Policies for Office-apps is not new, but it is new in Microsoft Endpoint Manager admin center (MEM) – I have been asked some question from customers, not having access to the new blade inside MEM portal. This is do to many customers is starting to delegate admin and not use Global Admin for every admin that uses Microsoft services in Azure.
It is best practices only to have the access that the admin needs to perform the job, the best way to do that is not being a Global Admin in Azure. Intune administrator is a good role to have when you are managing devices in  in Microsoft Endpoint Manager.


When trying to access Policies for Office-apps and you do not have access you will receive this message, that is not the same as it is not working, but only that you do not have the necessary rights.

Policies for Office-apps in Intune - 01

If you go to https://config.office.com you will receive the same message just with a recommendation on what to do about it.

Go to Azure Active Directory Admin center with a user that have the rights to assign the right role – find the user that needs the extra roles.

  1. Click Add assignments

Policies for Office-apps in Intune - 03

  1. Search for Office
  2. Select Office apps administrator

Policies for Office-apps in Intune - 04

Intune administrator is not always enough, that depends on what action you need to take, with policies for Office-apps I will recommend using on of two roles:

Read more about the roles permissions here:
Office Apps Administrator permissions

Desktop Analytics Administrator permissions

You can also use but that role gives you even more right that you may or may not need:

Security Administrator


Now the user has rights to Policies for Office-apps

Policies for Office-apps in Intune - 05

So what if what is the different between using policies for Office-apps and ADMX based policy in Intune??

ADMX based policy for Office in Intune, is all the GPO settings that are available for Office Pro Plus, to set them it requires that the device is managed by Intune.
Then the IT admin can set both user and device policies

Policies for Office-apps is a bit different, that applies to all Windows devices that has Office Pro Plus installed when the user signs into to Office. So that means that it applies to Domain joined, Azure Active Directive joined and Workgroup  devices.
The limitations is that it is only user polices – the advantages is that you as a IT admin can set policy like default file format even for Office installation on your users private devices. In my opinion  this helps helps the end user having a better end user experience on Office Pro Plus no matter where it is installed. Use it is configure the behavior of popop for the end user or for security settings that you really mean that the end user need to have on all devices.

The next question if – who wins??

ADMX or GPO will always win, so it you have a more restrictive policy from Intune that will will over policies for Office-apps.
I did a blog post about that – take a look at my previous blogpost “How to deploy Cloud-based user policies to Office ProPlus with out a management system”


Happy testing

Read more:

Overview of the Office cloud policy service for Office 365 ProPlus