Forum Discussion

john john
Iron Contributor
Dec 16, 2018

Prevent users from syncing their SharePoint document libraries unless they are inside the company domain

We have mapped some of our file shares to SharePoint Online document libraries (mainly document libraries inside modern communication sites), but I do not want users syncing the documents from unmanaged devices, as this will put our documents at risk. So I read this article about how we can manage this risk: Allow syncing only on computers joined to specific domains. I have these questions:

1. Question 1. If I set the Sync setting to "Allow syncing only on PCs joined to specific domains" and I enter the domain GUID, will this prevent users from syncing the SharePoint document libraries from unmanaged devices?

2. Question 2. The link mentions the following: "This setting is only applicable to Active Directory domains. It does not apply to Azure AD domains. If you have devices which are only Azure AD joined, consider using a Conditional Access Policy instead." So I am not sure whether in our case we are using AD domains or Azure AD domains.

Now if I search for the users inside "Office 365" >> "Users" >> "Active users", then 95% of the users have "Sync with Active Directory" under the "Sync Type" column, as follows:

while 5% of the users have their "Sync Type" = "In cloud". So does this mean that if we restrict the OneDrive setting to "Allow syncing only on PCs joined to specific domains", it should prevent all users from syncing on unmanaged devices? In other words, are we using AD domains or Azure AD domains?

Can anyone advise on the above 2 questions?

Thanks

7 Replies

  • Cloud only or synced doesn't tell you if you are domain joined or not. You have to go to portal.azure.com and under Azure AD check devices. If you have devices listed then they are Azure AD joined. Otherwise they are domain joined (assuming all machines are joined to a domain and not stand-alone).

    As for the setting, you get the domain GUID and that should prevent machines not on the domain from syncing. Doesn't mean they are managed. If you have machines joined to Azure AD then you set up conditional access to prevent the sync.
    • john john
      Iron Contributor

      ChrisWebbTech wrote:
      Cloud only or synced doesn't tell you if you are domain joined or not. You have to go to portal.azure.com and under Azure AD check devices. If you have devices listed then they are Azure AD joined. Otherwise they are domain joined (assuming all machines are joined to a domain and not stand-alone).

      As for the setting, you get the domain GUID and that should prevent machines not on the domain from syncing. Doesn't mean they are managed. If you have machines joined to Azure AD then you set up conditional access to prevent the sync.

      ChrisWebbTech

      Ok, thanks for the reply. Now I went to "portal.azure.com" >> "Azure AD" >> "Devices", and I can see that there are 80 devices listed with join type = "Azure AD Registered". So it seems I have 80 users who are Azure AD joined, and I assume that the remaining users are joined to Active Directory.

      So in this case defining the domain GUID inside "OneDrive admin" >> "Sync" will not work for all users (the 80 users), so I need to define conditional access to prevent the sync. Is this correct? And can you please list the steps I need to follow to define conditional access?

      • Nope. Azure AD registered means they are either workgroup machines or domain-joined machines that are registered with work accounts in your Azure AD. It would say explicitly Azure AD joined if they were joined to Azure AD. Sorry, forgot the registered devices show there :p. They could be mobile devices too. But either way, Azure AD joined would say that specifically.
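The two checks the thread keeps coming back to, as an added example that is not part of the original posts or of any reply: reading the on-premises AD domain GUID, applying it with the SharePoint Online cmdlet behind the "Allow syncing only on PCs joined to specific domains" setting, and then confirming on a workstation whether it is AD domain joined, Azure AD joined, or only Azure AD registered (the `dsregcmd` output decides which control applies). The tenant name `contoso` is a placeholder; the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules and SharePoint admin rights are assumed.

```powershell
# Added example, not from the thread. Assumes a domain-joined admin host with the
# ActiveDirectory module, the Microsoft.Online.SharePoint.PowerShell module, and
# SharePoint admin rights on the hypothetical tenant "contoso".

# 1. Read the GUID of the on-premises AD DS domain. This setting only accepts
#    AD DS domain GUIDs; an Azure AD tenant ID is not a domain GUID.
Import-Module ActiveDirectory
$domainGuid = (Get-ADDomain).ObjectGUID.Guid
Write-Host "On-premises AD domain GUID: $domainGuid"

# 2. Apply the sync restriction. Several domain GUIDs can be given as a
#    semicolon-separated string. Propagation to clients is not immediate.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid

# 3. Read back what the tenant now enforces.
Get-SPOTenantSyncClientRestriction

# 4. On a workstation, show how it is joined:
#    DomainJoined: YES            -> covered by the domain GUID restriction
#    AzureAdJoined: YES, DomainJoined: NO -> GUID restriction blocks it; use
#                                    a Conditional Access policy instead
#    WorkplaceJoined: YES only     -> "Azure AD registered", not joined at all
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined'
```

Run step 4 on a few of the 80 "Azure AD Registered" devices from the thread before deciding: a device that reports DomainJoined: YES is already inside the GUID allow list regardless of its Azure AD registration, while one that reports only WorkplaceJoined: YES is a workgroup or personal device that the GUID restriction will block and that only a Conditional Access policy can govern.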
