If you have a Microsoft 365 business subscription, you can use the Microsoft 365 Apps admin center to configure Office remotely. In addition, you can receive reports about your Office installations.

If you have ever used the Office Deployment tool, chances are that you have also tried to create a custom XML file to control its behavior. Microsoft offers a website to assist with that at config.office.com. It now resembles a wizard and allows you to easily make a custom XML file without worrying about syntax.

Microsoft 365 Apps admin center

Microsoft 365 Apps admin center

You can create or import an existing XML file and update it.

Create custom XML for ODT

Create custom XML for ODT

Scroll down the page to work through each section, exclude apps, or set the update channel and a specific version to deploy.

XML options for ODT

XML options for ODT

However, this is not the only thing the Microsoft 365 admin center is good for. If you sign into the site using your Microsoft 365 Administrator credentials, a lot of additional functionality is available to you to customize and monitor your Office applications and device health.

Microsoft 365 Apps admin center setup

Any office application that is signed into your tenant will report to this platform and can be controlled using policies. Below, we will walk through an overview of what each section allows you to do. The system does require setup, and several components, such as OneDrive monitoring, take a few days to start collating reports.

Once you're signed in, go to Setup in the left menu. If this is the first time you have signed in, you may be shown a screen saying setup is in progress. It says you may need to wait 10 minutes to 24 hours.

M365 Apps admin setup page

M365 Apps admin setup page

Once setup is completed, the setup section will show you a tenant association key and an inventory clean-up selector.

Tenant association key

The tenant association key was previously pushed out to devices along with a registry value (or GPO) 'SyncAdminReports.' This is being replaced by a new policy setting, as you will see later. It is now automatically retrieved by a device if it meets the requirements. You can read more about those requirements here.

Tenant association key

Tenant association key

Inventory cleanup

Inventory cleanup is used to keep the device inventory fresh. Any device that has not reported for a set period will be removed. By default, this is 90 days. After 90 days, the inventory data will be removed; it won't do anything to the device itself.

Moving back to the top of the page, we can start going through the available options.

Servicing

Under Servicing, we have the option to configure update policies for the Microsoft 365 Apps in our tenant. These policies will apply to any application that a member of the tenant signs into, and take precedence over any policies set in other management tools. This may be something to consider if you are using Intune.

The servicing profile is split into several sections. The main one requiring attention during configuration is Settings.

Servicing device selection

Servicing device selection

This is where you will configure how to target devices in your environment, and any exclusions you need to apply. For example, recently, a senior manager wanted to move their devices to an insider build of Office, so we needed to exclude their devices from our servicing policy. By creating a group in Azure AD for their devices (dynamic group by device ownership), we were able to easily target and exclude them.

You can also configure rollout waves by group targeting and set exclusion dates where no updates will be deployed. Possibly useful during tax season?

Under Devices, when your devices have checked in, you will see the device name and the version number of Office applications. You can also configure rollback groups if you need to roll back to a previous version.

Device health screen

Device health screen

Office Deployment Tool XML files

Under Device Configuration, we can create XML files to store for various purposes or choose from preexisting ones provided by Microsoft. These are not pushed out to any clients and simply serve as a repository of XML files available for download. These XML files are useful for controlling which apps and which SKU are deployed to a device.

For example, you may have a team that needs to have Access deployed to its machines, but you do not want to install it on all machines. You can create two XML files: one that installs Access and one that excludes it.

Alternatively, you may have a team that needs Project or Visio deployed on its machines.

Storing these XML files centrally in this portal means that they are easily accessible to any of the technicians who need them.

Policies

Under Policy Management, we can define settings for our Office applications.

Manage policy options

Manage policy options

Policies can be applied to specific users or to all users in the organization. I suggest testing with a small batch of users before rolling anything out to the whole organization. Policies are applied in priority order when conflicts arise.

There are over 2000 policy settings for all Office Apps that can be configured. Luckily, filters are available to narrow down what you may want to look at. I have to say that I found this section quite confusing.

In the Area column, notice that some settings say 'Security Baseline.' They also say 'Not configured,' so I didn't know if that meant the settings were configured to a baseline, or they were part of the baseline but not configured. I decided it was the latter. Where I wanted to copy the baseline policy, I copied what was visible. So in this example, I set the policy to Enabled, with Load only Outlook Controls.

Set baseline policy settings

Set baseline policy settings

There are 133 policy settings that have baseline tagged onto them, so grab yourself a flask of coffee and dive in.

Health

Under Health, you can see the health of your apps and how many errors have been logged per application. This is useful if you are monitoring the rollout of a new version of Office.

M365 Apps health

M365 Apps health

M365 Apps metrics

M365 Apps metrics

You can see information regarding security update status and monitor OneDrive sync health if your OneDrive clients are on the production or insiders ring. There is even a section to monitor the Office add-ins running in your organization and the impact they have on loading times.

OneDrive sync health

OneDrive sync health

M365 Apps health add ins

M365 Apps health add ins

Enabling inventory and health reporting

This leads us nicely to how to set this up on the client. As mentioned above, you previously used the tenant association key in your policy to tie your device to your organization.

It seems Microsoft has made changes to this functionality, and with the new builds of OneDrive, a new policy setting will be available.

Subscribe to 4sysops newsletter!

Old Setting Value Type
SyncAdminReports <tenant association key> String
GPOSetUpdateRing 0, 1, or 2 DWORD
New Setting Value Type
EnableSyncAdminReports 1 DWORD
GPOSetUpdateRing 4, 5, or 0 DWORD

Further reading

1 Comment
  1. Ed Bose 4 weeks ago

    Hi Robert,

    Nice write up!
    What roles grant or limit access to this portal?

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account