Forum Discussion
OneDrive for Business requiring occasional logon after migrating to using Conditional Access policies
We use OneDrive for Business very extensively. A couple of months ago, we implemented some new security policies using Conditional Access policies; the big change here was that all logins must originate from either an Azure Hybrid Joined workstation or from a compliant device enrolled in Office 365 MDM. This all worked fine.
Since implementing that, however, OneDrive occasionally will require you to sign in again in Windows. This was never an issue before. The symptoms are that files saved to OneDrive in the cloud directly never sync back to our workstations. This happens when an end user saves a document from Word or Excel and chooses OneDrive as the location. It saves to the cloud, but never syncs back locally. The OneDrive icon in the system tray will be perpetually showing the "Synchronizing" symbol (blue cloud with the arrows in a circle). It looks mostly normal, but when you click on the OneDrive icon, it will tell you it needs to sign in. If you click Sign In it does not ask for your password; apparently seamless single sign-on can supply that, but it does require answering an MFA prompt.
This doesn't seem to happen with Teams or Outlook. Also, I'd think that seamless single sign-on (which we have enabled) ought to take care of this. My end users don't really understand how OneDrive works since it's all mostly automatic, so it never, ever occurs to them to check on its status until something weird starts happening, like they are missing files.
I need to get OneDrive back to normal where it can stay logged in like Outlook and Teams do. Since this seemed to become a problem once Conditional Access policies were implemented, I'll detail that setup a little bit. We have a blanket policy that requires MFA for all logins. The policy targets "All cloud apps" in Target Resources. The Access Controls section, under Grant, simply requires MFA. In Access Controls -> Session, we have selected Persistent Browser Session -> Always Persistent.
We are not using Sign In Frequency in the CA policies.
What other settings should I be looking at?
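One way to get an overview of every Conditional Access policy's grant and session controls in one place before changing anything, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`) is installed and the signed-in account can be granted the `Policy.Read.All` scope; the report columns are chosen for this thread's question and are not a Microsoft-defined layout.

```powershell
# Added example: report the conditions, grant controls and session controls of all
# Conditional Access policies, so sign-in frequency / persistent-browser settings
# can be compared against what users actually experience.
# Assumption: Microsoft.Graph PowerShell SDK is installed; Policy.Read.All is consented.
Connect-MgGraph -Scopes "Policy.Read.All"

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $sif = $p.SessionControls.SignInFrequency
    $pb  = $p.SessionControls.PersistentBrowser

    [pscustomobject]@{
        Name            = $p.DisplayName
        # enabled / disabled / enabledForReportingButNotEnforced
        State           = $p.State
        # "All" here is the "All cloud apps" target described in the post
        TargetsAllApps  = ($p.Conditions.Applications.IncludeApplications -contains "All")
        Platforms       = ($p.Conditions.Platforms.IncludePlatforms -join ",")
        # browser vs. mobileAppsAndDesktopClients: desktop sync clients fall in the latter
        ClientAppTypes  = ($p.Conditions.ClientAppTypes -join ",")
        # e.g. mfa, compliantDevice, domainJoinedDevice
        GrantControls   = ($p.GrantControls.BuiltInControls -join ",")
        GrantOperator   = $p.GrantControls.Operator
        # Sign-in frequency, if configured (the post states it is not)
        SignInFrequency = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { "not set" }
        # Persistent browser session only governs browser sessions, not desktop clients
        PersistentBrowser = if ($pb.IsEnabled) { $pb.Mode } else { "not set" }
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize
```

Policies in the `enabledForReportingButNotEnforced` state show up alongside enforced ones, so the report also exposes report-only policies that would change behaviour if switched on.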