Forum Discussion
Silently configure OneDrive using Windows 10 or domain credentials
Hi Priyanka
I added EnableADAL manually as well as via registry import.
I am not sure how to do tracing, please advise and let me know what I need to trace.
Have you tested using MFA and ADFS, because we are using MFA with ADFS? I am not sure whether ADFS will support Silent Auto Configuration or not.
Avian
I think I have confirmed that the silent config is not compatible with MFA. I was playing around with this all day and couldn't get it to work. Then I turned off MFA on my test account and just like that the silent config started working. Unfortunately, that means I won't be able to use this feature in my org, as MFA is a requirement. Hope this helps shed some light on your troubles.
Justin
- spgrinch, Aug 30, 2019, Copper Contributor
Manuel_Martinez, either should work whether it's a federated domain or managed. There are separate steps for federated vs managed, but the same process through the Azure AD Connect hybrid setup wizard.
- Manuel_Martinez, Aug 01, 2019, Copper Contributor
Does anybody know if we need an Azure AD Sync with an ADFS infrastructure or if Azure AD Sync with Password Sync will work as well?
- bKeski, Mar 15, 2019, Copper Contributor
In the GPO explanation:
If you enable this setting, users who are signed in on the PC with the primary Windows account (the account used to join the PC to the domain) can set up the sync client without entering the credentials for the account. Users will still be shown OneDrive Setup so they can select folders to sync and change the location of their OneDrive folder.
So only the admin who joined the PC to the domain can set up OneDrive silently???
- Admin Pbibe, Nov 13, 2018, Copper Contributor
Hello,
You need to run GPRESULT with admin rights. Launch a command prompt with administrator rights, and in the cmd window launch your GPRESULT command (including the option "/scope computer" if you only want to report on the GPO affecting the computer).
Michel
- Darren Kattan, Jul 13, 2018, Copper Contributor
Have you found a way around the users having to hit the login button? I am also stuck here.
- null null, Apr 11, 2018, Copper Contributor
I would like to know this too. We don't have ADFS, will this work without it?
- Oliver Roos, Mar 12, 2018, Copper Contributor
Does anybody know if we need an Azure AD Sync with an ADFS infrastructure or if Azure AD Sync with Password Sync will work as well? I'm still not able to get this working ...
- Rudianto Zhuo, Mar 09, 2018, Copper Contributor
Hi,
Does anyone have an idea why the GPO is not applied to the registry?
I tried to run gpresult /H result.html and it seems the GPO is applied to the machine, but it is not applied in the registry.
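An added example, not part of any post in this thread: a PowerShell check of whether the computer policies that gpresult reports actually reached the registry, together with the per-user EnableADAL value and the device join state. The value names under `HKLM:\SOFTWARE\Policies\Microsoft\OneDrive` are the ones the OneDrive administrative template writes and do not appear in the thread; `Get-RegValue` is a helper defined here.

```powershell
# Added example: run as the affected (non-elevated) user on the client PC.
# Registry value names come from the OneDrive administrative template, not from the thread.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$expected = [ordered]@{
    SilentAccountConfig                = 1  # Silently configure OneDrive using the primary Windows account
    FilesOnDemandEnabled               = 1  # Enable OneDrive Files On-Demand
    PreventNetworkTrafficPreUserSignIn = 1  # Prevent network traffic until the user signs in
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. Did the computer policies that gpresult lists reach the registry?
$report = foreach ($name in $expected.Keys) {
    $actual = Get-RegValue -Path $policyKey -Name $name
    [pscustomobject]@{
        Value    = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Ok       = ($actual -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# 2. Per-user preview switch discussed in the thread (0 = off, 1 = on, empty = not set).
$adal = Get-RegValue -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive' -Name 'EnableADAL'
"EnableADAL (HKCU) = $adal"

# 3. Device join state and whether this user holds an Azure AD primary refresh token.
dsregcmd.exe /status |
    Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)' |
    ForEach-Object { '{0} = {1}' -f $_.Matches[0].Groups[1].Value, $_.Matches[0].Groups[2].Value }

if ($report.Ok -contains $false) {
    'Policy values missing: run "gpupdate /force" and re-check gpresult from an elevated prompt.'
}
```

Reading these keys needs no elevation, so the HKCU value and the AzureAdPrt line reflect the user who is actually failing to sign in silently.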
- Rogier Dittner, Feb 28, 2018, Copper Contributor
What I got so far: SSO working.
Got ADSync running, SSO enabled for Office.
Computer\Policies\Administrative Templates\Onedrive
  Allow syncing OneDrive accounts for only specific organizations: Enabled (Tenant GUID: <removed>)
  Enable OneDrive Files On-Demand: Enabled
  Prevent OneDrive from generating network traffic until the user signs in to OneDrive: Enabled
  Silently configure OneDrive using the primary Windows account: Enabled
  The maximum size of a user's OneDrive for Business before they will be prompted to choose which folders are downloaded: Enabled (Tenant Path: <removed>, Value: 50000)
User\Policies\Administrative Templates\Onedrive
  Coauthoring and in-app sharing for Office files: Enabled
  Delay updating OneDrive.exe until the second release wave: Enabled
  Prevent users from changing the location of their OneDrive folder: Enabled (Tenant Path: <removed>, Value: 1)
  Prevent users from synchronizing personal OneDrive accounts: Enabled
  Prevent users from using the remote file fetch feature to access files on the computer: Enabled
  Set the default location for the OneDrive folder: Enabled (Tenant Path: <removed>, Value: %UserProfile%)
  Users can choose how to handle Office files in conflict: Enabled
Sts-adfs in trusted zone. EnableADAL off (0)
Configuration in ADFS
"/adfs/services/trust/13/windowstransport": Enabled
However, this is only internal; externally this is disabled.
The users use a different UPN Suffix than the Domain Name.
The email address is populated when I start OneDrive with:
"C:\Program Files\internet explorer\iexplore.exe" odopen://sync?useremail=<email>
The email address is not populated when I start OneDrive with:
%LocalAppdata%\Microsoft\OneDrive\OneDrive.exe odopen://sync?useremail=<email>
However, still the users need to hit the Login button. Anyone stuck, feel free to duplicate my settings and try to fix the Login automation.
- Rogier Dittner, Feb 28, 2018, Copper Contributor
I'm on the exact same page you're stuck at.
Our config:
ADFS internal, Netscaler as WAP external
Internal clients receive the internal ADFS IP from DNS
STS is in trusted zone
I got the population working by starting:
"C:\Program Files\internet explorer\iexplore.exe" odopen://sync?useremail=<email>
because using %LocalAppdata%\Microsoft\OneDrive\OneDrive.exe odopen://sync?useremail=<email> does not populate
Still, users are required to hit the login button... that's where I'm stuck.
- Oliver Roos, Feb 27, 2018, Copper Contributor
Does anybody know what Microsoft means by the primary Windows account in the setting "Silently configure OneDrive using the primary Windows account"?
The name of that setting was "Silently configure OneDrive using Windows 10 or domain credentials" - so do they still support using domain credentials?
I'm not able to get this setting working - we use Azure AD Connect to put our local domain users to Azure AD and Office365.
- Ted Murray, Feb 27, 2018, Copper Contributor
I have not been able to work on this yet. Will try to remember to post here when I do.
- Rogier Dittner, Feb 27, 2018, Copper Contributor
Anyone made some progress?
- Ted Murray, Feb 15, 2018, Copper Contributor
Darn. Was hoping my first post here would have been helpful. Sounds like I may run into the same issue when we finally have time to start testing this. If I manage to find a solution I'll share it. Hopefully Microsoft will get it working. Guessing that's why the feature is still labeled preview.
- Justin Holloman, Feb 14, 2018, Copper Contributor
Thanks for the suggestion, Ted. Unfortunately, we already have our corporate IPs exempted from MFA so that 2-factor is not required while inside a company office. Somehow, that doesn't seem to apply to the OneDrive silent config, though I can't understand how/why.
- Ted Murray, Feb 13, 2018, Copper Contributor
Justin Holloman wrote:
Hi Avian,
I think I have confirmed that the silent config is not compatible with MFA. I was playing around with this all day and couldn't get it to work. Then I turned off MFA on my test account and just like that the silent config started working. Unfortunately, that means I won't be able to use this feature in my org, as MFA is a requirement. Hope this helps shed some light on your troubles.
Justin
Justin, try whitelisting your work's public IP address in your MFA policy. That should allow the feature to work as MFA would essentially be off inside your network due to the whitelist. MFA would still be required when users log in while outside your network though.
I just started looking into the silent config feature myself so haven't even started testing it yet. However, we already have whitelisting for MFA setup and it works great. Instances where MFA can get in the way are no longer an issue, so long as the user or device is in the building.
Hope this helps.
- Avian 1, Jan 30, 2018, Iron Contributor
Thanks for the clarification, Justin.
I will wait until OneDrive Silent Authentication starts supporting MFA.