Group policies play a central role in the management of Microsoft Office, especially for security configuration. The cloud policy service allows admins to customize Office apps via an M365 service, even if the PCs are not members of a domain.

Basically, the cloud policy service is a group policy from the cloud, albeit with some limitations and differences compared to GPOs distributed via an on-premises Active Directory. Both configure desktop apps via keys in the registry. The cloud policy service is limited to the user branch and does not support all settings. It stores them on the path HKLM:\Software\Policies\Microsoft\Cloud\Office\16.0.

Neither kind of group policy is intended for Office 365 Business. The cloud service only supports Microsoft 365 apps for enterprise (formerly Office 365 ProPlus); the on-premises GPOs additionally cover the Office versions with a perpetual license. The cloud policy service can also apply some settings to Office web apps, and a subset of them can be applied for anonymous users.

In both environments, Microsoft supports its customers with best practices in the use of the Office settings. For local management, there is a separate security baseline for each Office version. Such a baseline is also part of the cloud policy service; it is integrated into the security policy advisor.

While computers running Microsoft Office must be members of an on-premises AD domain when using traditional GPOs, the cloud service expects only that users are logged into Microsoft 365 Apps for Enterprise with an Azure AD account. Accounts can be created either directly in AAD or synced from on-premises AD to the cloud.

The most important features and limitations to note regarding the Office Cloud policy service for Microsoft 365 Apps are:

  • The cloud policy contains only user settings and not computer settings.
  • Only single-value user policy settings are available.
  • New cloud user settings are made available in real time and require no updating of ADMX/ADML template files.
  • Users located in nested groups receive cloud user settings targeted for the parent group.
  • A valid Microsoft 365 Apps for Enterprise license is needed; Office 365 Business is not supported.
  • Cloud policy settings are stored in the Windows registry here: HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0
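To check on a client which cloud settings actually arrived, you can read that key directly. The following PowerShell is an added example, not part of the original article: it lists every value under the cloud policy key for the signed-in user and flags values that are also set under the user-branch GPO key. The GPO path HKCU:\Software\Policies\Microsoft\Office\16.0 and the matching relative layout of both trees are assumptions.

```powershell
# Added example: inventory Office cloud policy values for the current user and
# compare them with values delivered by an on-premises GPO.
$cloudRoot = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'  # path given in the article
$gpoRoot   = 'HKCU:\Software\Policies\Microsoft\Office\16.0'        # assumption: user-branch GPO path

function Get-PolicyValues {
    param([Parameter(Mandatory)][string]$Root)

    $values = @{}
    if (-not (Test-Path -LiteralPath $Root)) { return $values }     # no policy applied yet

    $rootKey = Get-Item -LiteralPath $Root
    $keys = @($rootKey) + @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Key path relative to the root, e.g. "excel\security"
        $relative = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            # Index by relative key + value name so both trees can be joined
            $values["$relative\$name".ToLowerInvariant()] = [pscustomobject]@{
                Key  = $relative
                Name = $name
                Kind = $key.GetValueKind($name)
                Data = $key.GetValue($name)
            }
        }
    }
    return $values
}

$cloud = Get-PolicyValues -Root $cloudRoot
$gpo   = Get-PolicyValues -Root $gpoRoot

$report = foreach ($id in ($cloud.Keys | Sort-Object)) {
    $c = $cloud[$id]
    $g = $gpo[$id]

    # Classify each cloud value against the GPO tree
    if (-not $g)                          { $status = 'CloudOnly'; $gpoData = $null }
    elseif ("$($g.Data)" -eq "$($c.Data)") { $status = 'Match';     $gpoData = $g.Data }
    else                                  { $status = 'Differs';   $gpoData = $g.Data }

    [pscustomobject]@{
        Key = $c.Key; Name = $c.Name; Kind = $c.Kind
        CloudData = $c.Data; GpoData = $gpoData; Status = $status
    }
}
$report | Format-Table -AutoSize
```

Run it in the user's own session, since the key lives in that user's registry hive. Rows marked Differs are the settings to review when a domain-joined PC receives both kinds of policy.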

Configuring the Office Cloud policy service

To configure the Office Cloud policy service, navigate to the Apps Admin Center.

Logging into the Apps Admin Center


Once you have logged in with your organization account, you have the option of configuring Office policies and launching the Security Policy Advisor. Let's look at Office policies.

The Apps Admin Center allows configuring Office policies and accessing the Security Policy Advisor


After clicking Go to Microsoft 365 App policy management, click Create. This starts the process of creating and configuring the policy settings contained in the Office cloud policy service. It also lets you set the scope of the policy for your organization.

Create policy configuration in the Office cloud policy service


In Create policy configuration, the settings are intuitive and expected. You set the name of the policy, description, type, and group, and then actually configure the policy settings you want to include. The policy can be applied to users that exist in Azure Active Directory (Azure AD) backing Microsoft 365.

However, some policy types can also be enforced for users who access Office on the web anonymously, by using the policy type "This policy configuration applies to users that access documents anonymously using Office web apps."

Configuring the new Office cloud policy


You will then set the scope of your policy by choosing the users and groups to which it will apply. Select and configure the policy settings included in the policy. As you can see below, there are 2139 policies at the time of this writing. The settings that are part of the Security Baseline from Microsoft are noted under the Recommendation column.

Selecting policy settings to apply in the Office cloud policy service


Once the policy settings have been configured, click the Create button to create the new Office cloud policy. After it has been created, you will be taken back to the Policy Management blade. Notice the additional options in the Policy Configurations section.

You can copy policies, reorder priorities, and remove them. The Copy and Reorder priority options are valuable when you have multiple policies and you want to change the order in which they are applied, or you want to copy settings from one policy to another.

Cloud policy created


Wrapping up

The Office cloud policy service allows application of user settings to end users accessing business-critical data in the Microsoft 365 Apps for Enterprise environment. Over two thousand policies can be configured to control user activities in the Microsoft SaaS environment.


When a user logs into a device, the cloud policy settings roam with the user to whichever device they are logged into and using Microsoft 365 Apps for Enterprise on. This provides a great way for IT admins to bolster the security of their Microsoft 365 environments for a distributed workforce.

2 Comments
  1. Clear and concise information.

  2. Doug H. 2 years ago

    "The cloud policy service is limited to the user branch and does not support all settings. It stores them on the path HKLM:\Software\Policies\Microsoft\Cloud\Office\16.0." I think you mean to say HKCU (which you refer to later in the article).

    Great article on this, thanks. Recently configured this at my org: I really like the ease of applying security baselines, recommendations informed by telemetry (found one group of users using an Excel 95 workbook!), and the priority setting. (I wish MEM/Intune had a priority setting for Windows 10 Update rings as it would be simpler than includes and excludes.)


© 4sysops 2006 - 2023
