ODFB sync issue - AAD joined Autopilot devices


Hi,

When I deploy a device using Autopilot and AAD joined, my ODFB is not getting synchronized due to its restriction only for domain joined devices by GUID.

Is there any way to make the sync work on an AAD joined device without disabling the current sync restriction?

Early help will be much appreciated.

8 Replies
Assuming you used the Azure AD PowerShell and got your domain GUIDs on the 365 side and added them? https://www.c-sharpcorner.com/Blogs/onedrive-allow-syncing-only-on-computers-joined-to-specific-domains

Yes. But the problem is with my AAD joined device. On a domain joined device it's working perfectly.
Not sure if it's the same or not, but go to portal.azure.com and log in with your global admin account. Then go to Azure Active Directory on the left side, then Properties. Add your Directory ID to the list if it's a different GUID.
Hi,

Both GUIDs are different. I tried adding my tenant GUID but it is still not working. Any other possible solution?

You might have to give it some time to propagate. Running that PowerShell command I linked in that article, does it return the same GUID as your on-prem domain?
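The check being discussed in the replies above (does the GUID the restriction holds match the on-prem domain GUID, and is the failing device actually domain joined at all?) can be scripted. The following is an added example, not code from the thread or from the linked article. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, the SharePoint Online Management Shell module, and a placeholder tenant admin URL (`contoso-admin`) that you must replace with your own.

```powershell
# Added example (not from the thread): compare the on-prem AD domain GUID with the
# GUIDs currently allowed by the OneDrive sync-client restriction, then show the
# join state of the local device.
# Assumptions: ActiveDirectory module (RSAT) is installed, the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) is installed, and
# "contoso-admin" below is a placeholder for your tenant's admin URL.

# 1. The on-prem AD domain GUID. This is the value the "allow syncing only on
#    computers joined to specific domains" restriction is compared against.
$onPremGuid = (Get-ADDomain).ObjectGUID.Guid
"On-prem domain GUID: $onPremGuid"

# 2. The restriction as currently stored in the tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
$restriction = Get-SPOTenantSyncClientRestriction
$allowed = @($restriction.AllowedDomainList | ForEach-Object { "$_" })
"Restriction enabled : $($restriction.TenantRestrictionEnabled)"
"Allowed domain GUIDs: $($allowed -join ', ')"

# 3. Is the on-prem GUID actually on the allowed list? If the tenant Directory ID
#    was added instead (as tried above), it will appear here but never match a
#    domain-joined client, and an AAD-only client has no domain GUID to present.
if ($allowed -notcontains $onPremGuid) {
    "On-prem domain GUID is NOT in the allowed list. To allow it, run:"
    "  Set-SPOTenantSyncClientRestriction -Enable -DomainGuids `"$onPremGuid`""
} else {
    "On-prem domain GUID is present in the allowed list."
}

# 4. Join state of the device where sync fails. dsregcmd reports AzureAdJoined and
#    DomainJoined separately; an Autopilot AAD-joined device shows DomainJoined : NO,
#    which is why a domain-GUID restriction cannot match it. Run this on that device.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|TenantId'
```

Step 3 only prints the `Set-SPOTenantSyncClientRestriction` command rather than running it, because `-DomainGuids` takes the whole comma-separated list you want to keep; review the existing list before re-applying it. Step 4 is the quickest way to confirm what the thread is circling around: the sync restriction is keyed on on-prem domain membership, and a device that reports `AzureAdJoined : YES` with `DomainJoined : NO` has nothing for that check to match, whichever GUID is on the list.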
AAD join and domain join are two very different things; I wouldn't expect the first to work in a scenario where you have configured domain-based restrictions on your ODFB. Perhaps you should look into configuring a CA policy that requires an AAD joined device instead of using the domain restrictions?

Yeah, but if he needs both it could be an issue. Also, perhaps he doesn't have P1 licensing, but I guess to get it you have to give in to P1 once going cloud anyway :P. You would think that restriction could be smart enough to tell if you're domain joined.

Swaminathan, what you might have to end up doing is computer account write-back; that might work as well, but at this point it's hard to tell 100% how that check actually works.

@Stephen Rice may be able to enlighten us on how this works from a technical side of things, and whether doing both is an option without CA or some form of computer write-back.

I swore that at my previous company my laptop was Azure joined only and I was able to sync OneDrive, and we had the domain restriction set.

I do have a limited M365 E3 license. If I remove the restriction and enable CA, how can I control the sync on Windows 7/8 domain joined and personal devices? For CA to work the device should be registered in AAD.