When will you let us manage by AAD groups?

Copper Contributor

We have a model where 4k our of our 12k users are not formally managed by us.

That means they can access our tenant and freely download M365 apps, but we do not manage their hardware therefore we don't want to control if they are on current or semi..


Will you give us the ability to restrict servicing to targeted groups within our AAD at some point, or will config.office.com always be based on telemetry within a given instance?


This would also in our case include personal devices who have downloaded M365 apps to use for home@work type situations but don't necessarily want this channel.


Is this in the works, or will it always be one tenant one model regardless of attribute?

2 Replies
If they are not connected to the AAD , then you couldn't manage them and it is up to the user, however in case they sign-in to Microsoft 365 with Office Application, then you could manage their office applications. However once they sign out, you will lose control.
First off, only Apps health from the Apps admin center (aka config.office.com) is based on Diagnostic Data coming from M365Apps instances. Inventory, OCPS and Servicing Profiles do not rely on Diagnostic Data- Regarding managing updates, a feature to restrict the scope of the Servicing Profile to an AzureAD group is in the works and should land in the next few weeks.