SOLVED

Block OneDrive sync on non-domain joined devices


Hi everyone


We're in a bit of a pickle. There are several on-prem ADs syncing to our tenant and we have blocked OneDrive sync on non-domain joined machines via the domainGUID list in OneDrive Admin Center.

Works great and all is well.

Now one of our companies decided to go full cloud but of course, since that switch (their computers are now AADJ), they cannot use the OneDrive client to sync anymore.

I have tried adding the tenantID of our Azure Active Directory on the domainGUID list but that does not work (would have been too easy :) ).

Most of what I read explains how to use conditional access policies when faced with Azure AD joined devices, but there does not seem to be any information about how to deal with this in mixed environments.


Even if I set up a CA policy for those users, they would still be blocked from syncing due to the domainGUID restriction in the ODFB admin center. I don't want to stop using that because that would open up sync to any device.

The on-prem devices are not HAADJ so I cannot go purely CA either.....


Does anyone know of a workable solution that would fit in this scenario?
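The domain-GUID restriction described above, as an added example that is not part of the original thread: it inspects the current tenant sync restriction, collects the objectGUID of each on-prem domain that is allowed to sync, merges those into the existing list and re-applies it. It assumes the SharePoint Online Management Shell module and, on the admin workstation, the ActiveDirectory RSAT module with trust to each forest; the tenant URL and domain names are placeholders.

```powershell
# Added example (not from the thread). Assumes Microsoft.Online.SharePoint.PowerShell
# and the ActiveDirectory module are installed; tenant URL and domain names are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# 1. Record what is enforced today before changing anything.
$before = Get-SPOTenantSyncClientRestriction
$before | Format-List TenantRestrictionEnabled, AllowedDomainList, BlockMacSync

# 2. Collect the objectGUID of every on-prem AD domain whose machines may sync.
#    This is the GUID of the AD domain object itself, not the Azure AD tenant ID,
#    which is why adding the tenant ID to the list has no effect.
$onPremDomains = @('corp.contoso.local', 'fabrikam.local')   # placeholder domains
$newGuids = foreach ($d in $onPremDomains) {
    (Get-ADDomain -Identity $d).ObjectGUID.ToString()
}

# 3. The list passed to -DomainGuids REPLACES the stored list, so merge rather than overwrite.
$existing = @($before.AllowedDomainList | ForEach-Object { $_.ToString() })
$merged   = @($existing) + @($newGuids) | Where-Object { $_ } | Sort-Object -Unique
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($merged -join '; ')

# 4. Verify. Note the restriction is matched against the client's on-prem domain
#    membership, so a purely Azure AD joined (non-hybrid) device can never pass it.
Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
```

Before running step 3 against production, diff `$merged` against `$before.AllowedDomainList`: an accidental drop of a GUID silently cuts sync for every machine in that forest.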

3 Replies
best response confirmed by Steve Hernou (Contributor)
Solution

It's simply not supported for AADJ devices, as mentioned for example here: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestrict...


Either remove the restrictions altogether or tell those users to stop bothering you :)

Thanks for the feedback @Vasil Michev , I was afraid this might be the case :)


If I got all on-prem AD joined devices from the different forests into an HAADJ state, could I then use a CA policy scoped to OneDrive/SharePoint and 'modern apps' to block sync except for HAADJ or compliant devices?

I know you can remove the sync and/or download button from the web experience using CA, but I'm not sure if you can actually block sync altogether (i.e. when launching onedrive.exe and logging in).

I just want to make sure nobody syncs onedrive/sharepoint data onto an unmanaged device.

That should work. You can also configure IP-based restrictions, either via CA policy or directly from the OneDrive admin center.
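The IP-based restriction mentioned in the reply above, configured from PowerShell instead of the admin center, as an added example that is not part of the thread. It assumes the SharePoint Online Management Shell; the tenant URL, the office egress ranges and the admin's own public address are placeholders. Two caveats a practitioner should keep in mind: the allow list applies to all SharePoint Online and OneDrive access (browser, mobile and sync alike), not only to the sync client, and an address that is not in the list when enforcement is switched on, including the one you are administering from, is locked out immediately.

```powershell
# Added example (not from the thread). Assumes Microsoft.Online.SharePoint.PowerShell;
# tenant URL, CIDR ranges and the admin egress address are placeholders (RFC 5737 space).
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Egress ranges of the managed networks that may reach SharePoint Online / OneDrive.
$allowed = @('203.0.113.0/24', '198.51.100.0/24')               # placeholder office ranges

# Always include the address you are administering from, or the next call locks you out.
$adminEgress = '192.0.2.10'                                      # placeholder: your current public IP
if ($allowed -notcontains "$adminEgress/32") { $allowed += "$adminEgress/32" }

# Record the current state so it can be reverted quickly.
$before = Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
$before | Format-List

# Apply the allow list and turn enforcement on (comma-separated CIDR list).
Set-SPOTenant -IPAddressAllowList ($allowed -join ',') -IPAddressEnforcement $true

# Verify.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList

# Rollback, if needed, from a session that is still inside the allow list:
# Set-SPOTenant -IPAddressEnforcement $false
```

Because this fence is network-based rather than device-based, it does not by itself stop a personal laptop on the office Wi-Fi from running the sync client; pairing it with the domain-GUID list (or, for hybrid joined devices, a CA device-based policy) is what actually ties sync to managed machines.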