cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

CAS Access Control - Restrict users using OneDrive Desktop Client

Mary_Yvette
Brass Contributor

‎May 06 2020 08:54 PM

‎May 06 2020 08:54 PM

CAS Access Control - Restrict users using OneDrive Desktop Client

Good day!

 

I created an Access policy in CAS to restrict the access to OneDrive and SharePoint Client only not including Teams Client. OneDrive, SharePoint and Teams are already added in the Conditional Access App Control. 

 

And this is the result that I have:

1. Click Sync Button in OneDrive Online ---- Block by Access Control

2. Click Sync Button of OneDrive in Teams Online ---- Sync was not blocked

4. For OneDrive that is already syncing to their local computer the files are still syncing.

5. Sign to Teams Client ---- Blocked

6. For users that are already logged-in to Teams Client they were able to open it and access OneDrive and SharePoint FIles and also click the sync button

 

Questions:

1. How to restrict those users that have already synced their OneDrive / SharePoint?

2. How to allow Teams Client and block the sync button?

3, How to block sync button in Teams Online?

 

Hoping for someone's help here. Thank you!

Labels:
1,701 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Mary_Yvette (Brass Contributor)
Joe Stocker

‎May 13 2020 12:57 AM

‎May 13 2020 12:57 AM

Solution

Re: CAS Access Control - Restrict users using OneDrive Desktop Client

MCAS can only protect web workloads, so it cannot be used to block the synchronization of OneDrive and SharePoint. To control syncing you need to configure domain join verification inside admin.onedrive.com and that will apply to both SharePoint and OneDrive sync. For more information on that feature read here: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestrict...

You cannot have a more restrictive policy for SharePoint without impacting Teams, because Teams has a dependency on SharePoint. For more information on the dependent services and how you can't have separate restrictions, view this article here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies

To block sync in Teams you have to disable it in the library settings as described here:
https://answers.microsoft.com/en-us/msoffice/forum/all/disable-sync-options-on-office-365-group-team...
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Mary_Yvette (Brass Contributor)
Joe Stocker

‎May 13 2020 12:57 AM

‎May 13 2020 12:57 AM

Solution

Re: CAS Access Control - Restrict users using OneDrive Desktop Client

MCAS can only protect web workloads, so it cannot be used to block the synchronization of OneDrive and SharePoint. To control syncing you need to configure domain join verification inside admin.onedrive.com and that will apply to both SharePoint and OneDrive sync. For more information on that feature read here: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestrict...

You cannot have a more restrictive policy for SharePoint without impacting Teams, because Teams has a dependency on SharePoint. For more information on the dependent services and how you can't have separate restrictions, view this article here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies

To block sync in Teams you have to disable it in the library settings as described here:
https://answers.microsoft.com/en-us/msoffice/forum/all/disable-sync-options-on-office-365-group-team...

View solution in original post

1 Like
Reply