Microsoft 365 - Creating and Managing Policy Groups (Departmental IT)
This document explains how departmental IT staff can take the first step toward achieving account policy compliance for their Office 365 users by creating the policy group structure in Manifest.
For an introduction to policy groups, please see Microsoft 365 - Using Policy Groups to Manage User Account Policy Compliance.
HIPAA: If you believe you or your university work may be influenced by HIPAA and you have questions about the use of policy groups within your organization, please contact your HIPAA Security Coordinator.
If you do not work within the guidelines of HIPAA and you are interested in using policy groups within your organization, please contact the DoIT Help Desk for more information.
What do I need to do?
- Request a Manifest folder if you do not already have one for your department or organization (Manifest - Request a Manifest Folder).
- Within your Manifest folder, create an "affiliation" group to contain your users and affiliates who need policy compliance and reporting (Manifest - Create a Group). Your "affiliation" group should be set up in the following ways:
  - Name the group using the following convention: "mydept-o365-policy-enforce"
  - Create/add the two groups listed below as members of your "affiliation" group:
    - Add a data-driven Manifest group for the UDDS of your users. Note: data-driven Manifest groups do not need to be created and can be added to your "affiliation" group by following these instructions: (Manifest - Data Driven Groups). Members of your data-driven Manifest group will be regularly updated to reflect current employees based on the UDDS number used.
    - Create an "ad-hoc" Manifest group to contain individuals who are not captured in your data-driven Manifest group. Please follow this naming convention: "mydept-o365-policy-ad-hoc". Once created, add your "ad-hoc" group as a member of your "affiliation" group (Manifest - Manage Group Members).
- Within your Manifest folder, create an "exclusion" Manifest group to contain individuals whose Office 365 account policy compliance will not be reported on or enforced. Please follow this naming convention: "mydept-o365-policy-exclusion".
- Within your Manifest folder, create an "admins" Manifest group to contain departmental IT administrators and others to whom you'd like to give the ability to run reports on the Office 365 account policy compliance of your selected users. Please use the following naming convention: "mydept-o365-policy-admins"
- Contact UW-Madison's Office 365 Team and request that they complete the setup of your policy groups. If you are not already in contact with UW-Madison's Office 365 Team regarding your policy groups, contact the DoIT Help Desk and request that the Office 365 Team complete the setup of your policy groups.
The image below is a visual representation of the complete policy groups structure.
Internal Notes
If the user is unable to set a forward or manage other settings within the Wisc Administration site on their Office 365 account due to a security policy, please direct them to contact their local IT staff and HIPAA Security Coordinator to address this issue. O365 staff cannot override this action.
If a customer calls with a request for more information about policy groups or a request for assistance with their policy groups, please ask the questions below and record the customer's answers in the case notes before escalating to the Office 365 Technical/Functional Team:
- To which campus department or organization does the customer belong?
- Is this a request for help/information regarding existing policy groups or is it a request for help/information regarding setting up new policy groups?
When a customer contacts the Office 365 Team for a review of their policy groups structure in Manifest after initial creation, work with the Manifest Team (manifest@doit.wisc.edu) to complete the following steps:
- Office 365 Team creates a Manifest Sub Folder for the requestor's department in "uw:domain:office365.wisc.edu:policies". Sub Folder name should clearly reference requestor's department/group/organization.
- Office 365 Team grants Admin and Create privileges to the "uw:domain:wiscmail.wisc.edu:core_messaging_team" Manifest Group over requestor's department's Sub Folder.
- Office 365 Team grants Create privileges to the "uw:domain:wiscmail.wisc.edu:wiscmail_mail_system_admins" Manifest Group over requestor's department's Sub Folder.
- Office 365 Team creates the Manifest Group "Protocol_BlockReport" in the requestor's department Manifest Folder from Step 1.
- Office 365 Team grants Admin, Update, Read, and View privileges to the "uw:domain:wiscmail.wisc.edu:core_messaging_team" Manifest Group over "Protocol_BlockReport" Group.
- Office 365 Team grants Update, Read, and View privileges to the "uw:domain:wiscmail.wisc.edu:wiscmail_mail_system_admins" Manifest Group over "Protocol_BlockReport" Group.
- Office 365 Team creates the Manifest Group "Report_Admins" in the requestor's department Manifest Folder from Step 1.
- Office 365 Team grants Admin, Update, Read, and View privileges to the "uw:domain:wiscmail.wisc.edu:core_messaging_team" Manifest Group over "Report_Admins" Group.
- Office 365 Team grants Update, Read, and View privileges to the "uw:domain:wiscmail.wisc.edu:wiscmail_mail_system_admins" Manifest Group over "Report_Admins" Group.
- Office 365 Team makes requestor's "admins" group (format: [DEPT]-o365-policy-admins) a member of "Report_Admins" Group within requestor's department Manifest Folder from Step 1 within "uw:domain:office365.wisc.edu:policies".
- Office 365 Team emails manifest@doit.wisc.edu and requests that the "Protocol_BlockReport" Group be made a Composite Group that includes members from the requestor's "mydept-o365-policy-enforce" Group but excludes members from the requestor's "mydept-o365-policy-exclusion" Group.
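
The following is an added example, not part of the original document and not Manifest or Office 365 Team tooling. It models the group structure described above in memory to show who ends up in the "Protocol_BlockReport" composite: nested members of the "enforce" group minus members of the "exclusion" group. The data-driven group name "mydept-udds-data-driven" and all member names are constructed for illustration.

```python
# Added illustration: in-memory model of the policy group structure.
# "mydept-udds-data-driven" and every member name are constructed samples.
GROUPS = {
    "mydept-o365-policy-enforce": {
        "groups": ["mydept-udds-data-driven", "mydept-o365-policy-ad-hoc"],
        "users": [],
    },
    "mydept-udds-data-driven": {"groups": [], "users": ["alice", "bob", "carol"]},
    "mydept-o365-policy-ad-hoc": {"groups": [], "users": ["dave", "erin"]},
    "mydept-o365-policy-exclusion": {"groups": [], "users": ["bob", "erin", "frank"]},
}


def effective_members(name, groups, _seen=None):
    """Return direct users plus users inherited from nested member groups."""
    seen = set() if _seen is None else _seen
    if name in seen:  # guard against groups that are members of each other
        return set()
    seen.add(name)
    group = groups[name]
    members = set(group["users"])
    for child in group["groups"]:
        members |= effective_members(child, groups, seen)
    return members


def block_report(groups, enforce, exclusion):
    """Model the composite group: members of `enforce` minus `exclusion`."""
    enforced = effective_members(enforce, groups)
    excluded = effective_members(exclusion, groups)
    return {
        # Accounts whose policy compliance is reported on and enforced.
        "reported": sorted(enforced - excluded),
        # Accounts that would be covered but are carved out; review these.
        "excluded_from_enforce": sorted(enforced & excluded),
        # Exclusion entries that match nobody in the enforce group.
        "exclusion_only": sorted(excluded - enforced),
    }


if __name__ == "__main__":
    result = block_report(GROUPS, "mydept-o365-policy-enforce",
                          "mydept-o365-policy-exclusion")
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

The "excluded_from_enforce" list is the one worth reviewing periodically, since every name on it is an account that matches the department's UDDS or ad-hoc membership but is not subject to reporting or enforcement.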