Core Infrastructure and Security Blog

Sorry, OneDrive can’t add your folder right now

DaveGuenthner (Microsoft)
Feb 15, 2023

Hi community,

Introduction

Hello everyone, my name is Dave Guenthner, and I am a Senior FastTrack Architect (FTA) at Microsoft. The purpose of this blog is to share a recent customer problem and provide suggestions for resolution. Working in FastTrack, I speak with customers every day about their “Modern Endpoint” aspirations. A key concept is embracing Azure AD Join as the Microsoft recommended path for most new or repurposed devices. This is superbly outlined in the blog post Understanding hybrid Azure AD join and co-management. My customer was evaluating Microsoft’s Windows 365 (W365) solution and provisioned the Cloud PCs as Azure AD Join only (a substantial change from traditional Hybrid Azure AD Join, made to align with best practices).

 

Problem: 

The customer observed that the OneDrive client failed to start with the notification “Sorry, OneDrive can’t add your folder right now,” which degraded the user experience and undercut the overall W365 value proposition. While the user could access their OneDrive data from the browser, they were unable to synchronize content to the local machine.

 

On the surface, this end user notification is not especially helpful. We discovered the customer had in the past run Set-SPOTenantSyncClientRestriction to block sync from machines not joined to an approved on-premises domain. This dates from when customers did not have a cloud posture and most devices remained joined to a known on-premises Active Directory (AD DS). The idea was simple: for security purposes, only allow the OneDrive client to synchronize to a device joined to a “known” and approved on-premises domain, and do not allow OneDrive to synchronize corporate data to devices which are unknown and unprotected. You can confirm whether this setting is present in your environment by navigating to the SharePoint Admin Center, clicking Settings, then the item below.

 

To reverse it, clear the “Allow syncing only on computers joined to specific domains” checkbox below.

 

Note: This capability doesn't support Azure Active Directory joined or Workplace Joined devices, which is why an AADJ-only Cloud PC is blocked by it.
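The same check and reversal can be done from the SharePoint Online Management Shell rather than the admin center. The script below is an added example, not part of the original post: it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the signed-in account holds the SharePoint Administrator role, and that the admin URL placeholder is replaced with your tenant's. It reads the current restriction first, because a non-empty allowed-domain list with the restriction enabled is exactly the condition that blocks AADJ devices (they never report an on-premises domain GUID), and only then, as a deliberately commented-out step, removes it.

```powershell
# Added example (not from the original post): inspect, then clear, the legacy
# tenant-wide OneDrive sync restriction. Assumes the SharePoint Online
# Management Shell module and a SharePoint Administrator account.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder URL

# Step 1: what is currently enforced?
$restriction = Get-SPOTenantSyncClientRestriction
$restriction | Format-List TenantRestrictionEnabled, AllowedDomainList, BlockMacSync, ExcludedFileExtensions

if ($restriction.TenantRestrictionEnabled) {
    Write-Host "Domain-based sync restriction is ON. Only devices joined to these on-premises domains may sync:"
    $restriction.AllowedDomainList | ForEach-Object { Write-Host "  $_" }
    Write-Host "Azure AD joined / Workplace joined devices report no domain GUID, so they are blocked."
}
else {
    Write-Host "No domain-based sync restriction is set; this tenant is not the cause of the OneDrive error."
}

# Step 2: remove the restriction. Uncomment only after a Conditional Access
# policy covering the same risk is in place, otherwise any device can sync.
# Remove-SPOTenantSyncClientRestriction

# Step 3: re-run the check later; the change is not instantaneous.
(Get-SPOTenantSyncClientRestriction).TenantRestrictionEnabled
```

Keep the output of step 1 (in particular the AllowedDomainList) before removing anything; it is the evidence you will want if the decision to drop the restriction is ever questioned.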

 

While this solves the syncing problem reported by the customer, it introduces a new security concern: any device can now synchronize data from OneDrive. The question is, how can we solve the problem without creating new security concerns? This is where the “Zero Trust” principles, Verify explicitly, Use least-privilege access, and Assume breach, come into play.

 

We can replace the legacy SharePoint policy and leverage Conditional Access to empower users to be productive wherever and whenever, while protecting the organization's assets. Unfortunately, there is no universal security configuration applicable to all customer environments. It requires cross-team collaboration between the various customer teams to establish a new set of guiding principles on how to manage and protect corporate data.

 

Proposed Solution: (Simple example - only allow Windows corporate devices, i.e. AADJ or HAADJ)

From the Azure Portal, go to Security, then Conditional Access Policies. Create a new Conditional Access policy using Filter for devices and add the rule:

 

 

From Grant Controls, select Block access.
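The policy from the two steps above, created with Microsoft Graph PowerShell instead of the portal. This is an added example and not the post's own configuration: it assumes the Microsoft.Graph.Identity.SignIns module and an account granted the Policy.ReadWrite.ConditionalAccess scope. The device filter rule is my assumption of what the screenshot showed (trust type Azure AD joined or hybrid Azure AD joined, Windows only); the policy name and the emergency-access group id are placeholders. The policy is created in report-only mode so you can read the sign-in logs before any user is actually blocked.

```powershell
# Added example (not from the original post): create the "block unknown
# devices" Conditional Access policy with Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Filter mode "exclude": devices matching this rule are taken OUT of the
# policy, so the block only hits devices that are neither Azure AD joined
# ("AzureAD") nor hybrid Azure AD joined ("ServerAD"), including devices that
# present no device identity at all (the post's "Unknown" device).
# Rule text is an assumption, not copied from the post's screenshot.
$deviceRule = 'device.trustType -in ["AzureAD", "ServerAD"] -and device.operatingSystem -eq "Windows"'

$policy = @{
    displayName   = "Block sign-in from non-corporate devices (OneDrive/M365)"   # assumed name
    # Report-only first; change to "enabled" after reviewing sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            # Placeholder: always exclude an emergency-access (break-glass) group
            # so a mistake in the filter cannot lock every admin out.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{ includeApplications = @("All") }   # web portal and OneDrive client alike
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = $deviceRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two design choices are worth calling out: the filter excludes known-good devices rather than including known-bad ones, because a device that has not registered at all matches no attribute and must still fall inside the policy; and the break-glass exclusion is not optional, since a typo in the rule text would otherwise turn this into a tenant-wide block.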

 

In this simple example, an end user accessing the M365 portal via the web, or attempting to sign into the OneDrive client, from an unknown (non-corporate) device will see the following message.

 

From Azure AD Sign-in events, you can check the details of Conditional Access successes and failures and the reason for each decision.

Failure Example – Device is ‘Unknown,’ so rule applies, access blocked 

 

 

Success Example - Device is ‘Known,’ so rule not applied, access granted
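The same failure and success records can be pulled from the sign-in logs with Microsoft Graph PowerShell, which is useful when validating the policy in report-only mode across many users instead of opening events one by one. This is an added example, not part of the original post; it assumes the Microsoft.Graph.Reports module, an account with the AuditLog.Read.All and Directory.Read.All scopes, and the assumed policy name. It reports both enforced failures and report-only failures, since a policy still in report-only mode shows up as reportOnlyFailure on the applied policy rather than as a sign-in failure.

```powershell
# Added example (not from the original post): list recent sign-ins where the
# device-filter policy blocked (or would have blocked) access, with the device
# attributes the decision was based on.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Block sign-in from non-corporate devices (OneDrive/M365)"   # assumed name
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter server-side on time only; the policy result is evaluated client-side
# so that report-only outcomes are not lost.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 500

$rows = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $hit) { continue }
    if ($hit.Result -notin @("failure", "reportOnlyFailure")) { continue }   # "notApplied"/"success" = known device

    [pscustomobject]@{
        When      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        App       = $s.AppDisplayName                # e.g. OneDrive client vs. web portal
        TrustType = if ($s.DeviceDetail.TrustType) { $s.DeviceDetail.TrustType } else { "Unknown" }
        OS        = $s.DeviceDetail.OperatingSystem
        Result    = $hit.Result                      # "failure" once enforced, "reportOnlyFailure" before
        ErrorCode = $s.Status.ErrorCode
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize
```

An empty TrustType on a blocked sign-in is the "Device is ‘Unknown’" case from the failure example above; a blocked sign-in that does carry AzureAD or ServerAD means the filter rule itself needs attention, which is exactly what report-only mode is for.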

 

Summary: 

We all know the quote from the movie Spider-Man, “With great power comes great responsibility,” which is a perfect way to describe Conditional Access. It is powerful, flexible, and frankly complicated, due to a number of available controls too exhaustive to list here. It will ask a lot of questions and require testing to ensure your security posture is met. However, it is the right way to align with Microsoft’s mission statement to “empower every person and every organization on the planet to achieve more.”

 

 

Updated Feb 11, 2023
Version 1.0
  • Dennis Harrison (Copper Contributor)

    Here is a solution that worked for our company with a similar issue.

     

    1. Go to your SharePoint admin center -> Settings -> OneDrive Sync and note down your domain GUID.

    2. Log in to the affected device and go to registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive

    3. Under the above key, if the AADJMachineDomainGuid key name is not present, create it as a string value and provide your Domain GUID, which you copied in step 1, as the value for this key name.

    4. Close the registry editor (you do not need to reboot)

     

    You should now be able to log into OneDrive and start syncing.

     

    I deployed the registry key to all of our Windows 11 devices (these were the only devices with this issue) and all of them are working now.
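The four steps in the comment above, as a script that can be run on one device or pushed out to many. This is an added example, not Dennis's own deployment script: it assumes an elevated PowerShell session and that the placeholder GUID is replaced with the one shown under SharePoint admin center > Settings > OneDrive Sync. It validates the GUID before writing, because a mistyped value is silently ignored by OneDrive and leaves the error in place, and it reads the value back so the result can be checked.

```powershell
# Added example (not the commenter's script): set and verify the
# AADJMachineDomainGuid policy value from the steps above. Run elevated.
$domainGuid = "<your-on-premises-domain-guid>"   # placeholder, copy from SharePoint admin center
$keyPath    = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$valueName  = "AADJMachineDomainGuid"

# Refuse bad input instead of writing a value OneDrive will not recognise.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($domainGuid, [ref]$parsed)) {
    throw "'$domainGuid' is not a GUID; copy the domain GUID from SharePoint admin center > Settings > OneDrive Sync first."
}

# Create the policy key if this device has never received OneDrive policy.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_SZ (string) value, as step 3 describes. -Force overwrites an old value.
New-ItemProperty -Path $keyPath -Name $valueName -Value $parsed.ToString() -PropertyType String -Force | Out-Null

# Read it back; this is what OneDrive will see on its next sign-in attempt.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -ne $parsed.ToString()) {
    throw "Registry write failed: found '$current' under $keyPath\$valueName"
}
Write-Host "$keyPath\$valueName = $current (no reboot needed; restart the OneDrive client)"
```

Because the value lives under HKLM\SOFTWARE\Policies, the same write can be delivered through whatever mechanism already manages the device (a script or a registry-based configuration profile), which is how the commenter reached all of their Windows 11 devices at once.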

  • SaadKhan (Copper Contributor)

    In one of my encounters, the client did not have any Conditional Access or Intune, so I solved it like this.

     

    Issue: OneDrive for Business; a third-party tool used for migration messed up something and this issue appeared for a bunch of users.
    Users can access their OneDrive from the web, it's just not working in the OneDrive client on desktops.

    Error: Sorry, OneDrive can't add your folder right now.

    Troubleshooting:

    > User to navigate to OneDrive on the web. 

    > OneDrive settings > Return to classic OneDrive 

    > OneDrive settings (gear icon) > Site Content

    > Documents > vertical ellipsis (three dots) > Settings (Refer below)

     

    > Four things to check under "Version settings" and one under "Columns"

    1. Require content approval for submitted items? (Should be set to No) 

    2. Document Version History > if Drafts (minor) versions are enabled, the number should be low (about 40-50 or 100).

    This is set under "Keep drafts for the following number of major versions:"

    3. Draft Item Security: Any user who can read items
    4. Require Check Out: Set to No. 

     

    5. No columns should be set Required. (Refer below)

     

     

  • MorbrosIT (Copper Contributor)

    Tim_Schuchman From what I read, even if you add the Azure GUID to the SharePoint settings it still doesn't work.  I created a CAP I thought was correct and it still gave me the "Sorry" pop-up when trying to sync OneDrive from an AADJ machine.  Using Dennis' method and adding the GUID for our local AD into the registry worked.  I'm wondering if I need to disable the SPO restriction for the CAP policy to work properly.

  • janeelizan (Copper Contributor)

    Why is this string not getting added automatically during OOBE/initial login for either Windows 10 or 11?

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AADJMachineDomainGuid

  • mpatel130 (Copper Contributor)

    We're having the same issue and adding the ADDJMachineDomainGuid to the registry didn't work. Where can I check the logs to see what's causing the issue?

  • MorbrosIT (Copper Contributor)

    mpatel130 I had this happen on another machine.  On one machine I added the GUID and it worked fine, and on the other one it didn't.  I just ended up removing that setting in SharePoint because we are moving to mainly Entra Joined machines.