Browse all topics
All guidesGlossary
Microsoft 365 essentials

Microsoft 365 Apps Cloud Policy

The Microsoft 365 Apps Cloud Policy service applies Office app policies to users regardless of device, replacing per-device Group Policy.

The Microsoft 365 Apps admin center Cloud Policy service (sometimes called the Office Cloud Policy Service) is the modern way to configure policies for the installable Microsoft 365 Apps — Word, Excel, PowerPoint, Outlook, OneNote, and others. Unlike Group Policy, Cloud Policy applies to users regardless of device, including BYOD, Mac, and devices not joined to your domain.

What Cloud Policy can configure

Cloud Policy supports the same setting catalogue as the Office Group Policy ADMX templates — thousands of settings covering app behaviour, security, defaults, and customisation. Examples:

  • Default save location (OneDrive vs local).
  • Allowed file types for opening / saving.
  • Macro behaviour — block, prompt, allow.
  • Outlook profile defaults — cached mode, exchange settings.
  • Sensitivity label behaviour in Office apps.
  • Update channel for Microsoft 365 Apps.
  • Telemetry levels sent to Microsoft.
  • Add-in restrictions.

Each policy is configured once in the Cloud Policy admin centre, scoped to users or groups in Entra ID, and applied on next sign-in to Office.

How it differs from Group Policy

| Aspect | Group Policy | Cloud Policy | | --- | --- | --- | | Scope | Devices joined to AD | Users regardless of device | | Identity | Active Directory | Microsoft Entra ID | | Targeting | Computer / OU / GPO | User group | | Coverage | Windows only | Windows, Mac, Web, Mobile | | Update model | GP refresh cycle | Cloud delivery on Office launch |

For Microsoft 365-centric organisations, Cloud Policy is the natural choice because:

  • BYOD and Mac get the same policies as managed Windows.
  • Policies follow the user, not the device.
  • No GP infrastructure required.
  • Web and mobile Office apps participate where applicable.

For mixed environments where Group Policy is already deployed, the two can coexist — Group Policy settings take precedence where both apply, so existing GP configuration continues to work while Cloud Policy fills gaps for unmanaged devices.

Configuration

Configure at the Microsoft 365 Apps admin center (config.office.com):

  1. Create a new configuration.
  2. Scope to a security group or "all users" in Entra ID.
  3. Set platform (Windows, Mac, Web, mobile) for relevant settings.
  4. Pick settings from the catalog with search and filters.
  5. Save and assign — policy distributes via cloud delivery; takes effect on next Office launch.

Each setting has an "Office Group Policy equivalent" identifier so you can verify mappings between systems.

Use cases that work well

  • Pinning Outlook to use a specific authentication mode.
  • Enforcing a default sensitivity label for new documents.
  • Blocking specific add-ins at the tenant level.
  • Forcing Office to use modern authentication only.
  • Setting Office update channel per user group (Targeted Release group on Current Channel, everyone else on Monthly Enterprise).
  • Configuring co-authoring defaults for shared documents.

Use cases that need Group Policy or Intune instead

  • Operating-system-level settings (not Office) — still GP / Intune territory.
  • Apps outside Microsoft 365 — third-party apps need their own management.
  • Settings not in the Office ADMX catalogue — out of scope for Cloud Policy.

Auditing

Every Cloud Policy change is logged in the admin centre with who, when, and what changed. For organisations with strict change control, this audit trail is essential.

For Microsoft 365 customers operating BYOD or mixed-platform environments, Cloud Policy is the cleanest way to apply Office-specific configuration consistently. Combine it with Intune for OS-level management to cover the full picture.