Dec 16 2018 03:12 PM - edited Dec 16 2018 03:25 PM
We have mapped some of our file shares to SharePoint Online document libraries (mainly document libraries inside modern communication sites), but I do not want users to be syncing the documents from unmanaged devices, as this will put our documents at risk. So I read this article about how we can manage this risk: Allow syncing only on computers joined to specific domains. So I have these questions:
1. Question 1. If I set the Sync setting to "Allow syncing only on PCs joined to specific domains" and I enter the domain GUID, will this prevent users from syncing the SharePoint document libraries from unmanaged devices?
2. Question 2. Now the link mentions the following: "This setting is only applicable to Active Directory domains. It does not apply to Azure AD domains. If you have devices which are only Azure AD joined, consider using a Conditional Access Policy instead." So I am not sure if in our case we are using AD domains or Azure AD domains.
Now if I search for the users inside "Office 365" >> "Users" >> "Active users", then 95% of the users have "Sync with Active Directory" under the "Sync Type" column, as follows:
while 5% of the users have their "Sync Type" = "In cloud". So does this mean that if we restrict the OneDrive setting to "Allow syncing only on PCs joined to specific domains", then it should prevent all users from syncing on unmanaged devices? In other words, are we using AD domains or Azure AD domains?
Can anyone advise on the above 2 questions?
Thanks
Dec 16 2018 05:45 PM
Dec 16 2018 07:47 PM
@Chris Webb wrote:
Cloud only or synced doesn't tell you if you are domain joined or not. You have to go to portal.azure.com and under Azure AD check Devices. If you have devices listed then they are Azure AD joined. Otherwise they are domain joined (assuming all machines are joined to a domain and not stand-alone).
As for the setting, you get the domain GUID and that should prevent machines not on the domain from syncing. Doesn't mean they are managed. If you have machines joined to Azure AD then you set up Conditional Access to prevent the sync.
Ok, thanks for the reply. Now I went to "portal.azure.com" >> "Azure AD" >> "Devices", and I can see that there are 80 devices listed with join type = "Azure AD Registered". So it seems I have 80 users who are Azure AD joined, and I assume that the remaining users are joined to Active Directory.
So in this case defining the domain GUID inside "OneDrive admin" >> "Sync" will not work for all users (the 80 users), so I need to define Conditional Access to prevent the sync. Is this correct? And can you please mention the list of steps I need to follow to define Conditional Access?
Dec 16 2018 07:52 PM
Dec 16 2018 08:07 PM - edited Dec 16 2018 08:08 PM
@Chris Webb wrote:
Nope. Azure AD registered means they are either workgroup machines or domain-joined machines that are registered with work accounts in your Azure AD. It would say explicitly "Azure AD joined" if they were joined to Azure AD. Sorry, forgot the registered devices show there :p. They could be mobile devices too. But either way, Azure AD joined would say that specifically.
OK, thanks again for your help.
So in my case the devices are Active Directory joined and not Azure AD joined? And I can restrict the OneDrive sync from "OneDrive admin" >> "Sync"? Is this correct?
Here is what I get exactly, where I think the devices are workstations (personal devices), since the version is 10.X.X, which I would assume is referring to Windows 10:
Dec 16 2018 08:40 PM
Dec 17 2018 06:14 AM
@Chris Webb wrote:
Yes, turning on the OneDrive admin sync option should, if it works correctly, block any machine not domain joined from syncing.
Ok, thanks for the reply. So in our case the machines are joined to Active Directory domains and not to Azure AD domains? Also, is there another way to confirm this?
Thanks
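As an added example (not part of this thread or of any participant's reply), the following PowerShell session shows one way to check from a workstation how it is joined, to read the on-premises AD domain GUID that the "Allow syncing only on PCs joined to specific domains" setting expects, and to apply and verify that restriction with the SharePoint Online Management Shell. It assumes the RSAT ActiveDirectory module, the Microsoft.Online.SharePoint.PowerShell module, and a placeholder tenant name `contoso`.

```powershell
# Added example, not from the thread. Assumes: RSAT ActiveDirectory module on a
# domain-joined admin workstation, the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell), and SharePoint admin rights.
# "contoso" is a placeholder tenant name.

# 1. Confirm how THIS machine is joined. dsregcmd reports both on-prem AD state
#    (DomainJoined) and Azure AD state (AzureAdJoined / EnterpriseJoined).
#    A device that appears as "Azure AD registered" in the portal typically shows
#    AzureAdJoined : NO together with WorkplaceJoined : YES under User State.
$status = dsregcmd /status
$status | Select-String -Pattern 'AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined'

# 2. Read the GUID of the on-prem Active Directory domain the PCs are joined to.
#    This is what the OneDrive sync restriction expects, NOT the Azure AD tenant ID.
Import-Module ActiveDirectory
$domainGuid = (Get-ADDomain).ObjectGUID.Guid
"On-prem AD domain GUID: $domainGuid"

# 3. Apply the restriction tenant-wide. -DomainGuids accepts a semicolon-separated
#    list when more than one AD domain must be allowed to sync.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid

# 4. Read the setting back to verify it was stored before announcing the change.
#    Note: this blocks sync from PCs outside the listed domains; it does not by
#    itself cover Azure AD-only joined devices, which need Conditional Access.
Get-SPOTenantSyncClientRestriction |
    Select-Object TenantRestrictionEnabled, AllowedDomainList
```

The sync client re-reads the restriction on its next check-in, so existing syncs on non-domain PCs stop only after that refresh rather than immediately.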
Dec 17 2018 06:19 AM