News Blog /

How to secure your remote workers with Office Cloud Policy Service

by Spanish Point - Apr 20, 2020
How to secure your remote workers with Office Cloud Policy Service

With more and more users working from home, organisations are facing new security and privacy challenges. One of them might be, that users are working on unmanaged, personal devices accessing corporate data. Classic technologies like Active Directory Group Policy Management do not help in such scenarios, as these do not apply to unmanaged devices.

This blog post will provide guidance on how to leverage the Office cloud policy service (OCPS) to address those scenarios.

Step 1 – Enable OCPS

The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Microsoft 365 Apps for enterprise (formally known as Office 365 ProPlus) on a user’s device. The policy settings roam to whichever device the user signs into and uses Microsoft 365 Apps for enterprise. This applies whether the device is managed through on-premises domain devices, as a Azure AD registered, Azure AD Joined, or Hybrid Azure AD joined device.

You should start by verifying the requirements:

  • Supported version of Microsoft 365 Apps for enterprise deployed
  • Licensed for Microsoft 365 Apps for enterprise
  • At least one Azure AD group which contains the users you’re targeting.
  • An admin user with at least the Office Apps Admin role assigned
  • Clients must be able to reach these URLs: *, *, over 443

Step 2 – Create a policy configuration and assign to users

Now you should create your first policy configuration and assign it to a group of users:

  • Expand the Customisation node and select Policy Management.
  • On the Policy configurations page, choose Create and provide a name and a description.
  • In Assignments, choose whether this policy applies to users of locally installed Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web.
  • Select the AAD-based security group that is assigned to the policy configuration. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.
Secure Remote Devices W Ocps 3

Step 3 – Set policies

After clicking on Configure policies you can start to search for and configure policies. Please note that most policies are only applicable to Office on Windows, but some are applicable cross-platform as noted in the platform column in the policy list.

As a starting point, you can filter the Recommendation column to view the recommended Microsoft Security baseline policies. Click on each policy name to view the description and decide if you want to keep the baseline’s recommended value or manually configure it. The reviewed items will switch the Status to Configured when applied.

Secure Remote Devices W Ocps 4

Step 4 – Additional considerations

As policies configured through OCPS are following the user across all devices, it is not limited to remote workers or users on un-managed devices. You should consider folding your on-prem policies into OCPS policies and go forward with a single solution for both on-prem as well as off-prem users. Once you have deployed OCPS policies, you can also enable the Security Policy Advisor to get further insights into high impactful these changes are for your users. Maybe there are opportunities to further tightening it up without impacting users.


Spanish Point provides managed services and support for Office 365. We successfully support customers with out-of-box Office 365 implementations and large customised enterprise Office 365 environments. 

For More Information