Microsoft

Announcing the new cloud-based policy management service for Office 365 ProPlus

Today we are pleased to announce the preview of the Office client policy service to help administrators manage policies for all Office 365 ProPlus users in their organization, from an easy-to-use, Internet-based portal focused on Office 365 ProPlus management.


Office 365 ProPlus allows users to access full Office experiences from multiple Windows devices. These may be managed or MDM-enrolled devices, but are often also personally-owned and unmanaged. Now with the Office client policy service, you can define and enforce Office client policy without the infrastructure or MDM services traditionally required.


The Office client policy service allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups.  Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus.


  • Build a policy configuration that includes the policies you want to enforce, configured for your organization’s needs.  The service is always up to date and includes the latest policies as they are released. 
  • Target a group of users by assigning the policy configuration to a specific AAD security group. 
  • Policies are automatically enforced as users sign into Office 365 ProPlus.


This service is now available as a preview for all organizations with Office 365 ProPlus.  If you are an administrator, you can start using this service by signing into the Office client management portal and creating policy configurations.  As you evaluate this preview, please provide feedback using the feedback button (in the upper right corner) to help us improve the service.


For a guided walk-through of this new service, take a look at this video, which also includes a deep dive into the Office Customization Tool.

For additional documentation on how to use this new policy service and its capabilities, take a look at this document.

FAQ:

Does the Office client policy service replace Group Policy management options?
No, this service complements Group Policy-based management as another option. Group Policy management enforces policies on Windows PCs joined to an Active Directory domain, while the Office client policy service only requires Azure Active Directory sign-in as part of Office 365 ProPlus.

What are the primary differences between the types of policies I can enforce using the Office client policy service compared to Group Policy?
The Office client policy service manages user-based policies for Office 365 ProPlus. Group Policy can manage both user-based and machine-based policies.

How does the Office client policy service compare with the Office Customization Tool for Click-to-Run’s application preferences settings?
The settings configured as part of Office installation using the Office Customization Tool for Click-to-Run – as well as previous OCT versions – are based on ‘preferences’, meaning that a user can change them. Office client policy service settings are enforced, similar to Group Policy enforcement.


Is an Intune subscription required?

No.  It is not required that the tenant have an Intune subscription.  This is a feature of Office 365 ProPlus and only requires that the tenant have a subscription that includes Office 365 ProPlus.


Does this work with all Office Click-to-Run products?

No.  This is a feature of Office 365 ProPlus and only works with the Office apps that are deployed as a part of the Office 365 ProPlus suite.


Does this new policy service support all the policies from the Office ADMX templates?

No.  Currently this preview is limited to a subset of the user-based policies defined in the ADMX templates.  No machine-based policies are included.

Which admin roles are allowed access to configure policies?

Only the Global Admin, Security Admin or Desktop Analytics Admin (private preview) roles are allowed access to create or view policy configurations.

42 Comments
Super Contributor

So, is it enough to be signed in to Outlook with an Exchange Online account, or say OneDrive, or do you have to be signed in to Excel/Word also? Usually when activating Office 365 for the first time such a login happens, but I often found Excel and Word showing there is an error with your account and asking to sign in again. As we didn't need the Office apps to be signed in, it wasn't an issue. But I wonder if that won't break such policy enforcement. What is the main agent/service responsible for pulling policy down from the server?

Super Contributor

I see in the documentation that the security group must be in AAD. Do synced on-premises AD groups work also? Is there, or is there a planned, option for exclusion? Some users might need macros to work, so one might want to exclude some groups but still apply the policy to all users.

Super Contributor

I suppose there are no restrictions based on licenses and this will work with any plan?

Microsoft

Hi Oleg,


Being signed into just one of the Office 365 ProPlus apps will trigger the policy sync which will sync all policies assigned for that user.  OneDrive is excluded as it is not part of the Office 365 ProPlus activation process.  Any security group that is available in AAD, including the security groups you have synced can be targeted.  This will work for any user in the targeted security group(s) that have a valid Office 365 ProPlus license assigned to them.  Exclusion capability is something that we are considering.


Cheers,

Chris

Hi, so Office 365 Business and Microsoft 365 Business suites and installs do not work with this? Is this the preferred option, or should we use Intune MDM if it is already in place?

Microsoft

Correct, this is only available for the ProPlus suite.


Cheers,

Chris

Can the accounts be a synced user from Azure AD Connect? Or is this only for pure AAD users?

Super Contributor

Nick, Chris above says it can be synced users.

New Contributor

This seems cool, however it seems to be a solution built for config manager?

Will the policy option be extended to click 2 run in Intune?

Super Contributor

If you watched the video, then it might be confusing. In the first part they talk about OCT (Office customization tool), which isn't new and it can be used with ConfigMgr. But this blog post is more about the second part of the video OCPS (Office client policy service), which is a part of the same config.microsoft.com portal (same as OCT), but it is designed to set policies for Office installations without MDM (Intune) or ConfigMgr in play.

Contributor

Great.

I was thinking exactly that something was missing.

I tried it and didn't find the option to configure the "Coming soon" feature https://support.office.com/en-us/article/turn-off-coming-soon-for-your-organization-0ac68b98-47e8-47...

Additionally, it would be great to be able to filter on application and/or category and/or status.

New Contributor

@Oleg K

Thanks for the reply.

For me then, who works in a modern management world, this doesn't give me much, since C2R is always deployed via Intune. And if there's no option to configure policies for that package, I'm all out of luck.

Regular Visitor

What admin role is required to access the tool ?

Please don't tell me it is Global Admin

Super Contributor

niklas, I can't test this myself as I don't currently work with Office 365, but from what I understand it doesn't matter how you deploy Office. All that is needed for these policies to work (and I mean only the OCPS part) is for a user to sign in to any Office 365 app with their Office 365 credentials (say into Outlook, or Word, Excel). If you are referring to the OCT part, then I can't tell how it works with Intune exactly.

New Contributor

@Oleg K
My bad, I totally missed it. My bad!

It seems like this is clearly integrated within Intune.  Just have to find a tenant where this preview is enabled.

@niklas jern. It's not integrated with Intune and has nothing to do with Intune; as mentioned, it doesn't require an Intune license. This feature is from Office 365, and it doesn't care how you deploy/install Office 365 ProPlus. 

@Grzegorz Wierzbicki

In order to sign-in to Office client administration site, you must be a Global Admin, Security Admin or Desktop Analytics Admin (private preview). These roles are delegated via your company's Global Admin.

Hi @Yinghua Zeng, currently you can target policies to Security Groups. Do you also plan to support targeting different device states, like Azure AD Joined and Azure AD Registered? Why am I asking? We have a customer who wants two policies: limit Personal OneDrive on company-owned devices and allow Personal OneDrive on BYOD. They currently do not use Intune, so this would meet their needs.

What platforms does the new Client Policy Service support? Does it just enforce policy settings against Windows devices or does it also support Mac, iOS/Android, etc?

hello @Petr Vlk, are you asking me about planning for some features? :D I am an MVP just like you; I don't know the plans. It seems there is only one OneDrive policy in config.office.com; I hope they add more OneDrive policies later.

1. Allow Personal OneDrive on BYOD: I think that is allowed by default already. 

2. Limit Personal OneDrive on company-owned devices: maybe these two settings can be used? Just need to find a way to deploy the two registry values. 
https://docs.microsoft.com/en-us/onedrive/use-group-policy#DisablePersonalSync (User Policy)

https://docs.microsoft.com/en-us/onedrive/use-group-policy#AllowTenantList (Machine Policy)


Regards, Sandy

@Yinghua Zeng: Sorry 😉 Your answers were just great. Yes, but how do we deploy such settings with this tool when we can only target security groups? The devices are only AAD connected, no local GPO is available, and Intune is not in their license suite for now.

Microsoft

@Stuart Chapman this new policy service only works with Office 365 ProPlus on Win32 devices.

Does the policy get wiped when I log in as a different user? For example, I change employer but have an Office ProPlus license with this employer as well, and they set, or don't set, different policies. 

And is it based on the login for license activation or the login for SharePoint/OneDrive storage access? 

And final question from me tonight, can I push different policies if the device is unmanaged? 

Super Contributor

They said that this service is unrelated to Intune/MDM, so it should work on unmanaged devices. It is designed for such scenario.

So, it does not require Intune. But what if Intune is already in place and someone also configures this? Does Intune take precedence, or does a conflict occur and the last one written wins? Has anyone tested this?

Established Member

Great feature, but the limitation to only Windows devices will hinder our adoption. I would like to see non-Windows devices supporting this feature as well, and integration in Intune to allow this to be combined with Conditional Access policies.

New Contributor

@Yinghua Zeng My bad, I was so into what I was doing at work that I wrote the wrong product. I didn't mean Intune; I meant for it to be available in the Azure portal.

From 6:15-ish in the video it looks like he is working on this product within the Azure portal, on a service called 'Customize Office'.

That is what I'm looking for; as someone else said, getting this all gathered in one portal is much more wanted than having yet another separate GUI to administer this within.

The video shows the presenter going into the M365 Device Configuration Portal and not the Azure portal. The aim is that M365 subscribers get a single portal for M365 configuration stuff. The portal is in preview at the moment (https://admin.microsoft.com) and click preview option top right, but even the current preview does not look like the one shown in the video. Maybe that's a future version. 

New Contributor


@Brian Reid

Well, now are we really splitting hairs here? The Device configuration portal is just a slimmed-down version of what you get from the Intune and Azure AD services in the Azure portal.

i.e. all services here are also available in the Azure portal. So when this new service is available, I think it is safe to assume that you will find it in both portals.

The M365 portal is a new portal entirely. It's not an additional bit of an existing portal, and it's only available to M365 subscribers and not O365 subscribers.

Super Contributor

admin.microsoft.com has been available for Office 365 only for a long time, and after watching numerous Ignite sessions I remember them saying that Office 365 admins will get the same new portal. Of course, they will see fewer options/services.

Microsoft

@Petr Vlk - Good question about the precedence for applied policies.  The policies applied to the client when using this new service get stored on the client in HKCU\SOFTWARE\Policies\Microsoft\Cloud\Office\16.0.  Any policies that exist in this location take precedence over policies stored in the Group Policy hive, i.e. HKCU\SOFTWARE\Policies\Microsoft\Office\16.0.  This is true no matter the tool or technology that is used to write the policies to the device.
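As an added illustration of the precedence described in this reply (example code, not from the post or any Microsoft tooling), the following PowerShell reads both user hives named above and reports, per policy value, which hive is supplying the effective setting. It assumes only what the reply states: the two HKCU paths, and that a value present in the Cloud hive overrides the same value in the Group Policy hive.

```powershell
# Added example, not part of the post or any Microsoft tooling. Reads the cloud
# policy hive and the Group Policy hive quoted in the reply and reports the
# effective value per policy, assuming the stated precedence (cloud hive wins).
$CloudRoot = 'HKCU:\SOFTWARE\Policies\Microsoft\Cloud\Office\16.0'
$GpoRoot   = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'

function Get-OfficePolicyMap {
    # Flattens every value under $Root into @{ 'subkey\ValueName' = data }
    param([Parameter(Mandatory)][string]$Root)
    $map = @{}
    if (-not (Test-Path -Path $Root)) { return $map }
    $rootKey = Get-Item -Path $Root
    $keys = @($rootKey) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Path relative to the hive root, so both hives can be compared by name
        $rel = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            $id = if ($rel) { "$rel\$name" } else { $name }
            $map[$id] = $key.GetValue($name)
        }
    }
    return $map
}

function Get-EffectiveOfficePolicy {
    $cloud = Get-OfficePolicyMap -Root $CloudRoot
    $gpo   = Get-OfficePolicyMap -Root $GpoRoot
    $names = @($cloud.Keys) + @($gpo.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $inCloud = $cloud.ContainsKey($n)
        $inGpo   = $gpo.ContainsKey($n)
        [pscustomobject]@{
            Policy     = $n
            CloudValue = $(if ($inCloud) { $cloud[$n] } else { $null })
            GpoValue   = $(if ($inGpo)   { $gpo[$n] }   else { $null })
            Effective  = $(if ($inCloud) { $cloud[$n] } else { $gpo[$n] })
            Source     = $(if ($inCloud) { 'Cloud policy service' } else { 'Group Policy' })
            # True when both hives set the policy and the GPO value is being overridden
            Overridden = ($inCloud -and $inGpo -and ($cloud[$n] -ne $gpo[$n]))
        }
    }
}

Get-EffectiveOfficePolicy | Format-Table -AutoSize
```

Run it in the context of the signed-in user whose policies you want to inspect; rows with Overridden set to True are the Group Policy settings that the cloud service is silently superseding.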

Microsoft

@Brian Reid - This new policy service only writes user policies to HKCU based on the user that is signed into Office 365 ProPlus.  It is based on the user having a valid Office 365 ProPlus license assigned to them and activated.  If you are switching users be aware that just as with Group Policy, if Office apps are running they do not get new policies enforced until the apps are restarted.

@Chris Hopkins thanks, and the specifics of the questions were about a non-domain-joined device changing tenant or using multiple tenants. To clarify, let's say an admin sets "setting 1" to true for tenant one, and I log in as a user under the scope of that setting and so get "setting 1" set to true. But I am also connected to SharePoint/OneDrive in tenant two, and tenant two sets "setting 1" to false. Which one wins? Is the policy service based on the activation user sign-in or the storage sign-in (because they can be different)?

And then if I take a BYOD device and move from tenant one to tenant two, and tenant two does not set "setting 1", does it get nulled out or does it remain in place from the previous company I worked for?


Ta


Brian

Microsoft

@Brian Reid the logic is part of the Click-to-run client and only applies to the user that is signed into Office.  The OneDrive client does not share the same authentication with the Office apps.

Hi @Chris Hopkins - I know the OneDrive client does not share the same authentication as Office; that was not the question. Inside Office Backstage I can sign in to Office for storage access (OneDrive or SharePoint). I can also sign in to Office for activation. These can all be different accounts, and I can be signed in to multiple storage accounts in the same Office product. The question is which of these accounts causes the policy to be downloaded, and if it is the storage account login that triggers it, then what happens if you have more than one added and each of these organizations pushes different or conflicting policies? (The scenario here is guest users/B2B, where the user works for one org with a policy but has access to open SharePoint or OneDrive over a second licence or a B2B, or a scenario where a user works for many different organizations, such as a consultant (my scenario) or a part-time worker who works for two or three different companies in a given month.)

Microsoft

@Brian Reid - it is only the account that you sign into Office with for activation.

Senior Member

@Chris Hopkins Thanks for the work on making this happen. You say "The service is always up to date and includes the latest policies as they are released. " Is there any alerting given to an administrator to advise that new policy items are available for configuration?

Microsoft

@Michael Sampson we are currently working on the 'what's new' design and other filtering/browsing capabilities but currently in the preview this functionality does not exist.  Please feel free to send me feedback as we work to improve this new service.

Senior Member

Thanks for the confirmation @Chris Hopkins. Getting that design flow right will be important; all the best with what you are still working on.