Hello everyone, my name is Dave Guenthner, and I am a Senior FastTrack Architect (FTA) at Microsoft. The purpose of this blog is to share a recent customer problem and provide suggestions for resolution. Working in FastTrack, I speak with customers every day about their “Modern Endpoint” aspirations. A key concept is embracing Azure AD Join as the Microsoft recommended path for most new or repurposed devices. This is superbly outlined in the blog posting Understanding hybrid Azure AD join and co-management. My customer was evaluating Microsoft’s Windows 365 (W365) solution and provisioned the Cloud PCs as Azure AD Join only (a substantial change from the traditional Hybrid Azure AD Join, made to align with best practices).
The customer observed that the OneDrive client failed to start with the following notification, “Sorry, OneDrive can’t add your folder right now,” which diminished the user experience and the overall W365 value proposition. While the user could access their OneDrive data from the browser, they were unable to synchronize content to the local machine.
On the surface, this end user notification is not especially helpful. We discovered the customer had in the past used Set-SPOTenantSyncClientRestriction to block sync from non-domain-joined machines. This dates from when customers did not have a cloud posture and most devices remained joined to a known on-premises Active Directory Domain Services (AD DS) domain. The idea was simple: for security purposes, only allow the OneDrive client to synchronize to a device joined to a “known” and approved on-premises domain, and do not allow OneDrive to synchronize corporate data to devices which are unknown and unprotected. You can confirm whether this setting is present in your environment by navigating to the SharePoint Admin Center, clicking Settings, then the item shown below.
To reverse it, unselect or clear the “Allow syncing only on computers joined to specific domains” checkbox shown below.
Note: This capability doesn't support Azure Active Directory or Workplace Joined devices.
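The same check and reversal can be scripted rather than clicked through. The following is an added example, not code from the original post: it uses the SharePoint Online Management Shell cmdlets named above to read the current sync restriction and clear it only when it is actually set. The admin URL is a placeholder, and the module, a SharePoint administrator role, and the decision to clear the restriction only after a device-based Conditional Access policy is in place are assumptions.

```powershell
# Added example (not from the original post): inspect and clear the legacy
# OneDrive domain-join sync restriction with the SharePoint Online Management Shell.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the
# caller is a SharePoint administrator. The admin URL below is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

function Get-LegacySyncRestrictionState {
    # TenantRestrictionEnabled = $true with a populated AllowedDomainList is the
    # condition that produces "Sorry, OneDrive can't add your folder right now"
    # on Azure AD joined devices such as Windows 365 Cloud PCs.
    $restriction = Get-SPOTenantSyncClientRestriction
    [pscustomobject]@{
        Enabled        = $restriction.TenantRestrictionEnabled
        AllowedDomains = $restriction.AllowedDomainList
    }
}

function Clear-LegacySyncRestriction {
    param([switch]$WhatIf)   # dry run by default so the change is deliberate

    $state = Get-LegacySyncRestrictionState
    if (-not $state.Enabled) {
        Write-Host "No domain-join sync restriction is configured; look elsewhere for the cause."
        return
    }

    Write-Host "Sync is currently limited to on-premises domain GUIDs:" ($state.AllowedDomains -join ', ')
    if ($WhatIf) {
        Write-Host "WhatIf: would run Set-SPOTenantSyncClientRestriction -Disable"
        return
    }

    # Clearing the restriction means any device can sync until a Conditional
    # Access policy covering device trust takes over, so do this only once
    # that policy exists (see the proposed solution in this post).
    Set-SPOTenantSyncClientRestriction -Disable
    Write-Host "Domain-join sync restriction cleared; re-run Get-LegacySyncRestrictionState to verify."
}

# Usage: show the state, then preview the change before applying it.
Get-LegacySyncRestrictionState
Clear-LegacySyncRestriction -WhatIf
# Clear-LegacySyncRestriction      # apply once the replacement policy is in place
```

Keeping the dry run as the default makes the script safe to run from a change ticket: the first call only reports the GUID list the restriction is pinned to, which is useful evidence when explaining to the team that owns the setting why Azure AD joined Cloud PCs can never match it.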
While this solves the syncing problem reported by the customer, it does introduce new security concerns as any device can now synchronize data from OneDrive. The question is, how can we solve the problem without creating new security concerns? This is where “Zero Trust” principles based upon Verify explicitly, Use least-privilege access, and Assume breach come into play.
We can replace the legacy SharePoint policy with Conditional Access, which empowers users to be productive wherever and whenever while protecting the organization's assets. Unfortunately, there is no universal security configuration applicable to all customer environments. It requires cross-team collaboration between various customer teams to establish a new set of guiding principles on how to manage and protect corporate data.
Proposed Solution: (Simple example - Only allow Windows corporate devices such as AADJ or HAADJ)
From the Azure Portal, go to Security, then to Conditional Access Policies. Create a new Conditional Access policy using the Filter for devices condition and add the rule shown below:
From Grant controls, select Block access.
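The same policy can be created through the Microsoft Graph PowerShell SDK, which is handy when the policy must be reproduced across tenants or kept in source control. This is an added example, not code from the original post, and the exact device filter rule is an assumption: the post describes a filter that targets devices other than Azure AD joined (AADJ) or hybrid Azure AD joined (HAADJ) Windows devices, so the rule below matches any device whose trustType is neither AzureAD nor ServerAD. The pilot group, the break-glass exclusion group, and the policy name are placeholders.

```powershell
# Added example (not from the original post): create the "block unknown Windows
# devices" Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller holds a
# role allowed to manage Conditional Access (for example Conditional Access Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-BlockUnknownWindowsDevicePolicy {
    param(
        [string]$DisplayName      = "Block non-corporate Windows devices",   # assumed name
        [string]$PilotGroupId     = "<pilot-group-object-id>",               # placeholder
        [string]$BreakGlassGroupId = "<break-glass-group-object-id>",        # placeholder
        # Report-only first: the post stresses testing before enforcing.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Filter for devices, include mode: the policy APPLIES to devices matching the rule.
    # trustType values are AzureAD (AADJ), ServerAD (HAADJ) and Workplace (registered);
    # an unregistered or unknown device has no trustType and therefore also matches.
    $deviceRule = 'device.trustType -ne "AzureAD" -and device.trustType -ne "ServerAD"'   # assumed rule

    $policy = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users        = @{
                includeGroups = @($PilotGroupId)
                excludeGroups = @($BreakGlassGroupId)   # never lock out emergency accounts
            }
            applications = @{ includeApplications = @("All") }
            platforms    = @{ includePlatforms = @("windows") }   # "Windows corporate devices" scope
            devices      = @{
                deviceFilter = @{
                    mode = "include"
                    rule = $deviceRule
                }
            }
        }
        grantControls = @{
            operator         = "OR"
            builtInControls  = @("block")   # Grant controls: Block access
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Usage: create in report-only mode, review sign-in logs, then switch State to 'enabled'.
New-BlockUnknownWindowsDevicePolicy
```

Starting in report-only mode lets the sign-in logs show which users and devices the rule would have blocked before anyone is actually locked out, and scoping the first run to a pilot group keeps the blast radius small while the cross-team discussion the post describes is still under way.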
In this simple example, an end user accessing the M365 Portal via the web, or attempting to sign into the OneDrive client, from a device that is not a known corporate device will see the following message.
From the Azure Sign-in events, you can check the details of the Conditional Access successes and failures and the reason for each decision.
Failure Example – Device is ‘Unknown,’ so rule applies, access blocked
Success Example - Device is ‘Known,’ so rule not applied, access granted
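The two outcomes above can also be pulled from the sign-in logs with the Microsoft Graph PowerShell SDK instead of the portal, which is useful for a daily check while the policy is still in report-only mode. This is an added example, not code from the original post; the policy display name is assumed, and the function generalizes the post's two screenshots by accepting any per-policy result (failure, notApplied, or the report-only equivalents).

```powershell
# Added example (not from the original post): list recent sign-ins with the
# outcome of a specific Conditional Access policy, plus the device trust type
# that explains the decision. Assumes Microsoft.Graph.Reports is installed and
# the caller can read sign-in logs (for example Security Reader).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-PolicyOutcomeForSignIns {
    param(
        [string]$PolicyName = "Block non-corporate Windows devices",   # assumed name
        # 'failure'     = rule applied, access blocked   (post's Failure Example)
        # 'notApplied'  = rule not applied, access granted (post's Success Example)
        # reportOnly* values are what you see while the policy is in report-only mode
        [ValidateSet('failure', 'success', 'notApplied',
                     'reportOnlyFailure', 'reportOnlySuccess', 'reportOnlyNotApplied')]
        [string]$PolicyResult = 'failure',
        [int]$Top = 200
    )

    Get-MgAuditLogSignIn -Top $Top | ForEach-Object {
        $signIn = $_
        # Each sign-in carries the per-policy evaluation, not just the overall status.
        $hit = $signIn.AppliedConditionalAccessPolicies |
               Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq $PolicyResult }
        if ($hit) {
            [pscustomobject]@{
                When      = $signIn.CreatedDateTime
                User      = $signIn.UserPrincipalName
                App       = $signIn.AppDisplayName
                TrustType = $signIn.DeviceDetail.TrustType   # empty = unknown device
                DeviceId  = $signIn.DeviceDetail.DeviceId
                Result    = $hit.Result
                Controls  = ($hit.EnforcedGrantControls -join ',')   # 'Block' on failures
            }
        }
    }
}

# Failure example: device is unknown, rule applied, access blocked.
Get-PolicyOutcomeForSignIns -PolicyResult failure | Format-Table -AutoSize

# Success example: device is known (AADJ or HAADJ), rule not applied, access granted.
Get-PolicyOutcomeForSignIns -PolicyResult notApplied | Format-Table -AutoSize
```

A blank TrustType alongside a failure row is the signature of the case the post describes: the device is not Azure AD joined, hybrid joined, or even registered, so the filter matches and the block is enforced. Rows with TrustType AzureAD or ServerAD and a notApplied result confirm the Cloud PCs pass through untouched.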
We all know the quote from the movie Spider-Man, “With great power comes great responsibility,” which is a perfect way to describe Conditional Access. It is so powerful, flexible, and frankly complicated due to the number of controls available, too exhaustive to list here. It is going to ask a lot of questions and require testing to ensure your security posture requirements are met. However, it is the right way to align with Microsoft’s mission statement to “empower every person and every organization on the planet to achieve more.”