- Manage security baselines and compliance policies using Intune - Mon, Nov 29 2021
- Block the installation of USB devices on Windows PCs using Intune - Tue, Nov 23 2021
- Passwork: An easy-to use password manager for the enterprise - Thu, Nov 18 2021
Basically, the cloud policy service is a group policy from the cloud, albeit with some limitations and differences compared to GPOs distributed via an on-premises Active Directory. Both configure desktop apps via keys in the registry. The cloud policy service is limited to the user branch and does not support all settings. It stores them on the path HKLM:\Software\Policies\Microsoft\Cloud\Office\16.0.
Neither kind of group policy is intended for Office 365 Business. The cloud service only supports Microsoft 365 apps for enterprise (formerly Office 365 ProPlus); the on-premises GPOs additionally cover the Office versions with a perpetual license. The cloud policy service can also apply some settings to Office web apps, and a subset of them can be applied for anonymous users.
In both environments, Microsoft supports its customers with best practices in the use of the Office settings. For local management, there is a separate security baseline for each Office version. Such a baseline is also part of the cloud policy service; it is integrated into the security policy advisor.
While computers running Microsoft Office must be members of an on-premises AD domain when using traditional GPOs, the cloud service expects only that users are logged into Microsoft 365 Apps for Enterprise with an Azure AD account. Accounts can be created either directly in AAD or synced from on-premises AD to the cloud.
The most important features and limitations to note regarding the Office Cloud policy service for Microsoft 365 Apps are:
- The cloud policy contains only user settings and not computer settings.
- Only single-value user policy settings are available.
- New cloud user settings are made available in real time and require no updating of ADMX/ADML template files.
- Users located in nested groups receive cloud user settings targeted for the parent group.
- A valid Microsoft 365 Apps for Enterprise license is needed; Office 365 Business is not supported.
- Cloud policy settings are stored in the Windows registry here: HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0
Configuring the Office Cloud policy service ^
To configure the Office Cloud policy service, navigate to the Apps Admin Center.
Once you have logged in with your organization account, you have the option of configuring Office policies and launching the Security Policy Advisor. Let's look at Office policies.
After clicking Go to Microsoft 365 App policy management, click Create. It will start the process to begin creating and configuring the policy settings contained in the Office cloud policy service. It will also allow you to set the scope of the policy for your organization.
In Create policy configuration, the settings are intuitive and expected. You set the name of the policy, description, type, and group, and then actually configure the policy settings you want to include. The policy can be applied to users that exist in Azure Active Directory (Azure AD) backing Microsoft 365.
However, some policy types can also be enforced for users accessing Office on the web anonymously using the policy type: This policy configuration applies to users that access documents anonymously using Office web apps.
You will then set the scope of your policy by choosing the users and groups to which it will apply. Select and configure the policy settings included in the policy. As you can see below, there are 2139 policies at the time of this writing. The settings that are part of the Security Baseline from Microsoft are noted under the Recommendation column.
Once the policy settings have been configured, click the Create button to create the new Office cloud policy. After it has been created, you will be taken back to the Policy Management blade. Notice the additional options in the Policy Configurations section.
You can copy policies, reorder priorities, and remove them. The Copy and Reorder priority options are valuable when you have multiple policies and you want to change the order in which they are applied, or you want to copy settings from one policy to another.
Wrapping up ^
The Office cloud policy service allows application of user settings to end users accessing business-critical data in the Microsoft 365 Apps for Enterprise environment. Over two thousand policies can be configured to control user activities in the Microsoft SaaS environment.
Subscribe to 4sysops newsletter!
When a user logs into a device, the cloud security policy settings roam to whichever device the user is logged into and uses Microsoft 365 Apps for Enterprise. This provides a great way for IT admins to bolster the security of their Microsoft 365 environments by utilizing a distributed workforce.