Microsoft 365 - Enforcing User Account Policy Compliance via Policy Groups (Departmental IT)

This document explains how departmental IT staff can use policy groups in Manifest to enforce technical restrictions on user accounts in Office 365, as part of an effort to achieve policy compliance.

HIPAA: If you believe you or your university work may be influenced by HIPAA and you have questions about the use of policy groups within your organization, please contact your HIPAA Security Coordinator.

If you do not work within the guidelines of HIPAA and you are interested in using policy groups within your organization, please contact the DoIT Help Desk for more information.

If you've created your policy group structure in Manifest, populated your groups, and run reports on the policy compliance of your users, you are ready to begin enforcing your policies by applying technical restrictions on your users' accounts. Currently, the technical restrictions that can be applied to user accounts are:
  • The prevention of setting an account auto-forward from the Wisc Account Admin site and creation of forward-to Inbox rules in Outlook on the web.

    • IMPORTANT: this restriction only applies to the Wisc Account Admin site initially. To extend this restriction to Outlook on the web, the user or departmental admin with delegated access to the user's account must take the following steps:
      1. Log in to the Wisc Account Admin site
      2. Navigate to the account over which the restriction will be enforced
      3. Click on "Office 365"
      4. Click on "Forwarding"
      5. Click on "Apply Restrictive Mailbox Policy" to prevent the creation of forward-to Inbox rules in Outlook on the web. Note: users may still set an account auto-forward from a desktop email client.
  • The prevention of enabling POP configuration protocols once they've been disabled. This WILL NOT disable these protocols if they are currently enabled; it will only prevent users from re-enabling the protocols.

To implement the policy controls described above, please contact the DoIT Help Desk and provide the names of your "affiliation" and "exclusion" policy groups in Manifest. Ask that your policy groups request be sent to UW-Madison's Office 365 Team so they can implement the enforcement of your policies. The Office 365 Team will contact you to confirm the implementation of your technical policy controls and let you know when they are in effect for your users.