Introduction
I realized there isn't an official Microsoft recommendation on how to design Cloud Policy configurations. Perhaps that is because many companies simply migrate what they already have in Group Policy (manually, as there is no automated or scripted method). I decided to write it up in a blog article anyway, because I did receive questions about it from my customers.
Design approach
My chosen approach is the one that this article describes:
To structure policies related to common access needs and bundle a set of access needs in a persona for a group of users who have the same needs. Personas are identity types that share common enterprise attributes, responsibilities, experiences, objectives, and access.
Microsoft also recommends
…defining a separate persona for identities that are not part of any other persona group. This is called the Global persona. Global is meant to enforce policies for identities that are not in a persona group and policies that should be enforced for all personas
Contoso
As an example, I will take a fictitious company we all know, Contoso.
Contoso is migrating from Group Policy to Cloud Policy, and they are taking the opportunity to clean up some configurations along the way.
They export the currently applied Group Policy settings to an MHT report with the good old GPRESULT (gpresult /h) and start defining personas.
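An MHT report is fine for reading, but for the persona mapping it helps to have the configured Office settings as objects you can sort and filter. The script below is an added example, not from the original article: it builds that inventory from a Group Policy XML report. The XML is constructed for this example and follows the shape of `Get-GPOReport -ReportType Xml` output as assumed here (the policy categories are made up); in a real run you would replace it with the cmdlet call shown in the comment. It also flags computer-scoped settings, because Cloud Policy delivers user policies only, which the article does not mention but which decides what can be migrated at all.

```powershell
# Added example, not from the original article: inventory of the Office settings
# currently configured through Group Policy, as input for persona mapping.
# The XML below is constructed and assumed to follow the shape of
# `Get-GPOReport -ReportType Xml`; in a real run replace it with
#   [xml]$report = Get-GPOReport -Name 'Contoso Office Baseline' -ReportType Xml
# (GroupPolicy module from RSAT, run from a domain-joined admin workstation).
[xml]$report = @"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>Contoso Office Baseline</Name>
  <User>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
        <q1:Policy>
          <q1:Name>Block Excel XLL Add-ins that come from an untrusted source</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Microsoft Excel 2016/Excel Options/Security/Trust Center</q1:Category>
        </q1:Policy>
        <q1:Policy>
          <q1:Name>Allow the use of connected experiences in Office</q1:Name>
          <q1:State>Disabled</q1:State>
          <q1:Category>Microsoft Office 2016/Privacy/Trust Center</q1:Category>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </User>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q2:RegistrySettings">
        <q2:Policy>
          <q2:Name>Update Channel</q2:Name>
          <q2:State>Enabled</q2:State>
          <q2:Category>Microsoft Office 2016 (Machine)/Updates</q2:Category>
        </q2:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"@

function Get-OfficePolicyInventory {
    param([Parameter(Mandatory)][xml]$Report)
    # local-name() ignores the per-extension namespace prefixes (q1, q2, ...) the report uses.
    foreach ($p in $Report.SelectNodes("//*[local-name()='Policy']")) {
        $scope    = $p.SelectSingleNode("ancestor::*[local-name()='User' or local-name()='Computer']").LocalName
        $category = $p.SelectSingleNode("*[local-name()='Category']").InnerText
        # Only Office Administrative Template settings are candidates for Cloud Policy;
        # anything else in the GPO (Windows settings, scripts, preferences) stays where it is.
        if ($category -notmatch '^Microsoft (Office|Access|Excel|OneNote|Outlook|PowerPoint|Project|Publisher|Visio|Word)') { continue }
        [pscustomobject]@{
            Scope    = $scope
            Category = $category
            Name     = $p.SelectSingleNode("*[local-name()='Name']").InnerText
            State    = $p.SelectSingleNode("*[local-name()='State']").InnerText
            # Cloud Policy delivers user-scoped settings only, so computer-scoped ones
            # (here: Update Channel) must stay in Group Policy or move to another tool.
            CloudPolicyCandidate = ($scope -eq 'User')
        }
    }
}

Get-OfficePolicyInventory -Report $report | Sort-Object Scope, Category, Name | Format-Table -AutoSize
```

Run it once per GPO (or over `Get-GPOReport -All`) and the `CloudPolicyCandidate` column already separates the settings that can become persona policies from the ones that need a different home.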
Contoso Personas

Every Persona has a corresponding Cloud Policy created:
| Cloud policy | Scope | Description |
|---|---|---|
| Early adopters | Security group | Enables features that are being evaluated for company-wide rollout, scoped to a group of early adopters or chosen “champions”. |
| IT | Security group | Enables settings that are still being evaluated by IT and that might later be released to the early adopters. |
| Global | Tenant-wide | The base policy for all users. A setting configured here applies unless a higher-priority policy configures the same setting: for example, if this policy disallows Connected Experiences but a higher-priority policy enables it for a group of users, that group will have it enabled. |
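The override rule in the table is easy to state and easy to get wrong once a user is in more than one group. The script below is an added example, not from the original article: a small model of how Contoso's three policy configurations combine for a given user, plus a check that lists every place a persona policy weakens or changes the Global baseline. Its assumptions are spelled out because the article only describes them in prose: configurations are evaluated from the lowest priority number (top of the list) to the highest (the tenant-wide Global policy at the bottom), a configuration applies to a user if it is tenant-wide or the user is in its security group, and for each setting the first applicable configuration that defines it wins. The group names, users and setting values are made up.

```powershell
# Added example, not from the original article. Assumed precedence model:
# lower Priority number wins, tenant-wide (Group = $null) applies to everyone,
# first applicable configuration that defines a setting wins for that setting.
# Group names, users and values are constructed for the example.
$policyConfigs = @(
    [pscustomobject]@{ Name = 'IT'; Priority = 0; Group = 'SG-Office-IT'
                       Settings = @{ 'Allow the use of connected experiences in Office' = 'Enabled'
                                     'Check for accessibility issues while editing'    = 'Disabled' } }
    [pscustomobject]@{ Name = 'Early adopters'; Priority = 1; Group = 'SG-Office-EarlyAdopters'
                       Settings = @{ 'Allow the use of connected experiences in Office' = 'Enabled' } }
    [pscustomobject]@{ Name = 'Global'; Priority = 2; Group = $null   # $null = tenant-wide
                       Settings = @{ 'Allow the use of connected experiences in Office'          = 'Disabled'
                                     'Block Excel XLL Add-ins that come from an untrusted source' = 'Enabled'
                                     'Check for accessibility issues while editing'               = 'Enabled' } }
)

# Constructed group memberships; in practice you would read them from Entra ID.
$users = @{
    'alice@contoso.com' = @('SG-Office-IT', 'SG-Office-EarlyAdopters')
    'bob@contoso.com'   = @('SG-Office-EarlyAdopters')
    'carol@contoso.com' = @()
}

function Get-EffectiveOfficePolicy {
    param([string[]]$Groups, [object[]]$Configs)
    $effective = @{}
    # Walk from the highest priority (lowest number) down to the tenant-wide policy;
    # the first configuration that sets a policy wins, later ones only fill gaps.
    foreach ($cfg in ($Configs | Sort-Object Priority)) {
        $applies = ($null -eq $cfg.Group) -or ($Groups -contains $cfg.Group)
        if (-not $applies) { continue }
        foreach ($setting in $cfg.Settings.Keys) {
            if (-not $effective.ContainsKey($setting)) {
                $effective[$setting] = [pscustomobject]@{
                    Setting = $setting
                    Value   = $cfg.Settings[$setting]
                    Source  = $cfg.Name
                }
            }
        }
    }
    $effective.Values | Sort-Object Setting
}

function Find-BaselineOverrides {
    # Every setting where a group-scoped policy changes the value the Global policy sets.
    # These are the settings to review, because a persona can silently relax the baseline.
    param([object[]]$Configs)
    $global = $Configs | Where-Object { $null -eq $_.Group }
    foreach ($cfg in ($Configs | Where-Object { $null -ne $_.Group } | Sort-Object Priority)) {
        foreach ($s in $cfg.Settings.Keys) {
            if ($global.Settings.ContainsKey($s) -and $global.Settings[$s] -ne $cfg.Settings[$s]) {
                [pscustomobject]@{
                    Config   = $cfg.Name
                    Group    = $cfg.Group
                    Setting  = $s
                    Global   = $global.Settings[$s]
                    Override = $cfg.Settings[$s]
                }
            }
        }
    }
}

foreach ($upn in ($users.Keys | Sort-Object)) {
    "== $upn (groups: $($users[$upn] -join ', '))"
    Get-EffectiveOfficePolicy -Groups $users[$upn] -Configs $policyConfigs | Format-Table -AutoSize | Out-String
}
"== Settings where a persona policy overrides the Global baseline"
Find-BaselineOverrides -Configs $policyConfigs | Format-Table -AutoSize
```

With these inputs alice (in both groups) gets Connected Experiences from the IT policy, bob gets it from Early adopters, and carol, who is in no persona group, gets the Global value. The override list is the review artefact: anything that shows up there should be a deliberate decision for that persona, not an accident of group membership.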
Defining the Global policy
The Microsoft 365 Apps Cloud Policy service has no tenant-wide policy configuration out of the box, so Contoso administrators start by creating the Global policy and choosing the first scope option, “This policy configuration applies to all users”.

On the next page of the wizard the global settings are configured. Looking at the pre-created filters under “Select policy settings for this configuration”, we also find the baselines: 137 security baseline policies and 44 accessibility baseline policies:

Baselines
Microsoft defines a baseline as a group of policies with Microsoft-recommended values. For example, in the security baseline the policy “Block Excel XLL Add-ins that come from an untrusted source” is Enabled unless we decide to change the recommended value; likewise, in the accessibility baseline the policy “Check for accessibility issues while editing” is Enabled by default.
Contoso accepts the baselines recommended by Microsoft, so they focus on configuring the remaining settings they need in the global policy, based on the existing Group Policies, and finish the creation wizard. The resulting tenant-wide policy should sit at the bottom of the list (with the highest priority number), so that every persona policy takes precedence over it.
To be continued…