Intune is the mobile application management solution to configure and manage policies related to the software deployed within your organization. These policies are assigned to your users and devices and control how applications behave.
Just as you saw with Group Policy, Intune also provides policies specifically for controlling how Microsoft Office apps behave. Mobile app management policies within Intune allow cloud-based management of your Office apps that can be applied to groups of end users. In addition to configuring app features available to users, you can control how apps access Microsoft 365 services, control data sharing, and enforce security requirements.
Some examples of Office app policies are shown in Table 4-2.
TABLE 4-2 Examples Office app policies
| Office app | App policy |
| Microsoft PowerPoint | Turn off Protected View for attachments opened from Outlook |
| Microsoft Visio | Block macros from running in Office files from the Internet |
| Microsoft Word | Turn off Protected View for attachments opened from Outlook |
| Microsoft Publisher | Publisher Automation Security Level |
| Microsoft Project | Allow Trusted Locations on the network |
Organizations can use the Microsoft 365 Apps admin center to configure the Cloud Policy service for Microsoft 365 (known as Cloud Policy). If you have an Intune subscription, you can use Cloud Policy directly in the Microsoft Intune admin center under Apps\Policy\Policies for Office apps. Both services include many of the same user-based policy settings available in Group Policy. Once defined, Cloud Policies are automatically enforced as users sign in and use Office.
Before you can use the Cloud Policy with Microsoft 365 Apps for enterprise, you need to meet the following requirements:
- A supported version of Microsoft 365 Apps for enterprise.
- User accounts created in or synchronized to Azure Active Directory (Azure AD). Users must be signed into Microsoft 365 Apps for enterprise with an Azure AD-based account.
- Cloud Policy supports Microsoft 365 Groups and Azure AD Security Groups created in or synchronized to Azure AD. The group membership type can be either Dynamic or Assigned.
- The required URLs and IP address ranges listed here must be properly configured on your network: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online.
- Do not use authenticated proxies.
- Only users who are members of one of the following roles in Azure AD can create a policy configuration:
- Global Administrator
- Security Administrator
- Office Apps Admin
Note Click-To-Run Volume Licensed Versions of Office
You cannot apply policy configuration to volume-licensed versions of Office that use Click-to-Run, such as Office LTSC Professional Plus 2021 or Office Standard 2019.