Announcing Security Policy Advisor Preview for Office 365 ProPlus

Published 04-23-2019 04:28 PM 33.7K Views

Today we are pleased to announce the preview of Security Policy Advisor, a new service that can help enterprises improve the security of Office 365 ProPlus clients in their organization.


Office provides a rich set of security policies that allow administrators to customize the security of their Office applications to help meet their enterprise’s security needs.  Administrators have traditionally relied on published guidance like security baselines or their own analysis to come up with a set of security policies they need to enforce. In such instances, the burden falls to the administrator to determine if a security policy is right for their enterprise and will not adversely affect user productivity. 


Security Policy Advisor enables IT admins who have deployed Office 365 ProPlus, to manage the security of their Office applications with confidence by providing the following capabilities:


  • Tailored recommendations for specific security policies that can provide a high value in helping to raise the overall security posture of an enterprise and helping to protect against contemporary attacks.
  • Rich data insights on security and productivity impact of applying a policy recommendation that can help admins weigh the benefit vs. risk of applying a policy and make a data-informed decision.
  • One-click deployment of policies to end users through the recently released Office cloud policy service that enables admins to enforce Office policies straight from the cloud to any Office 365 ProPlus client without requiring on-premises infrastructure or MDM services.
  • Monitoring and reporting on policy impact that allows an admin to have visibility into how a security policy recommendation is affecting users without having to wait to hear from them.





This service is now available as a preview in English (en-us) and will be available in additional locales in the coming weeks. If you are an administrator of an organization that has deployed Office 365 ProPlus, you can start using this service by signing into the Office client management portal, turning on Security Policy Advisor and creating Office cloud policy configurations.  For each policy configuration you create and assign to a group of users, Security Policy Advisor will generate recommendations with supporting data that you can review and deploy to users as a policy. Once you have applied a policy, you can continue to monitor its ongoing impact on users through the management portal.


For additional documentation on how to use this new policy service and its capabilities please refer to this document: Overview of the Security Policy Advisor (Preview) for Office 365 ProPlus.


As you evaluate this preview, please provide feedback using the feedback button (in the upper right corner) to help us improve Security Policy Advisor. We look forward to hearing from you!





Note:  Please refer to our documentation for the most up to date information.


What are the pre-requisites to start using Security Policy Advisor?

To start using Security Policy Advisor, your enterprise must have the following pre-requisites

  1. Must be using the Office cloud policy service and meet all the requirements for that service
  2. Office 365 ProPlus apps on the latest Monthly (1904) channel release deployed and being used by users in your organization.
  3. To create the recommendations and insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus. For more information, see Necessary service data for Office.
  4. Office 365 ProPlus clients can communicate back to Microsoft. Specifically, the following Office 365 URLs and IP Addresses for all Office 365 services and clients published here: Office 365 URLs and IP address ranges.

Note: If you are creating a brand new enterprise subscription in Office 365, please wait atleast 24 hours for the service to detect your subscription before trying to use Security Policy Advisor.


How does this relate to a security baseline?

Security baselines are a great starting point for enterprises to configure their applications for security. Office has a published baseline for Office 2016 and Office 365 ProPlus applications.


A security baseline is generic best practice guidance that ultimately needs to be consumed and customized for your enterprise to balance your security and productivity goals. You can use Office cloud policy service to apply the user level policies recommended in the Office security baseline.  Security Policy Advisor complements a security baseline by providing custom recommendations for specific policies that are tailored to your enterprise, helping you to choose the most secure policy that has the least impact on productivity for your organization.


How are the recommendations, productivity and security impact insights generated?

Security Policy Advisor uses the following data to generate recommendations and associated data insights on productivity and security impact:

  1. To create the recommendations and productivity insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus . For more information, see Necessary service data for Office.
  2. If your organization has Office 365 Advanced Threat Protection Plan 2, then Security Policy Advisor can use data from this service to provide insights on recommended policies. These insights will be based on threats that have been detected and stopped by Advanced Threat Protection. For more details on Office 365 Advanced Threat Protection, see Office 365 threat investigation and response.

 For more details, please refer to our documentation.


What happens when I turn off Security Policy Advisor?

When you turn off Security Policy Advisor, usage and threat data from your organization are no longer analyzed and no recommendations or insights will be generated. 


Admins can control the data collected from their clients using the new privacy controls supported by Office apps. More details are available here: Overview of privacy controls for Office 365 ProPlus.


What happens if I do not have Office 365 Threat Investigation and Response (via ATP Plan 2)?

If your organization has Office Threat Investigation and Response (via ATP Plan 2), Security Policy Advisor can use data from this service to provide you with information on threats detected and stopped by ATP that the recommended policy can help protect against. This can be great to quantify the actual risk to your organization when you consider applying a recommendation.


If your organization does not have ATP Plan 2, no problem, Security Policy Advisor will still show you information on the productivity impact that is helpful in assessing and monitoring impact to end users when applying recommendations. 


Which admin roles are allowed to view recommendations and configure policies?

Only the Global Admin, Security Admin or Desktop Analytics Admin (private preview) roles are allowed access to create or view policy configurations.


I'm trying to turn this on, but seeing the error:


"Couldn't retrieve data for 'SecurityAdvisorContainerv2'. Use '7b3a03e0-e191-409e-adb8-52e8b04ef02d' to report this issue to Microsoft."


Hi Adam, Thanks for checking this out and sorry you ran into an issue!


Our team is tracking this now and I will post an update once we identify the cause. 


Thanks again!


No problem at all, happy to test again and report back.

Senior Member

Hi all,


just getting the same error as Adam in my tenant (Office 365, Country of usage: Germany). Happy to try again.



Hello @Adam Fowler  and @RolandEhle ,


We looked into this issue and have the cause. Security Policy Advisor and Office cloud policy service (on top of which this service is built) are currently not available in Australia and Germany.


This is documented here:


The Office cloud policy service isn't available to the following:

·         Customers with Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD plans.

·         Tenants located in Australia, Brazil, Germany, India, or South Korea.

We are formulating plans to expand into these environments and will provide an update when these services are available. 


Thanks again for looking at this feature and offering to provide feedback!



Is this only available for strictly Office 365 Pro Plus? We use E3 on my tenant it seems not available, nor on one with Business Premium licenses. I see it available on a tenant with a Office 365 Pro Plus license.


Or maybe it’s just a fluke that only one tenant is enabled already.




Hello @Alan McFarlane 


 Security Policy Advisor is available for ProPlus and this should include E3 (where ProPlus comes packaged with ProPlus). Does the E3 tenant you refer to have Office 365 ProPlus deployed to users?


Thanks for evaluating Security Policy Advisor and bringing this up. 







Thanks for the quick turnaround @Sriram Iyer - it would be good to have this option disabled, or at least a comment/link there about what tenant locations are supported. I don't think we'd normally see an option to turn something on in a location that's not live yet?


Thank you for the feedback @Adam Fowler. We are working to have this information surfaced in the UX for users from regions where support is not yet available. Also working on getting the service enabled in these regions. I will post an update once that is done. 


Thanks again!


Thanks Sriram. My own tenant with E3 is still missing the new security page completely.



The tenant with Business Premium shows a similar error to what Adam is seeing ("Couldn't retrieve data for 'SecurityAdvisorContainer'. Use ...").  The tenant with one Office 365 Pro license is working, yay (but only showing one user in the counts -- where there are other Premium license).


(I'm in the UK btw.)




Thanks @Alan McFarlane. I will need some additional details for our team to investigate what is going on. I will reach out to you directly.

Not applicable


I always wonder when you say  "Office 365 ProPlus" do you refer to Business Premium licenses also?

Also, will Security Policy feature support changing client update channel and option to offer/force update of client Office desktop application.

I ask this because we have many clients dispersed and not managed by group policy and we would like to have control over update channel and version that clients have installed.


Thanks in advance!


Hi @Deleted 


Thanks for checking this out! 


Security Policy Advisor and Office cloud policy service currently only support Office 365 ProPlus which are available as part of M365 Enterprise offering. This does not include Business Premium. 

There are no policies that support enforcing update channel for clients. This is supported through the Office Customization Tool that is available within to build a Client configuration on the desired channel and deployed using  Office Deployment Tool.





With Sriram's help we've worked out that browser locale settings matter -- for now, as localisation isn't complete yet. The page loads successfully for me when I change the browser local from English-UK to English(/-US).  (I used Chrome since Edge only follows the OS's locale setting.)


@Alan McFarlane, the locale filters are now lifted and Security Policy Advisor should be available in all locales. Please let us know if you are unable to see functionality in the portal with your current locale (English-UK).




Senior Member


I see that the same policies are available under the Deployment Configuration option when creating the XML. Is the purpose of having this under a separate tab to apply it to users with office deployment thru Intune since they are not using the XML file? Thank you


Respected Contributor

I am having the same problem as reported above, i'm in the US and have a tenant

Couldn't retrieve data for 'OfficeSettingsContainer'. Use '7e7248dc-a6e1-4f5b-9229-cdbe9b8c1eb9' to report this issue to Microsoft.

Hello @Ray Kaddiss 


The settings shown under Deployment configuration are essentially preferences and not policies i.e. they are set during deployment and can be changed by your users. The settings shown under Policy Management and Security are policies which you enforce on clients and cannot be changed by users.


@Dean Gross, sorry for the delay, we are looking into this. Can you tell me the country you are accessing this functionality from?

Respected Contributor

@Sriram Iyer I am in the United States. I have tried this in several different tenants and it does not work at all. I am disappointed that I have wasted several hours trying to use something that was obviously not fully tested nor ready for public release


Hi @Dean Gross Sorry to hear about your experience and thanks for trying to evaluate this from multiple tenants. I will reach out to you directly to get more details that can help us narrow down the issue here.

Regular Contributor

The link in "1. Must be using the Office cloud policy service and meet all the requirements for that service" takes me to a page saying "We are sorry, the page is forbidden". It worked when I changed the domain to "" though.


@Ryan Steele Thanks for catching that. I have updated the link.


@RolandEhle , @Adam Fowler , the service has now been updated to work for tenants in Australia and Germany. If you can help preview and provide feedback. Would appreciate that a lot!




Looks good now, seems to be working. Thanks @Sriram Iyer 

Version history
Last update:
‎Jun 19 2019 06:59 AM
Updated by: