Microsoft has made the new Office Client Policy Service available as preview, and this is looking promising.
The solution is a cloud-based service that can enforce policy settings for Office 365 ProPlus on the office client. This is possible even if the device isn’t domain joined or otherwise managed.
The policy settings will be applied to whichever device the user signs into and uses Office 365 ProPlus. The solution includes many of the same user-based policy settings that are available when using Group Policy (GPO).
We need to be aware of the following:
- Office 365 Proplus must be at least Version 1808.
- User accounts must be created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with this AAD-based account.
- A Security group must be created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to the group.
- To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Desktop Analytics Administrator.
- Only user-based policy settings are available. Computer-based policy settings aren’t available.
- Not all user-based policy settings are available. Only user-based policy settings that configure a single value are available currently. Work is being done to make more user-based policy settings available.
- As new user-based policy settings are made available for Office, the Office client policy service will automatically add them. There is no need to download updated Administrative Templates files (ADMX/ADML).
- Policy settings from the Office client policy service are stored in the registry under HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloudOffice16.0.
- Policy settings from Office client policy service take precedence over policy settings implemented by using GPO, and they are taking precedence over preference settings or locally applied policy settings.
When all this in place let give it a quick test-drive:
Lets start by creating a Group in over local AD and let it sync with Azure AD connect.
And then add our test user to the group:
Let’s start an Azure AD connect sync (PowerShell) to speedup the process:
Start-ADSyncSyncCycle -PolicyType Delta
And when we can see the group in Azure Active Directory we are ready to continue:
Start my going to:
Sign-in with your account, remember that it should be Global Administrator, Security Administrator, or Desktop Analytics Administrator:
Accept the license terms:
And then create a new policy configuration:
Name the policy and the slick on Select Group:
Find the group created for this purpose, select it and then click on Configure Policies:
Let’s select a policy we can easily se in the UI when it’s applied, here we will select Block the Office Store:
After clicking the policy we will set Configured to True, and then close the popup:
And finally create the policy by selecting Create:
And our policy is now created:
Before the policy is applied, let’s take a look at UI in Word, let choose the Insert tab and click Get Add-ins:
Here we can see Add-ins available from the Store:
After the policy has been applied, no add-ins from the Store are available:
You will be able to see in registry when the policy has been applied under HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloudOffice16.0
If the user is a member of multiple AAD groups with conflicting policy settings, priority is used to determine which policy setting is applied. The highest priority is applied, with “0” being the highest priority that you can assign.
At the date of writing we have 1625 policies available:
Office 365 ProPlus will check with the Office client policy service on a regular basis to see if there are any policy configurations for the user. If there are, then the appropriate policy settings are applied and take effect the next time the user opens an Office app.
When a user signs into Office for the first time, a policy check is made. If the user isn’t a member of an AAD group that is assigned a policy, then another check is made again in 24 hours.
If the user is a member of an AAD group that is assigned a policy, then the policies are applied and a check is made again in 90 minutes.
Now test it out in your own environment.