Microsoft Releases Office Cloud Policy Service and Security Policy Advisor Preview for Office 365 ProPlus
Organizations using Office 365 ProPlus productivity suite applications are getting an alternative to Group Policy for managing user-based policies.
This week, Microsoft announced the release of an Office Cloud Policy service accessible by IT pros via a portal page, as well as a related management element at the preview stage called "Security Policy Advisor." The Office Cloud Policy portal lets IT pros set Office 365 ProPlus policies for user devices, even if those devices aren't domain-joined or otherwise managed. The Security Policy Advisor preview recommends best practices for Office 365 ProPlus policies, along with advice on the benefits and risks of applying a policy, plus monitoring and reporting on the actual effects of policies on end users.
Microsoft apparently previewed the Office Cloud Policy service back in January, although back then it was called the "Office Client Policy service," which seems like a better descriptor for what it does. The Security Policy Advisor preview, on the other hand, seems completely new.
Security Policy Advisor Preview
Security Policy Advisor, which appears in the Office 365 ProPlus management portal, is designed to be a better guide for IT pros managing Office 365 ProPlus than having to figure out which policies to apply from Microsoft's security baseline recommendations. It aims to reduce guesswork for IT pros, according to the announcement by Jared Spataro, corporate vice president for Microsoft 365:
In the past, the burden fell to you [IT pros] alone to determine if a particular policy would help or hurt a specific group. Setting macro policies, for example, involved numerous group policy objects (GPOs), each with multiple settings, detailed yet always too generic security baseline studies, and cumbersome deployment.
The Security Policy Advisor service will monitor if policies set for Office 365 ProPlus users are still appropriate, and will offer suggested changes. The policies set via Security Policy Advisor will work with existing Group Policy Objects. However, if there's a conflict, then the "policies you apply via Office cloud policy service will always take precedence," Spataro explained.
IT pros can set up Security Policy Advisor to permit end users to override policies. Alternatively, end users can be restricted from making such changes, according to this document.
Security Policy Advisor requires using the Office Cloud Policy service, and it requires having Office 365 ProPlus version 1904 or later. According to this Microsoft privacy document, Office 365 ProPlus version 1904 "is expected to be available in Semi-Annual Channel (Targeted) in September and in Semi-Annual Channel in January 2020."
Organizations also have to accept that service data will get sent back to Microsoft, which the Security Policy Advisor service uses for its analyses.
Office Cloud Policy Service
The Office Cloud Policy service uses the Office 365 ProPlus Click-to-Run service to check user settings. It only supports user-based policies. It won't work with other Office versions, such as "Office 365 Business, Office Professional Plus 2019, or Office Standard 2016," according to this Microsoft document.
IT pros may still need to use Group Policy to set device policies. Microsoft currently doesn't support importing Group Policy settings into the Office Cloud Policy service, but it's "looking at providing this functionality" to help IT pros move to using the new service.
Microsoft doesn't conceive of the Office Cloud Policy service as being a Group Policy replacement, according to the announcement:
This service [Office Cloud Policy] provides an alternative to Group Policy management. Group Policy management enforces policies on Windows PCs joined to an Active Directory domain, while the Office client policy service only requires the user sign into Office using their corporate credentials (Azure Active Directory) along with a valid Office 365 ProPlus license.
The Office Cloud Policy service requires using the Azure Active Directory cloud-based identity and access management service with Office 365 ProPlus clients, or it requires synchronization with that service. It also requires having Office 365 ProPlus version 1808 installed or later versions.
IT pros can still use the Office Customization Tool to set policies for Office 365 ProPlus users. However, end users can override those settings, unlike policies set with the Office Cloud Policy service.
Microsoft designed the Office Cloud Policy service to support "non-domain-joined and non-MDM [mobile device management] scenarios." If an organization uses a MDM solution such as Microsoft Intune with this service, then the policies set via the Office Cloud Policy service will take precedence.
Microsoft described the requirements for the Office Cloud Policy service in its document. The service isn't available in "Australia, Brazil, Germany, India or South Korea." It's also not available in China (21Vianet) or as part of government Office 365 tenancies.
Microsoft 365 Shared Computer Activation
In other Office 365 news this week, Microsoft announced the ability for Microsoft 365 licensees to use Office 365 productivity applications on shared computers.
It's a perk for organizations subscribed to Microsoft 365 licensing. It doesn't apply to Office 365 Business subscribers, as they are still limited to Office installs on "a limited number of devices, such as 5 PCs," Microsoft's announcement explained.
Shared computer activation of Office for Microsoft 365 subscribers is conceived as being beneficial for shift workers that share a computer and field workers, as well as remote workers connecting to Office 365 hosted on Windows Server.
Microsoft is planning to make this shared computer activation perk available to Microsoft 365 Business subscribers as early as April 30. The rollout to subscribers will get completed "in the next couple of months."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.