Attempting to install an add-in with the "Add from the Office Store" feature with an Exchange 2016 mailbox fails with: “Due to the level of permissions required, your administrator has not allowed you to install this app."

Problem

You have an Exchange Server 2016 CU18 (Version 15.1 Build 2106.2)‎ environment and noticed that when users attempt to install an add-in with the Add from the Office Store feature, it fails with the error:

Due to the level of permissions required, your administrator has not allowed you to install this app.

Attempting to repeat the same procedure through the Exchange Server 2016 ECP’s Organization > add-ins fails with the error:

The app couldn’t be downloaded.

Reviewing the available documentation from Microsoft does not suggest what may be the issue:

Add-in access and installation
https://docs.microsoft.com/en-us/exchange/add-ins-for-outlook-2013-help#add-in-access-and-installation

Specify the administrators and users who can install and manage add-ins for Outlook in Exchange 2013
https://docs.microsoft.com/en-us/exchange/specify-who-can-install-and-manage-add-ins-2013-help

Manage role groups
https://docs.microsoft.com/en-us/exchange/manage-role-groups-exchange-2013-help

Solution

While the documentation wasn’t of much help for a resolution, the following forum discussion where a member presented 4 registry keys to implement did:

https://social.technet.microsoft.com/Forums/en-US/089ec657-bb58-4017-a62b-54a6151657a0/cant-add-office-store-addins-to-exchange-2016-onprem?forum=Exch2016GD

Hey guys,

I had a problem installing any app from the office store as well. In my case my Exchange 2016 was configured to still talk TLS 1.0 instead of TLS 1.2 though TLS 1.2 was already enabled (but not set to default). Obviously Microsoft does no longer accept TLS 1.0.

Therefore I changed some configuration in the registry of my Exchange Nodes by adding some DWORDS. That did the trick.

WinHTTP

WinHTTP provides a high-level server interface to the HTTP/1.1 Internet Protocol that applications and services running on Windows Server can use when establishing secure encrypted HTTPS sessions. Exchange uses it extensively. To ensure that WinHTTP is using TLS 1.2 make sure the following Registry keys are set:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
“DefaultSecureProtocols”:dword:00000a80

2. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
“DefaultSecureProtocols”:dword:00000a80

.NET Framework

The .NET Framework is a core set of code libraries and runtimes that are used by many Windows Server-based services and Applications, including Exchange Server. It’s essential to ensure that the .NET Framework is using TLS 1.2 to encrypt and secure the many API points it provides and uses to communicate. To do this makes sure the following registry keys are set:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
“SystemDefaultTlsVersions”=dword:00000001

2. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
“SystemDefaultTlsVersions”=dword:00000001

With the above registry keys in place, adding the add-in as the user continued to display the error:

Due to the level of permissions required, your administrator has not allowed you to install this app.

However, adding the add-in via the Exchange Server 2016 ECP was successful:

With the add-in added to the organization, users can now choose to install them from the list: