HOWTO: Disable Office for the Web for your Microsoft 365 users

Reading Time: 3 minutes

Office365

Office for the Web (previously known as Office Web Apps) is one of the nicest features in Microsoft 365. It allows people to view and interact with documents in their web browser, without the need to install or use any of the native Microsoft 365 apps. Alas, there are some privacy concerns, and some organizations are banned from using this feature.

 

Example: The Dutch government

On July 1st, 2019, the Dutch Minister of Justice and Safety and the Minister of Internal Affairs and Kingdom Relationships, have sent a letter to the Dutch Parliament Dutch, declaring that Office 365, Windows 10 and Azure are safe to use for Dutch Governmental organizations under the Dutch interpretation of the General Data Protection Regulation (GDPR, EU 2016/679). This, of course, is good news.

However, back then, and yesterday in its renewed privacy impact analyses, the Privacy Company Dutch have introduced a little challenge for Dutch governmental organization, because they feel Microsoft had not yet made sufficient changes to Office for the Web to guarantee the level of privacy needed:

  1. Microsoft sends personal data to Optimizely and Giphy.
  2. Microsoft behaves as an independent data controller for telemetry data and Controller Connected Experiences
  3. Some of the telemetry data contains personal data
  4. Admins do not have options to minimize telemetry in Office on the web
  5. Controller Connected Experiences in Office for the Web cannot be disabled
  6. Microsoft does not publish information on the telemetry data it collects.

Hence, Office for the Web cannot be used.

 

Disabling Office for the Web

Dutch governmental organization cannot use this technology, but how do you exclude the use of Office Web Apps, or Office for the Web as the technology is now labeled?

 

Can you apply a Conditional Access policy?

Nope.

Although many Dutch governmental organizations have licensed Microsoft 365, not all have access to Azure Active Directory Premium subscription licenses. If you don’t have these licenses, then you’re out of luck on Conditional Access.

 

Then … !?

The way Microsoft has implemented enabling or disabling Office Web Apps is through the license assignment for Microsoft Office Apps, or through Microsoft 365. Now, when you look at the license assignment options for these products, you’ll see an Office for the web item, that you can switch On or Off, depending on your needs.

This license assignment option is new, but many organizations have already assigned everything from their Microsoft 365 subscription licenses to all their government officials. Some have even needed to do so on a per-user basis, because their Azure AD tenant lacks Azure AD Premium…

For organizations with Azure AD Premium that have used the (dynamic) group assignment feature for licenses in Microsoft 365, disabling Office on the Web is straight forward. Follow these steps:

  1. Start a browser and navigate to the Azure AD Portal.
  2. Sign in with an account with Global Administrator privileges.
    Perform multi-factor authentication when prompted.
  3. In the left navigation menu, click Azure Active Directory.
  4. In Azure AD’s navigation menu, click Licenses.
  5. In the Licenses navigation menu, click All products.
  6. Click on the name the licensing product that contains the Office on the Web feature, like Office 365 E3, or Office 365 Apps for Business.
  7. In the Licensed users pane, in the left navigation menu click on Licensed groups.
  8. In the main Product Name | Licensed groups pane, select the group(s) that are used to assign the product. Then click on + Assign in the top action bar.
    The Assign license blade appears.
  9. In the Assign license blade, click on Assignment options.
  10. From the list of License options , switch the option for Office for the web from On to Off.

Change the OfficeForTheWeb license option to Off in the Azure Active Directory admin center (click for original screenshot)

  1. Click OK at the bottom of the blade to save the assignment and close the blade.
  2. On the Assign license blade, click the Assign button at the bottom of the blade to assign the new license options and close the blade.
  3. Sign out and close the browser.

 

Concluding

If your organization is banned from using the Office for the web functionality, or as an organization you want to ban the functionality because of the privacy concerns, do not assign the Office for the web license option.

One Response to HOWTO: Disable Office for the Web for your Microsoft 365 users

  1.  

    Hi,
    unfortunately I tried exactly your proposal in trying to restrict the use of the Forms app by creating a group in azure without access to this. Logging on to forms.office.com with my user's credentials, the user still has access to it even though they are only in this group.
    The only way that I have been able to restrict this access was by unticking the app in the user profile in the MS Admin Center and not the Azure AD Admin Center.
    This is tedious and only allows individual adjustment.
    If you have any hint as to why the inherited restriction does not work while only the direct licensing restriction does, please do not hesitate to share.
    Thanks and best,
    Sabina

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.