved add-ins without compromising your data protection posture.
  • Organizations using CRM and productivity add-ins -- If your sales team relies on Salesforce, HubSpot, or Dynamics 365 add-ins in Outlook, you need to test these add-ins against the updated MAM policies to ensure they continue to function correctly.
  • BYOD environments -- For organizations using MAM without device enrollment (the most common BYOD approach), this update is particularly relevant because add-in behavior is managed at the app level rather than the device level.
  • Organizations blocking all add-ins -- If your current policy blocks all Outlook add-ins, you may want to revisit this decision. The new granular controls allow you to selectively enable high-value add-ins while maintaining security.

How to Configure the Updated Policies

Follow these steps to review and configure the updated MAM policies for Outlook add-ins:

  • Step 1: Review current app protection policies -- In the Intune admin center, navigate to Apps > App protection policies. Open your existing iOS app protection policy for Outlook and review the current Data Protection settings.
  • Step 2: Evaluate add-in requirements -- Inventory the Outlook add-ins currently used by your organization. Categorize them as business-critical, nice-to-have, or unnecessary. For each critical add-in, identify what data it accesses and where it sends that data.
  • Step 3: Configure add-in controls -- Update your app protection policy to explicitly allow or block specific add-ins. Use the Organizational allowed/blocked add-ins settings to create your allow list or block list.
  • Step 4: Test with pilot users -- Deploy the updated policy to a pilot group and verify that approved add-ins function correctly while blocked add-ins are properly restricted. Test both new installations and existing add-in usage.
  • Step 5: Monitor and adjust -- Use Intune app protection logs and user feedback to identify any issues with the updated policies. Adjust allow/block lists as needed based on user requirements and security findings.

Security Best Practices for Outlook Add-Ins

Based on our 28+ years of enterprise security consulting, we recommend the following best practices for managing Outlook add-ins in an Intune MAM environment:

  • Default to deny -- Block all add-ins by default and selectively allow only those that have been vetted by your security team. This is especially important for regulated industries.
  • Vet add-in data handling -- Before approving an add-in, review its privacy policy and data handling practices. Understand what data it accesses, where it stores data, and whether it shares data with third parties.
  • Align with existing DLP policies -- Ensure your Outlook add-in controls are consistent with your broader Data Loss Prevention (DLP) policies in Microsoft Purview. An add-in that bypasses DLP rules creates a compliance gap.
  • Regular add-in audits -- Review your approved add-in list quarterly. Remove add-ins that are no longer needed, and re-evaluate the security posture of existing add-ins as vendors update their products.
  • User communication -- Inform users about which add-ins are approved and how to request approval for new add-ins. Clear communication reduces shadow IT behavior and help desk tickets.

How EPC Group Can Help

EPC Group has 28+ years of experience managing Intune MAM policies for enterprises in regulated industries. Our team can help you navigate this update and optimize your Outlook security posture:

  • MAM policy assessment -- We review your current app protection policies, identify gaps in add-in controls, and recommend configuration changes aligned with your security and compliance requirements.
  • Add-in security audit -- We evaluate the security posture of your organization's Outlook add-ins, identifying data handling risks and recommending an approved add-in list.
  • Policy implementation and testing -- We configure the updated MAM policies, test them with pilot users, and validate that approved add-ins function correctly while data protection is maintained.
  • Compliance alignment -- For HIPAA, SOC 2, and FedRAMP environments, we ensure your MAM and add-in policies meet regulatory audit requirements with proper documentation.
  • Ongoing monitoring -- We provide managed services to monitor MAM policy compliance, track add-in usage patterns, and alert on potential security violations.

Secure Your Outlook Mobile Experience

Need help configuring Intune MAM policies for Outlook add-ins? Our mobile security specialists can audit your current policies, implement the latest controls, and ensure compliance with your regulatory requirements.

Schedule a ConsultationCall (888) 381-9725

Frequently Asked Questions

Does this update affect Outlook on Android as well?

The primary focus of this update is Outlook for iOS, as iOS add-ins have a different execution model than Android. However, Microsoft is aligning MAM capabilities across both platforms. Android administrators should monitor the Intune release notes for similar add-in control updates. The app protection policy settings for Android may receive comparable features in subsequent updates.

Will existing add-ins stop working after this update?

Not automatically. If your current MAM policy does not explicitly block add-ins, existing add-ins will continue to function. However, if you have strict "Send org data to other apps: Policy managed apps only" settings, some add-ins may be affected depending on how they handle data transfer. We recommend testing your existing add-ins against your current policies in a pilot environment before making changes.

Can I manage add-ins for users without device enrollment?

Yes. This is one of the key benefits of MAM-based add-in controls. Because MAM policies apply at the application level rather than the device level, you can manage Outlook add-ins on personal BYOD devices that are not enrolled in Intune. Users install Outlook from the App Store, sign in with their corporate account, and the MAM policy (including add-in controls) is applied automatically.

How do I identify which add-ins my users have installed?

You can view add-in usage through the Microsoft 365 admin center under Settings > Integrated apps, and through Exchange Online PowerShell using the Get-App cmdlet. For MAM-specific reporting, Intune app protection logs capture add-in activity on managed devices. Additionally, Microsoft 365 usage reports provide insight into which add-ins are most commonly used across your organization.

What if a user needs an add-in that is currently blocked?

Establish a formal add-in request process. Users should submit a request through your IT service desk, providing the add-in name, business justification, and vendor information. Your security team then evaluates the add-in's data handling practices, privacy policy, and compliance posture before approving or denying the request. If approved, the add-in is added to the allow list in your Intune app protection policy.