SOLVED

CAS Access Control - Restrict users using OneDrive Desktop Client

Brass Contributor

Good day!

 

I created an Access policy in CAS to restrict the access to OneDrive and SharePoint Client only not including Teams Client. OneDrive, SharePoint and Teams are already added in the Conditional Access App Control. 

 

And this is the result that I have:

1. Click Sync Button in OneDrive Online ---- Block by Access Control

2. Click Sync Button of OneDrive in Teams Online ---- Sync was not blocked

4. For OneDrive that is already syncing to their local computer the files are still syncing.

5. Sign to Teams Client ---- Blocked

6. For users that are already logged-in to Teams Client they were able to open it and access OneDrive and SharePoint FIles and also click the sync button

 

Questions:

1. How to restrict those users that have already synced their OneDrive / SharePoint?

2. How to allow Teams Client and block the sync button?

3, How to block sync button in Teams Online?

 

Hoping for someone's help here. Thank you!

1 Reply
best response confirmed by Mary_Yvette (Brass Contributor)
Solution
MCAS can only protect web workloads, so it cannot be used to block the synchronization of OneDrive and SharePoint. To control syncing you need to configure domain join verification inside admin.onedrive.com and that will apply to both SharePoint and OneDrive sync. For more information on that feature read here: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestrict...

You cannot have a more restrictive policy for SharePoint without impacting Teams, because Teams has a dependency on SharePoint. For more information on the dependent services and how you can't have separate restrictions, view this article here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies

To block sync in Teams you have to disable it in the library settings as described here:
https://answers.microsoft.com/en-us/msoffice/forum/all/disable-sync-options-on-office-365-group-team...
1 best response

Accepted Solutions
best response confirmed by Mary_Yvette (Brass Contributor)
Solution
MCAS can only protect web workloads, so it cannot be used to block the synchronization of OneDrive and SharePoint. To control syncing you need to configure domain join verification inside admin.onedrive.com and that will apply to both SharePoint and OneDrive sync. For more information on that feature read here: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestrict...

You cannot have a more restrictive policy for SharePoint without impacting Teams, because Teams has a dependency on SharePoint. For more information on the dependent services and how you can't have separate restrictions, view this article here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies

To block sync in Teams you have to disable it in the library settings as described here:
https://answers.microsoft.com/en-us/msoffice/forum/all/disable-sync-options-on-office-365-group-team...

View solution in original post