Office 365 Cloud Policy Service and Security Policy Advisor (Security Baseline Policies)

Did you know about Office Cloud Policy Service and Security Policy Advisors?

The Office cloud policy service: lets you enforce policy settings for Microsoft 365 Apps for enterprise (previously named Office 365 ProPlus) on a user’s device, even if the device isn’t domain joined or otherwise managed. When a user signs into Microsoft 365 Apps for enterprise on a device, the policy settings roam to that device. You can also enforce some policy settings for Office for the web, both for users who are signed in and for users who access documents anonymously.

The Office cloud policy service is part of a portal for managing Microsoft 365 Apps for enterprise. The service includes many of the same user-based policy settings that are available in Group Policy. You can also use the Office cloud policy service directly in the Microsoft Endpoint Manager admin center.

The following are the requirements for using the Office cloud policy service with Microsoft 365 Apps for enterprise:

• At least Version 1808 of Microsoft 365 Apps for enterprise.
• User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Microsoft 365 Apps for enterprise with an AAD-based account.
• Office cloud policy service supports security groups and mail-enabled security groups created in Azure AD. The membership type can be either Dynamic or Assigned.
• To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.

Security Policy Advisor: When you create policy configurations, you can review and apply policies that are recommended by Microsoft as security baseline policies. These recommendations are marked as “Security Baseline” when selecting policies. You can also use Security Policy Advisor to receive and implement security policy recommendations. These recommendations are based on Microsoft best practices and information about your existing environment.

The following are the requirements for using Security Policy Advisor:

• Must be using the Office cloud policy service and meet all the requirements for that service.
• At least version 1908 of Microsoft 365 Apps for enterprise.
• To create the recommendations and insights, Security Policy Advisor relies on required service data from Microsoft 365 Apps for enterprise. For more information, see Required service data for Office.
• The required URLs and IP address ranges properly configured on your network.

To enable security policy recommendations, sign in to the portal for managing Microsoft 365 Apps for enterprise, click Security, and then choose On for the Security Policy Advisor.

How Security Policy Advisor creates recommendations

When a security group has been assigned a policy configuration, Security Policy Advisor analyzes how users in that group work with Microsoft 365 Apps for enterprise. Based on this analysis and on Microsoft best practices, recommendations are created for specific security policies and insights about the impact of those policies on productivity and security.

Recommendations are usually generated within a few minutes of a policy configuration being applied to a group. On rare occasions, it may take longer. In such instances, please revisit Security Policy Advisor to check if new recommendations are available.