Microsoft Adds MDM Features to Commercial Office 365

Users of certain Office 365 subscription plans will get expanded mobile device management (MDM) capabilities at no extra cost, Microsoft announced on Monday.

The new capabilities are "conditional access," "selective wipe" and certain device-level security compliance qualifications that IT pros can set, such as requiring devices to have "pin lock and jailbreak detection" to gain access to apps. They will be available to subscribers of most Office 365 Business, Enterprise, Government and Education plans.

Microsoft began rolling out the features to qualified users on Monday, with the rollout expected to be completed in four to six weeks, the company said.

While there's no charge for the new security capabilities, the announcement noted that other "advanced" management capabilities are optional. Getting access to those optional capabilities entails having a Microsoft Intune MDM subscription or Enterprise Mobility Suite licensing. The new free capabilities are enabled by Intune, as well as by Microsoft Azure Active Directory services, so Microsoft essentially has just carved out some of those capabilities and offered them at no cost to its Office 365 subscribers.

It's hard to tell from Microsoft's documentation which Office apps have the new free MDM capabilities. Office 365 subscribers get the traditional Excel, Outlook, PowerPoint and Word apps in a full suite that Microsoft calls "Office ProPlus." In addition, most Office 365 subscriptions (except for the Business Essentials plan) also include "online" Web-enabled Office apps accessed through a browser, as well as mobile Office apps. Possibly, the new free MDM capabilities only apply to the Office Web apps. It doesn't seem that the mobile apps get these new protections unless an organization also has an Intune subscription or Enterprise Mobility Suite licensing. Here's how a Microsoft spokesperson explained it:

If a customer wishes to manage all their company apps (including O365, Salesforce, Box, etc. etc.) -- you can simply step up to the full Microsoft EMS/Intune subscription -- they manage all apps, including Office mobile apps across different device types.

A Microsoft TechNet article shows that the new free "built-in" MDM capabilities in Office 365 subscriptions extend to iOS, Android and Windows Phone devices. For Windows devices, an Intune subscription is needed, according to the first table in that article. Consequently, it would seem that an Intune subscription would be required to get these management capabilities for a Windows tablet device.

Windows 10, still at the preview stage, isn't part of the current supported devices list for the new Office 365 MDM capabilities. The list just shows support for "Windows Phone 8.1, iOS 6 or later versions, Android 4 or later versions, Windows 8.1 and Windows 8.1 RT."

The new conditional access capability that's now part of Office 365 subscriptions is Microsoft's term for the ability of IT pros to set certain conditions that devices must meet before end users can access e-mail and Office documents. It's designed to protect access to Excel, PowerPoint and Word documents, as well as "other business applications," according to Microsoft's announcement. It seems, though, that organizations likely will need Intune for those other business applications.

Selective wipe is a security measure for lost or stolen devices. IT pros can use the Office 365 Admin Center to delete all information from a device or just the organizational data.

The device-level protections in Office 365 subscriptions let IT pros set conditions for user access. Users might be required to have a password of a certain complexity or length, for instance. The compliance specifications that can be set will vary depending on the device's operating system platform. For instance, IT pros can't force Android 4 (or greater) devices to prevent the use of simple passwords as a compliance criterion, nor can they compel Windows Phone 8.1 devices to not be jailbroken, according to Microsoft's TechNet description.

Some of Microsoft's Office 365 protection schemes are based on its Rights Management Service technology, but that's likely an extra cost for organizations managing mobile devices. Microsoft has frequently demonstrated an Office 365 capability that prevents copy-and-paste actions by end users, as Julia White, general manager of Microsoft Office product management, did at Microsoft's TechEd event last year. However, that capability, which apparently taps the Azure Rights Management Service, will require having Enterprise Mobility Suite licensing in place. Microsoft has also described this technology as being built into Windows 10 through the use of container technology.

In a nutshell, it appears that the new free Office 365 MDM capabilities likely just apply to the use of Office Web apps. Specific mobile management capabilities will vary per the OS platform deployed. In other words, it's a complicated picture, and that complexity could help Microsoft sell its Enterprise Mobility Suite licensing or Intune subscriptions for organizations going down the MDM road.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

