Microsoft has introduced a new Security Policy Advisor service to make it easier for enterprise IT managers to create and manage security policies for users of Office 365.
The advisor service, which was announced by Jared Spataro, a Microsoft 365 corporate vice president, in a recent post on the Microsoft 365 Blog, aims to provide streamlined management tools that will simplify the steps needed to set security policies inside companies for employees, apps, devices and data.
"Securing your users has never been more important, or more difficult," wrote Spataro. "For many, it’s become a scramble to simply stay ahead of the latest threats. And all too often the complexity and variety of the security solutions themselves only adds to your burden."
Security Policy Advisor, which is now in public preview, is the first in what will be a series of security tools to help bolster the apps in Microsoft's Office 365 ProPlus subscription office suite, wrote Spataro. "Security Policy Advisor is a service that offers an easier, more effective way to manage your security policies. It provides custom policy recommendations, supported with rich data insights into how these policies would impact your group's use of features in Office—allowing you to make decisions with full information."
Built to use information that's already available within a company, Security Policy Advisor analyzes how individuals use Office and then recommends specific policies to boost a company's security profile, wrote Spataro.
"Even better, for each recommendation, you can see how people would be impacted, giving you greater confidence in choosing policies that are right for your environment," he wrote. "It may recommend, for example, disabling VBA macros in Word or macros in Excel files from the web—providing relevant threat intelligence (if available) and identifying just how frequently individuals in your group use those features and would be impacted by the policy."
The security policies can be applied with one click at the app, feature or group level and can be easily changed as employees, groups and other workplace organizations change, wrote Spataro.
"Security Policy Advisor actively monitors policy impact on your employees, highlighting areas worth your attention or suggesting changes if needed," he wrote. "If you’ve enabled individuals to override specific policies, you’ll see how this is used. With cloud-based management, you can update or even roll back at the push of a button."
Enterprises that are using Group Policy Objects (GPOs) within a Microsoft Management Console Group Policy Editor can continue to use them alongside the new Security Policy Advisor, because GPOs can run in parallel with any changes made with the Office cloud policy service, wrote Spataro. "Existing policies are retained and, if there are any conflicts, policies you apply via Office cloud policy service will always take precedence."
Taking the Guesswork Out of Configuring Security Policies
A key benefit of the Security Policy Advisor service is that it can help take the guesswork out of configuring security policies for users within organizations.
"In the past, the burden fell to you alone to determine if a particular policy would help or hurt a specific group," wrote Spataro. "Setting macro policies, for example, involved numerous group policy objects (GPOs), each with multiple settings, detailed yet always too generic security baseline studies and cumbersome deployment. And in the end, you still had to wait for frustrated support calls to know the user impact."
The Security Policy Advisor will roll out fully in the coming weeks, according to Microsoft.
In a related announcement, Microsoft also unveiled the availability of its new Office cloud policy service, which is a cloud-based tool that allows enterprises to define policies for Office 365 ProPlus and assign them to users via Azure Active Directory groups. Those policies, once they are configured, are automatically enforced as individuals sign in.
The Office cloud policy service allows companies to extend their reach to managed and unmanaged devices without requiring any on-premises infrastructure or modern device management services.