March 22, 2023

An image of the Microsoft Loop app on a desktop device.An image of the Microsoft Loop app on a desktop device.


As organizations continue to evolve in these dynamic times, they need modern tools that can embrace ambiguity and enable people to work where and how they want to in order to be effective. Microsoft Loop is the perfect solution for your teams to think, plan, and create together, like never before, even when they’re not in the same place. It’s a transformative co-creation experience that brings together teams, content and tasks across your tools and devices. It is a new app that combines a powerful and flexible canvas with portable components that stay in sync and move freely across Microsoft 365 apps. Learn more here.


 


We are excited to announce that Microsoft Loop is now in Public Preview! The Loop app is opt-in during our Public Preview, so as an IT Admin, you need to follow the steps below for your users to experience it, otherwise it is disabled. Once enabled, you and the people in your organization can try it today at: https://loop.microsoft.com/


 


Why enable it for your organization?


 


You can empower your organization and join the modern workplace movement by enabling Loop. Loop lets your team collaborate seamlessly, even when working remotely and in hybrid environments. With Loop, you can create and share Loop components-portable pieces of content that sync across all the places they have been shared including, Microsoft Teams, Outlook, Word for the web, Whiteboard, and the Loop app. These components are always up to date, regardless of where they’re shared, and your team can edit them inline from those applications. The Loop app itself enables your teams to collect everything they need for a project in one place, enabling them to think, plan and create together.


 


Learn more about the end-user value of the Loop app here in our announcement blog.


 


How do I enable Loop app for my organization?


 


All the information you need is in our Loop admin settings documentation. This Microsoft Learn article offers a screen-by-screen version of the same guidance.


 


Overview of steps


 



  1. Create a security group that will contain all the users in your organization who you want to grant access to the Loop app during Public Preview.

  2. Create a Cloud Policy, scoped to the security group you created above, to enable the Loop app.

  3. Wait an hour or so for the setting to propagate and log in to Loop!

  4. Ensure your firewall rules allow all the appropriate services.


 


Creating a Security Group


 


There are two ways to create the group. You can create a dynamic security group, which can be populated with user accounts via queries, or you can create a static security group, which is populated manually by you, the IT admin.


 


Dynamic Security Group


 


Source: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/use-dynamic-groups


 


What are dynamic groups?


 


A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the Azure portal. Administrators can set rules to populate groups that are created in Azure AD based on user attributes, such as user type, department, or country/region. Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about dedicated groups in Azure Active Directory.


 


Prerequisites


 


Azure AD Premium P1 or P2 licensing is required to create and use dynamic groups. Learn more in Create attribute-based rules for dynamic group membership in Azure Active Directory.


 


Creating an “all users” dynamic group


 


You can create a group containing all users within a tenant using a membership rule. When users are added or removed from the tenant in the future, the group’s membership is adjusted automatically.


 



  1. Sign into the Azure portal with an account that is assigned the Global administrator or User administrator role in the tenant.

  2. Select Azure Active Directory.

  3. Under Manage, select Groups, and then select New group.

  4. On the New Group page, under Group type, select Security. Enter a Group name and Group description for the new group.

  5. Under Membership type, select Dynamic User, and then select Add dynamic query.

  6. Above the Rule syntax text box, select Edit. On the Edit rule syntax page, type the following expression in the text box:
    user.objectId -ne nulluser.objectId -ne null

  7. Select OK. The rule appears in the Rule syntax box: 



An image demonstrating how to create a Dynamic membership rule for a new group in the Azure portal.An image demonstrating how to create a Dynamic membership rule for a new group in the Azure portal.


8. Select Save. The new dynamic group will now include B2B guest users and member users.


9. Select Create on the New group page to create the group.


 


Creating a group of members only


 


If you want your group to exclude guest users and include only members of your tenant, create a dynamic group as described above, but in the Rule syntax box, enter the following expression:


(user.objectId -ne null) and (user.userType -eq “Member”)


 


The following image shows the rule syntax for a dynamic group modified to include members only and exclude guests:


 


An image demonstrating the configuration of Dynamic membership rules in the Azure portal.An image demonstrating the configuration of Dynamic membership rules in the Azure portal.


Static Security Group


 


Source: https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-edit-or-delete-a-security-group


 


Add a security group


 



  1. In the Microsoft 365 admin center, go to the Groups > Groups page.

  2. On the Groups page, select Add a group.

  3. On the Choose a group type page, choose Security.

  4. Follow the steps to complete creation of the group.


 


Add members to a security group


 



  1. Select the security group name on the Groups page, and on the Members tab, select View all and manage members.

  2. In the group pane, select Add members and choose the person from the list or type the name of the person you want to add in the Search box, and then select Save.


Note: To remove members, select [X] next to their name.


 


Creating a Cloud Policy


 


Source: https://techcommunity.microsoft.com/t5/microsoft-365-blog/how-to-secure-your-remote-workers-with-office-cloud-policy/ba-p/1308579. Make sure to also check out this video to walk you through these steps:  The New Office Cloud Policy Service.


 


The instructions below assume you have already created a security group as instructed above. Please note, Cloud Policy requires a Security group, you cannot create the group in config.office.com.


 


1. Login into https://config.office.com with your administrator account and choose Customization > Policy Management > Create to create a new policy for the Loop App in your tenant. You can name the policy as you please. In the image example below, we named it, “Loop Policy”:


 


An image of the Policy Management tab in the Microsoft 365 Apps admin center.An image of the Policy Management tab in the Microsoft 365 Apps admin center.


2. In Assignments, choose whether this policy applies to users of locally installed Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web. Assign a Security Group to scope your policy. In the image example below, we used the previously created Loop app Security Group. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.


An image of the "Choose the scope" page on the Policy Management tab in the Microsoft 365 Apps admin center.An image of the “Choose the scope” page on the Policy Management tab in the Microsoft 365 Apps admin center.


3. Configure the Loop app policy “Create and view Loop files in Loop.”


a. Note: If you also need to change the default configuration of Loop component integrations across M365 apps (they are all default ON if you do nothing), or specifically need to change the default configuration of Loop components in Outlook (they are default ON if you do nothing), this is the same part of the process where you would configure.


b. Note: Also, if you have disabled some of the green highlighted feedback features, please reset them to default or enable them in order to ensure that your organization can send high quality and actionable feedback to our product engineering team. Specifically, the three items highlighted in green in the image below: “Allow users to submit feedback to Microsoft,” “Allow users to include screenshots and attachments when they submit feedback to Microsoft,” and “Allow user to include log files and content samples when they submit feedback to Microsoft.”


 


An image of a list of Loop policies specifying the platforms and applications they can be applied to and the status of each policy's configuration.An image of a list of Loop policies specifying the platforms and applications they can be applied to and the status of each policy’s configuration.


An image providing examples of policy settings available for configuration in the Microsoft 365 Apps admin center.An image providing examples of policy settings available for configuration in the Microsoft 365 Apps admin center.


An image demonstrating drop-down menu options available for Configuration settings for the Loop files policy in the Microsoft 365 Apps admin center.An image demonstrating drop-down menu options available for Configuration settings for the Loop files policy in the Microsoft 365 Apps admin center.


4. Click Save.


5. Log into https://loop.microsoft.com to test with:


a. An account you enabled (it’s included in your security group in the steps above).


b. An account you disabled (it’s NOT included it in your security group in the steps above).


 


Loop service requirements: Enabling traffic through your firewall


 


If you use firewall rules, ensure connections to Loop services are enabled; they are the same services you’ve already enabled for Office 365, including web sockets. Read more here, and ensure you’ve enabled the services documented here: Office 365 URLs and IP address ranges.


 


Conclusion


 


When Loop is disabled or users don’t have access, they will see this screen:


 


An image demonstrating the message that will display when Loop is disabled or users don't have access to the app: "The Loop app is not enabled in your organization."An image demonstrating the message that will display when Loop is disabled or users don’t have access to the app: “The Loop app is not enabled in your organization.”


When Loop is enabled, they will see the Loop app!


 


An image of the Microsoft Loop app providing an example workspace titled, "Project home."An image of the Microsoft Loop app providing an example workspace titled, “Project home.”


Helpful resources



 


More information about Loop components in the Microsoft 365 ecosystem:



 


Continue the conversation by joining us in the Microsoft 365 community! Want to share best practices or join community events? Become a member by “Joining” the Microsoft 365 community. For tips & tricks or to stay up to date on the latest news and announcements directly from the product teams, make sure to Follow or Subscribe to the Microsoft 365 Blog space!

You May Also Like…