Outlook add-in setup

The ThouShaltNotClick Outlook add-in puts a real-time trust score, link checker, and one-click report buttons inside Outlook itself — web, desktop, and mobile. Staff can read an email and see a verdict without leaving their inbox. This page shows IT admins how to deploy the add-in tenant-wide (or to specific groups) from the Microsoft 365 admin center.

ℹ️

Sideload time is about 5–10 minutes. Microsoft handles the rollout to user mailboxes within 6–24 hours after you finish the steps below; some clients pick it up immediately once the user restarts Outlook.

What you'll need

A Microsoft 365 tenant with mailboxes (any plan that includes Outlook works).
Global Administrator or Exchange Administrator role.
The TSNC manifest file: www.thoushaltnotclick.com/outlook-manifest.xml

Step-by-step: Deploy the add-in

1
Download the manifest
Right-click this link and choose Save link as… → save as outlook-manifest.xml. Don't open it in your browser first — some browsers will rewrite the XML.
2
Open the M365 admin center
Sign in to admin.microsoft.com.
3
Navigate to Integrated apps
In the left nav, expand Settings → click Integrated apps. If you don't see it, make sure your role includes “Global Reader” or higher.
4
Upload custom apps
Click Upload custom apps at the top. A wizard opens.
5
Pick "Office Add-in" and "Provide manifest file"
Choose the radio buttons for an Office Add-in, then for “I have a manifest file”.
6
Upload the manifest
Click Choose File and pick the outlook-manifest.xml you saved in step 1. Click Validate — you should see a green checkmark and the add-in name “ThouShaltNotClick”.
7
Choose who gets it
The next screen asks who to deploy to:
- Entire organization — everyone with a mailbox.
- Specific users/groups — recommended for a phased rollout. Pick a security group like “TSNC Pilot”.
- Just me — install it only on your own account, useful for testing first.
8
Accept permissions
The add-in requests ReadWriteMailbox permission. This lets it read the email being viewed and show notifications on it — it does not send email or modify your mailbox structure.
9
Click Deploy
Microsoft now pushes the add-in to the chosen mailboxes. Allow up to 6 hours for it to appear — web Outlook usually picks it up within minutes, desktop Outlook may require a restart.

What staff will see

Once deployed, three buttons appear in the ribbon when an email is open:

TSNC Panel — opens the analysis sidebar with trust score, AI summary, red flags, and per-link scans.
Report Phishing — one-click submit. The email is reported to your school admin, and a small green banner appears on the email confirming.
Mark as Safe — one-click confirmation that this email is legitimate. Useful for training the sender-reputation scorer.

First time staff open the panel they'll be asked to sign in once. After that, the token is cached securely — no re-auth on every email.

Troubleshooting

The add-in doesn't appear in Outlook after deployment.+

Two common causes:

The user's mailbox hasn't synced yet. Microsoft says up to 6 hours; in practice web Outlook is near-instant, desktop usually within an hour after restart.
The user is on an Outlook build older than 2016. Mailbox API 1.10 (which we require) is present in Outlook 2016 and later, and all current Outlook on the web / Outlook for iOS & Android. Earlier desktop builds won't see it.

Validation fails with 'manifest schema invalid'.+

Almost always caused by saving the manifest as something other than UTF-8 XML. Re-download the manifest using right-click → Save link as… rather than opening it and using Save page as. Don't edit it in Word or Excel.

Staff see 'TSNC needs to be reinstalled' or the panel won't open.+

This usually means the manifest version on the M365 side is outdated. We bump the manifest version with each release and re-publish; you can pull the latest by uploading the manifest file again from this page (Microsoft handles the version compare).

Can we deploy to specific groups instead of the whole tenant?+

Yes — in step 7 above, choose “Specific users/groups” and select a security group. We recommend a small “TSNC Pilot” group of 5–10 staff for the first week, then expanding tenant-wide once feedback looks good.

Does this replace the browser extension?+

No — they're complementary. The browser extension scans every link on every page across the whole web (Gmail, Slack, etc.); the Outlook add-in is purpose-built for staff who live in Outlook and want the verdict without switching tabs. Most schools deploy both.

Privacy & data handling

The add-in only reads the email the user is currently viewing, only when they open the panel or click a report button. We send: sender, subject, body text, and link URLs. We do not read other emails in the mailbox, attachments, calendar, or contacts. The same data-handling rules apply as the rest of TSNC — see the Trust Center for full details.