By Brien Posey and Azure Security News
Microsoft has made it a lot easier to apply policy settings to the Office 365 ProPlus applications, which Microsoft has renamed Microsoft 365 Apps for Enterprise. Previously, the preferred method for applying security policies to the Office applications was to use group policy settings. While this technique worked, it had one major shortcoming: group policies only applied to domain-joined devices. As an alternative, IT pros can now use the Microsoft 365 Office cloud policy service on devices running the Microsoft Office apps, even if those devices are not domain-joined.
Where to find and configure Microsoft 365 cloud policy
The Office cloud policy is exposed through the Microsoft 365 Apps admin center, which you can see in the figure below. If you have never heard of the Apps admin center, it may be because Microsoft has yet to add it to Microsoft 365’s list of admin centers (at least as of the time when I am writing this). You can access the Apps admin center here.
To create a new security policy, you will need to open the Apps admin center shown above and then click on Customization, followed by Policy Management. When you do, you should see a screen like the one shown in the following image, indicating that you do not yet have a policy configuration. Go ahead and click the Create button to get started with creating your first policy configuration.
Before I get too far into showing you how to set up a Microsoft 365 cloud policy configuration, there are a few limitations that you need to know about. The first limitation is that the policy configuration will not work with Office Professional Plus 2019 or Office Standard 2019. It’s intended solely for use with Microsoft 365 Apps for Enterprise or Apps for Business. Incidentally, those running Microsoft 365 Apps for Business will find that they can only use settings related to privacy. You will need the Enterprise version to access the other settings. And finally, a few Microsoft 365 plans do not support the cloud policy service at all. These plans include Office 365 Germany, Office 365 GCC, Office 365 GCC High, and DoD.
Once you click on the Create button, you will be taken to a screen like the one shown below. As you can see in the image, the first thing that you will need to do is enter a name for the policy that you are creating. Even though it is not required, it is also a good idea to enter a policy description. This can help others within your organization to understand why the policy was created and what it does.
Once you have provided a policy name and a description, the next thing that you will need to do is to specify the type of policy that you are creating. To do so, just click on the Select Type option. When you do, the page will reveal an option to select the type for this policy configuration. You can choose between applying the policy configuration to users or applying the policy configuration to users who access documents anonymously using the Office Web apps. Keep in mind that you do not necessarily have to choose between one type of policy or the other. Microsoft 365 allows you to create multiple policies, which means that you can create two separate policies — one of each type — if you want to.
The next step in the process varies a bit depending on which type of policy you are creating. If you have chosen to create a user policy, you will need to click on the Select Group option and choose the group you want to associate with the policy. If, on the other hand, you are creating a policy that will be applied to anonymous users, then the assigned group will also be anonymous, and there is no need for you to make a selection.
Groups must exist within Azure AD
This brings up an important point. You can only choose groups that exist within Azure AD. Those groups, however, can be either dynamic or assigned, and you can use security groups or mail-enabled security groups. Regardless of which type of group you choose to use, you will need to have the appropriate permissions within Azure Active Directory. Specifically, you will need to be a global administrator, a security administrator, or an Office Apps administrator.
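A pre-check for the group requirement described above, as an added example that is not part of the original article: it classifies group records in the shape Microsoft Graph returns (the securityEnabled, mailEnabled and groupTypes properties) and keeps only security and mail-enabled security groups. The function names and sample records are constructed for illustration, and treating Microsoft 365 ("Unified") and distribution groups as ineligible is an assumption drawn from the two group kinds the article lists.

```python
# Added example: decide which Azure AD groups fit the article's rule
# ("security groups or mail-enabled security groups", dynamic or assigned).
# Input records use Microsoft Graph group property names; the data is constructed.

def classify_group(group):
    """Return kind, membership type and eligibility for one group record."""
    types = group.get("groupTypes") or []
    security = bool(group.get("securityEnabled"))
    mail = bool(group.get("mailEnabled"))
    unified = "Unified" in types  # Microsoft 365 group marker

    if unified:
        kind = "microsoft 365"
    elif security:
        kind = "mail-enabled security" if mail else "security"
    elif mail:
        kind = "distribution"
    else:
        kind = "unknown"

    return {
        "name": group.get("displayName", ""),
        "kind": kind,
        # Dynamic groups carry the DynamicMembership marker; others are assigned.
        "membership": "dynamic" if "DynamicMembership" in types else "assigned",
        # Assumption: only the two kinds named in the article can be selected.
        "eligible": kind in ("security", "mail-enabled security"),
    }


def eligible_groups(groups):
    """Keep only the groups a user policy configuration could be assigned to."""
    return [r for r in map(classify_group, groups) if r["eligible"]]


# Constructed sample records (not real tenant data).
SAMPLE_GROUPS = [
    {"displayName": "Finance-Users", "securityEnabled": True, "mailEnabled": False, "groupTypes": []},
    {"displayName": "Contractors-Dynamic", "securityEnabled": True, "mailEnabled": False,
     "groupTypes": ["DynamicMembership"]},
    {"displayName": "Helpdesk-MESG", "securityEnabled": True, "mailEnabled": True, "groupTypes": []},
    {"displayName": "All-Staff-DL", "securityEnabled": False, "mailEnabled": True, "groupTypes": []},
    {"displayName": "Project-X", "securityEnabled": False, "mailEnabled": True, "groupTypes": ["Unified"]},
]

if __name__ == "__main__":
    for row in eligible_groups(SAMPLE_GROUPS):
        print(f'{row["name"]}: {row["kind"]} ({row["membership"]})')
```

Running the same check against a tenant export before creating the policy configuration shows which groups will be selectable and which will not.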
The last step in the process is to configure the actual policy that will be applied to the group members. When you click on the Configure Policies box, the interface will display thousands of different policies that you can choose from. As you can see in the next image, you can search for a policy by name, which means you don’t have to sort through all of the policies manually.
The policies shown in the screen capture above are roughly equivalent to group policy settings. If you click on one of the policies, you will be taken to a screen that shows you a description for the policy (or policy setting) and a drop-down list that you can use to configure the policy. As you can see in the next figure, policies can be enabled, disabled, or not configured at all, just as group policy settings can be enabled, disabled, or not configured.
When you are done configuring any of the policies you plan on using, just click the Create button, and your new policy configuration will be created. As previously noted, it is possible to create multiple policy configurations, which is what you would typically do if you needed to map policy configurations to different groups or if you wanted to have policy configurations for both groups and for anonymous users. Because more than one policy configuration might apply to a user, you have the option of prioritizing the policy configurations that you create.