- What’s your ENow AppGov Score? Free Microsoft Entra ID app security assessment - Thu, Nov 30 2023
- Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
- dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
Basically, the cloud policy service is a group policy from the cloud, albeit with some limitations and differences compared to GPOs distributed via an on-premises Active Directory. Both configure desktop apps via keys in the registry. The cloud policy service is limited to the user branch and does not support all settings. It stores them on the path HKLM:\Software\Policies\Microsoft\Cloud\Office\16.0.
Neither kind of group policy is intended for Office 365 Business. The cloud service only supports Microsoft 365 apps for enterprise (formerly Office 365 ProPlus); the on-premises GPOs additionally cover the Office versions with a perpetual license. The cloud policy service can also apply some settings to Office web apps, and a subset of them can be applied for anonymous users.
In both environments, Microsoft supports its customers with best practices in the use of the Office settings. For local management, there is a separate security baseline for each Office version. Such a baseline is also part of the cloud policy service; it is integrated into the security policy advisor.
While computers running Microsoft Office must be members of an on-premises AD domain when using traditional GPOs, the cloud service expects only that users are logged into Microsoft 365 Apps for Enterprise with an Azure AD account. Accounts can be created either directly in AAD or synced from on-premises AD to the cloud.
The most important features and limitations to note regarding the Office Cloud policy service for Microsoft 365 Apps are:
- The cloud policy contains only user settings and not computer settings.
- Only single-value user policy settings are available.
- New cloud user settings are made available in real time and require no updating of ADMX/ADML template files.
- Users located in nested groups receive cloud user settings targeted for the parent group.
- A valid Microsoft 365 Apps for Enterprise license is needed; Office 365 Business is not supported.
- Cloud policy settings are stored in the Windows registry here: HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0
Configuring the Office Cloud policy service
To configure the Office Cloud policy service, navigate to the Apps Admin Center.
Logging into the Apps Admin Center
Once you have logged in with your organization account, you have the option of configuring Office policies and launching the Security Policy Advisor. Let's look at Office policies.
The Apps Admin Center allows configuring Office policies and accessing the Security Policy Advisor
After clicking Go to Microsoft 365 App policy management, click Create. It will start the process to begin creating and configuring the policy settings contained in the Office cloud policy service. It will also allow you to set the scope of the policy for your organization.
Create policy configuration in the Office cloud policy service
In Create policy configuration, the settings are intuitive and expected. You set the name of the policy, description, type, and group, and then actually configure the policy settings you want to include. The policy can be applied to users that exist in Azure Active Directory (Azure AD) backing Microsoft 365.
However, some policy types can also be enforced for users accessing Office on the web anonymously using the policy type: This policy configuration applies to users that access documents anonymously using Office web apps.
Configuring the new Office cloud policy
You will then set the scope of your policy by choosing the users and groups to which it will apply. Select and configure the policy settings included in the policy. As you can see below, there are 2139 policies at the time of this writing. The settings that are part of the Security Baseline from Microsoft are noted under the Recommendation column.
Selecting policy settings to apply in the Office cloud policy service
Once the policy settings have been configured, click the Create button to create the new Office cloud policy. After it has been created, you will be taken back to the Policy Management blade. Notice the additional options in the Policy Configurations section.
You can copy policies, reorder priorities, and remove them. The Copy and Reorder priority options are valuable when you have multiple policies and you want to change the order in which they are applied, or you want to copy settings from one policy to another.
Cloud policy created
Wrapping up
The Office cloud policy service allows application of user settings to end users accessing business-critical data in the Microsoft 365 Apps for Enterprise environment. Over two thousand policies can be configured to control user activities in the Microsoft SaaS environment.
Subscribe to 4sysops newsletter!
When a user logs into a device, the cloud security policy settings roam to whichever device the user is logged into and uses Microsoft 365 Apps for Enterprise. This provides a great way for IT admins to bolster the security of their Microsoft 365 environments by utilizing a distributed workforce.
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
Clear and concise information.
"The cloud policy service is limited to the user branch and does not support all settings. It stores them on the path HKLM:\Software\Policies\Microsoft\Cloud\Office\16.0." I think you mean to say HKCU (which you refer to later in the article).
Great article on this thanks. Recently configured this at my org: I really like the ease of applying security baselines, recommendations informed by telemetry (found one group of users using an Excel 95 workbook!), and the priority setting. (I wish MEM/Intune had a priority setting for Windows 10 Update rings as it would simpler than includes and excludes.)