Microsoft introduced Office cloud policy service for Office 365 ProPlus

Microsoft made Office cloud policy service for Office 365 ProPlus generally available and supported for all Office 365 ProPlus customers.

The Office cloud policy service is a cloud-based service that enables you to enforce policy settings for Office 365 ProPlus on a user’s device, even if the device isn’t domain joined or otherwise managed. The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.

The Office cloud policy service is part of a portal for managing Office 365 ProPlus and includes many of the same user-based policy settings that are available when using Group Policy on Windows Server.

Office client policy service manages only user-based policies for Office 365 ProPlus, irrespective of what device you use. Please read the FAQ section at the bottom of this post to see the differences between Office cloud policy and GPO.

What are the requirements for using the Office cloud policy service ?

  • At least Version 1808 of Office 365 ProPlus (the update channel, monthly or semi-annual, does not matter as long as it is Version 1808 or higher). The same minimum version applies to Project Online Desktop Client and Visio Online Plan 2 (previously named Visio Pro for Office 365).
  • Office cloud policy service can’t be applied to other commercial versions of Office that use Click-to-Run, such as Office 365 Business, Office Professional Plus 2019, or Office Standard 2016.
  • User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD-based account.
  • Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
  • To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Desktop Analytics Administrator.

The Office cloud policy service isn't available to the following:

  • Customers with Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD plans.
  • Tenants located in Australia, Brazil, Germany, India, or South Korea.

Once you meet the requirements listed above, you can create a policy configuration and deploy it to users:

  • Build a policy configuration that includes the policies you want to enforce, configured for your organization’s needs.  The service is always up to date and includes the latest policies as they are released.
  • Target a group of users by assigning the policy configuration to a specific AAD security group.
  • Policies are automatically enforced as users sign into Office 365 ProPlus.
  • Health reporting is available for each of the policy configurations, letting administrators know that the policies are getting deployed to users and their devices.

Log in to https://config.office.com/officeSettings/

  1. On the Office Customization page, choose Go to Office policy management.

image

If no policy configurations have been created yet and this is your first visit, you will be prompted with the following screen.

image

On the Policy configurations page, choose Create.

On the Create policy configuration page, do the following:

  • Enter a name.
  • Provide a description (optional).
  • Select the AAD-based security group that is assigned to the policy configuration. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.
  • Configure the policy settings to be included in the policy configuration. You can search on the policy setting name to find the policy setting that you want to configure. You can also filter on the application and whether the policy has been configured.

As you can see below, there are 1334 policy settings available.

image

For now, I will search for Outlook and choose "Empty the Deleted Items folder when Outlook closes" (this is only for testing).

image

Choose true to enable this setting.

image

Once you are done with the policy, you will see the following screen, which lets you change the order of priority and offers the Copy from option.

image

To change a policy configuration, select the policy configuration on the Policy configurations page, and then choose Edit. Make the appropriate changes and then choose Save. You can find the configured policies by filtering on status.

If you want to create a new policy configuration that is similar to an existing policy configuration, select the existing policy configuration on the Policy configurations page, and then choose Copy from. Make the appropriate changes and then choose Save.

We have now created the cloud policy configuration and applied it to the AD security group. We will now monitor the results in Outlook for the configuration that we made.

How to monitor the settings that are applied to users:

Policy settings from the Office cloud policy service are stored in the registry under HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0.

Note:  Only user-based policy settings are available. Computer-based policy settings aren’t available.

The Click-to-Run service used by Office 365 ProPlus checks with the Office cloud policy service on a regular basis to see if there are any policy configurations that pertain to the user. If there are, then the appropriate policy settings are applied and take effect the next time the user opens the Office app, such as Word or Excel.

For example, when a user signs into Office on a device for the first time, a check is immediately made to see if there is a policy configuration that pertains to the user. If the user isn't a member of an AAD group that is assigned a policy configuration, then another check is made again in 24 hours. If the user is a member of an AAD group that is assigned a policy configuration, then the appropriate policy settings are applied and a check is made again in 90 minutes. In the event of an error, a check is made when the user opens an Office app, such as Word or Excel. If no Office apps are running when the next check is scheduled, then the check will be made the next time the user opens an Office app.

If the user is a member of multiple AAD groups with conflicting policy settings, priority is used to determine which policy setting is applied. The highest priority is applied, with “0” being the highest priority that you can assign. You can set the priority by choosing Reorder priority on the Policy configurations page.

Also, policy settings implemented by using Office cloud policy service take precedence over policy settings implemented by using Group Policy on Windows Server, as well as taking precedence over preference settings or locally applied policy settings.
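To confirm on a client which cloud policy values have arrived and whether any of them override a Group Policy value, the following PowerShell script reads the registry path given above. It is an added example, not part of the original post or of Microsoft's tooling. It assumes that Group Policy writes per-user Office settings under HKCU\Software\Policies\Microsoft\Office\16.0 with the same subkey layout as the cloud tree; `Get-PolicyValues` is a helper name made up for this example.

```powershell
# Added example. The cloud path is from the post; the GPO path and the idea
# that both trees share the same subkey layout are assumptions.
$cloudRoot = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
$gpoRoot   = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-PolicyValues {   # hypothetical helper, not a built-in cmdlet
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $rootKey = Get-Item -LiteralPath $Root
    # The root key itself plus every subkey beneath it.
    $keys = @($rootKey) + @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $sub = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                SubKey = $sub
                Name   = $name
                Value  = $key.GetValue($name)
                Kind   = $key.GetValueKind($name)
            }
        }
    }
}

$cloud = @(Get-PolicyValues -Root $cloudRoot)
if ($cloud.Count -eq 0) {
    # Matches the "no Cloud folder yet" state: the client has not checked in,
    # or the user is not in an AAD group with a policy configuration assigned.
    Write-Warning "No values under $cloudRoot. Check sign-in, license and group membership."
} else {
    # Index the Group Policy values by relative path (hashtable keys are case-insensitive).
    $gpo = @{}
    foreach ($v in Get-PolicyValues -Root $gpoRoot) { $gpo["$($v.SubKey)\$($v.Name)"] = $v.Value }

    $cloud | ForEach-Object {
        $id = "$($_.SubKey)\$($_.Name)"
        [pscustomobject]@{
            Setting      = $id
            CloudValue   = $_.Value
            Kind         = $_.Kind
            GpoValue     = $gpo[$id]
            # True when a GPO value exists for the same setting and differs;
            # per the precedence rule above, the cloud value is the one Office honors.
            OverridesGpo = $gpo.ContainsKey($id) -and ("$($gpo[$id])" -ne "$($_.Value)")
        }
    } | Sort-Object Setting | Format-Table -AutoSize
}
```

Run it in the affected user's own session, since the settings live in HKEY_CURRENT_USER and are user-based only.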

I logged into my Windows 10 PC that has ProPlus 1808 semi-annual and verified the registry, but there is no Cloud folder as such.

image

Registry location:

image

I need to wait for some time to get the changes applied on my device in my user profile. Once the policies are applied, the content inside the deleted folder will be emptied after Outlook closes.

After 24 hours of waiting, the policies were applied successfully. As you can see below, emptytrash is set with value 1.

image

When the policy settings are applied, the next time you close Outlook you will be prompted with the following prompt:

If you choose Yes, all the emails in the deleted folder will be removed before Outlook closes.

image

This is so cool and there are many other settings to try out.

Troubleshooting tips:

If the expected policies haven't been correctly applied to a user's device, try the following:

  • Make sure the user is signed into Office 365 ProPlus, has activated it, and has a valid license.
  • Make sure the user is part of the appropriate security group.
  • Check the priority of the policy configurations in OCPS.  If the user is in multiple security groups that have policy configurations assigned to them, then the priority of the policy configurations determines which policies take effect.
  • In some cases, policies might not be applied correctly if two users with different policies sign into Office 365 on the same device and during the same Windows session.

FAQ:

  1. Does the Office client policy service replace Group Policy management options?
    No, this service provides an alternative to Group Policy management. Group Policy management enforces policies on Windows PCs joined to an Active Directory domain, while the Office client policy service only requires the user sign into Office using their corporate credentials (Azure Active Directory) along with a valid Office 365 ProPlus license.
  2. What are primary differences between the types of policies I can enforce using Office client policy service compared to Group Policy?
    Office client policy service manages only user-based policies for Office 365 ProPlus. Group Policy can manage both user-based and machine-based policies.
  3. How does the Office client policy service compare with the Office Customization Tool for Click-to-Run’s application preferences settings?
    The settings configured as part of Office installation using the Office Customization Tool for Click-to-Run – as well as previous OCT versions – are based on ‘preferences’, meaning that a user can change them. Office client policy service settings are enforced, like Group Policy enforcement.
  4. If I use Group Policy Management and the Office cloud policy service, how will conflicts be resolved?
    The policies configured in the Office cloud policy service take precedence over any policies configured via Group Policy Management. If there are conflicts, the values specified in the Office cloud policy service for the conflicting policies will be honored.
  5. Can I import policies from Group Policy Management to Office cloud policy service?
    At this time we do not have import capabilities, but we are looking at providing this functionality to help admins migrate.
  6. How is this different from the Administrative Templates feature in Intune for Device configuration?
    The Office cloud policy service is built specifically for managing Office policies in non-domain joined and non-MDM managed scenarios.  Office cloud policy service is available to any customer that owns Office 365 ProPlus.  If used with Intune, the policies configured in Office cloud policy service take precedence over any Office policies managed via Intune.

References:

https://docs.microsoft.com/en-us/DeployOffice/overview-office-cloud-policy-service

https://techcommunity.microsoft.com/t5/Office-365-Blog/The-new-cloud-based-policy-management-service-for-Office-365/ba-p/480676

Hope it helps!
