OneDrive Sync Restrictions

Copper Contributor

We're looking to control OneDrive Sync on unmanaged devices, without affecting other apps like Teams. We also want to allow students to continue using the OneDrive sync app, so they need to be excluded.

So far we've found that the unmanaged devices conditional access policies that are created from Access Control in SharePoint Admin apply to all apps that access SharePoint Online, including Teams. This also seemed to sign out our Teams desktop phones, which we did not expect. It also breaks any Teams chat that contains references to linked files. We may be able to do something by utilising the Intune Registration option in Microsoft Authenticator, which soft-joined personal devices, but we need to be careful as we do not want to take control of these.

The OneDrive Sync controls in SharePoint Admin only apply to Active Directory Domain joined devices, and we also can't exclude users from that.

Microsoft Defender App Control seems to just be for web apps.

App enforced restrictions seemed promising, but it looks like we would need to label each and every site one by one, and it's not clear how that would affect Teams either.

What we're looking to achieve is to limit the chances of encrypted files on a compromised unmanaged device being uploaded into SharePoint Online. We're happy to take the risk with student data, but staff have more access to sensitive information, so we are looking to protect this specifically. Accessing files directly from the web or from apps like Teams doesn't pose the same threat that OneDrive Sync appears to.

0 Replies
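Added example, not part of the original post: the Conditional Access policy that the SharePoint Admin "unmanaged devices" control generates, written out by hand with Microsoft Graph PowerShell so it can be scoped to a staff group and exclude a student group, which the portal-generated policy does not let you do. The group names, policy name and tenant URL are assumptions. It also shows why the behaviour described above happens: the policy is scoped to the Office 365 SharePoint Online resource (app ID 00000003-0000-0ff1-ce00-000000000000), and the OneDrive sync client, the Teams desktop client and the browser all request tokens for that same resource, so a policy on it cannot single out the sync client.

```powershell
# Added example (not the original poster's code). Assumed names: "Staff", "Students",
# the policy displayName and the contoso tenant URL.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$staff    = Get-MgGroup -Filter "displayName eq 'Staff'"      # assumed group name
$students = Get-MgGroup -Filter "displayName eq 'Students'"   # assumed group name
if (-not $staff -or -not $students) { throw "Staff/Students group not found" }

$params = @{
    displayName = "SPO - limited web access for staff on unmanaged devices"   # assumed
    # Report-only first: sign-in logs then show every client that would be caught
    # (Teams desktop, Teams phones, browser, OneDrive sync) before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($staff.Id)
            excludeGroups = @($students.Id)
        }
        applications = @{
            # Office 365 SharePoint Online. This is the resource, not the client:
            # OneDrive sync, Teams files and the browser all token against it.
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        clientAppTypes = @("all")
        devices = @{
            # "Unmanaged" = not Intune-compliant and not hybrid-joined (trustType ServerAD).
            deviceFilter = @{
                mode = "include"
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    # Hand the decision to SharePoint's own limited-access behaviour instead of blocking.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State

# SharePoint side: tell SPO to honour the app-enforced-restrictions signal tenant-wide.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Get-SPOTenant | Select-Object ConditionalAccessPolicy
```

Leave the policy in report-only mode and filter the Entra sign-in logs on this policy name for a few days: every application that appears there, including Teams, will be affected the moment the state is changed to enabled, which is the effect described in the post. Excluding the student group keeps their sync app working; it does nothing to narrow which clients staff are affected by, because the scoping unit is the SharePoint Online resource.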