Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2984: How to configure Office 365 for mobile devices using Group Policy

App Access Service ,   App Gateway Service ,   Mac & PC Management Service ,  

27 February,17 at 04:38 PM

Applies to: Centrify Identity Service

Does Centrify offer a Group Policy that can be used to configure ActiveSync profiles for mobile devices to access Office 365?

Centrify currently supports configuration and delivery of ActiveSync profiles that can be used with both Exchange and Office 365. Administrators can select between using Centrify cloud-based policy or Active Directory Group Policy.
  • Centrify cloud policy is managed from the Admin Portal via the "Policies" tab.
  • Active Directory based policy is managed using the Group Policy Management Editor. The policy templates are included with the Centrify Connector installation package and can be installed separately. Expand the Computer Configuration policies and look for the section titled "Centrify Cloud Management Settings".
          User-added image

It may be necessary to configure a separate policy depending on the device type:
  • iOS devices should use the Exchange Settings option listed under the "iOS Settings" policy section.
  • Samsung devices that support KNOX should use the Exchange Settings option listed under the "Samsung KNOX Device Settings" policy section.
  • Android devices (non-Samsung) should use "Touchdown Settings" policy section.

To configure an Exchange ActiveSync policy for mobile devices to sync with Office 365, use the following settings:
  1. Profile Name: Office 365 (or similar)
  2. Exchange ActiveSync host:
  3. Use SSL: enabled
  4. User name: the user account UPN ( is required for login to Office 365. You can use the variable  %{userPrincipalName} to automatically populate the username field with the full UPN of the user account

Example of Centrify policy configuration:

          User-added image

Example of Active Directory policy configuration:

          User-added image


Moving devices between policy sets or OU's linked with different policy options may be helpful to manage devices that belong to different user groups or mailbox configurations. For example, this method could also be used for configuring mobile devices using ActiveSync when performing mailbox migrations from Microsoft Exchange to Office 365. A policy could be created for the current OU and devices to leverage a mail profile that points to an Exchange server.  

When a user mailbox is migrated from Exchange to Office 365, the mobile device object could be moved to a different OU where the linked policy settings are inherited and deliver a mail profile pointing to Office 365. The policy would be delivered to the device and would prompt the user for the Office 365 password. After successful login to Office 365, the user's mailbox would synchronize to the device.

AD policy example settings for OU "Exchange Policy"AD policy example settings for OU "Office 365 Policy"
Username variable: mail
Mail server:
Username variable: userPrincipalName
Mail server:
           User-added image

Deciding on a best course of action to configure mobile policies will depend on how users will be migrated - all at once or in smaller groups. 

  • If all users are to be migrated as a single group, it is possible to remove the existing ActiveSync profile for mobile devices within the current policy and create a new profile for all devices. 
  • If smaller groups of users are to be migrated, it is permissible to create a new OU and GPO that duplicates existing restrictions, Wi-Fi, VPN, and the new EAS profile settings to be used with the new Exchange server (Office 365 for example). Simply move devices from the original container into the new container after migrating the user mailbox. The device will receive the updated policy settings based on the policy set in use - Centrify or AD Group Policy. Centrify policy updates every 15 minutes by default based on the Admin Portal settings while Active Directory Group Policy updates by default every 90 minutes with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is always updated when the system starts.


For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at




Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.