Prevent users from syncing their SharePoint document libraries unless they are inside the company domain


We have mapped some of our file shares to SharePoint Online document libraries (mainly document libraries inside modern communication sites), but I do not want users to be syncing the documents from unmanaged devices, as this will put our documents at risk. So I read this article about how we can manage this risk: Allow syncing only on computers joined to specific domains. So I have these questions:

 

1. If I set the sync setting to "Allow syncing only on PCs joined to specific domains" and I enter the domain GUID, will this prevent users from syncing the SharePoint document libraries from unmanaged devices?

2. The link mentions the following: "This setting is only applicable to Active Directory domains. It does not apply to Azure AD domains. If you have devices which are only Azure AD joined, consider using a Conditional Access Policy instead." So I am not sure whether in our case we are using an AD domain or Azure AD domains.

Now if I search for the users inside "Office 365" >> "Users" >> "Active users", then 95% of the users have "Sync with Active Directory" under the "Sync Type" column, as follows:

 

[screenshot: Active users list with the "Sync Type" column]

 

while 5% of the users have their "Sync Type" = "In cloud". So does this mean that if we restrict the OneDrive setting to "Allow syncing only on PCs joined to specific domains", it should prevent all users from syncing on unmanaged devices? In other words, are we using an AD domain or Azure AD domains?

 

Can anyone advise on the above 2 questions?

Thanks

7 Replies
Cloud only or synced doesn't tell you if you are domain joined or not. You have to go to portal.azure.com and, under Azure AD, check Devices. If you have devices listed then they are Azure AD joined. Otherwise they are domain joined (assuming all machines are joined to a domain and not stand alone).

As for the setting, you get the domain GUID and that should prevent machines not on the domain from syncing. Doesn't mean they are managed. If you have machines joined to Azure AD then you set up conditional access to prevent the sync.
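The domain GUID step described in the reply above, as an added example (not code from the thread or from Microsoft's documentation). It assumes the ActiveDirectory RSAT module and the Microsoft.Online.SharePoint.PowerShell module are installed, and uses a placeholder tenant admin URL.

```powershell
# Added example: read the on-premises AD domain GUID and apply it to the
# tenant-wide OneDrive sync client restriction. TENANT below is a placeholder.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

# 1. GUID of the AD domain the PCs are joined to. This is what the
#    "Allow syncing only on PCs joined to specific domains" setting matches on;
#    it has no meaning for devices that are only Azure AD joined.
$domainGuid = (Get-ADDomain).ObjectGUID.Guid
Write-Host "Domain GUID: $domainGuid"

# 2. Connect to the SharePoint Online admin endpoint.
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

# 3. Record the current restriction before changing anything.
Get-SPOTenantSyncClientRestriction

# 4. Enable the restriction. Several domain GUIDs are separated by semicolons.
#    -BlockMacSync is optional: Macs have no AD domain GUID, so without it they
#    are not affected by the domain list at all.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid -BlockMacSync:$true

# 5. Verify that the tenant now lists the GUID.
$r = Get-SPOTenantSyncClientRestriction
$allowed = @($r.AllowedDomainList | ForEach-Object { $_.ToString() })
if ($r.TenantRestrictionEnabled -and ($allowed -contains $domainGuid)) {
    Write-Host "Sync restriction enabled for domain GUID $domainGuid"
} else {
    Write-Warning "Restriction not applied as expected; check the output of step 3 and 5."
}
```

The setting takes effect for clients the next time they refresh tenant policy, so an immediate test from a workgroup PC may still succeed for a short while.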

@Chris Webb wrote:
Cloud only or synced doesn't tell you if you are domain joined or not. You have to go to portal.azure.com and, under Azure AD, check Devices. If you have devices listed then they are Azure AD joined. Otherwise they are domain joined (assuming all machines are joined to a domain and not stand alone).

As for the setting, you get the domain GUID and that should prevent machines not on the domain from syncing. Doesn't mean they are managed. If you have machines joined to Azure AD then you set up conditional access to prevent the sync.

@Chris Webb

OK, thanks for the reply. Now I went to "portal.azure.com" >> "Azure AD" >> "Devices", and I can see that there are 80 devices listed with join type = "Azure AD Registered". So it seems I have 80 users who are Azure AD joined, and I assume that the remaining users are joined to Active Directory.

So in this case defining the domain GUID inside "OneDrive admin" >> "Sync" will not work for all users (the 80 users), so I need to define conditional access to prevent the sync. Is this correct? And can you please mention the list of steps I need to follow to define conditional access?

Nope. Azure AD registered means they are either workgroup machines or domain joined machines that are registered with work accounts in your Azure AD. It would say explicitly Azure AD joined if they were joined to Azure AD. Sorry, forgot the registered devices show there :p. They could be mobile devices too. But either way, Azure AD joined would say that specifically.

@Chris Webb wrote:
Nope. Azure AD registered means they are either workgroup machines or domain joined machines that are registered with work accounts in your Azure AD. It would say explicitly Azure AD joined if they were joined to Azure AD. Sorry, forgot the registered devices show there :p. They could be mobile devices too. But either way, Azure AD joined would say that specifically.

@Chris Webb

OK, thanks again for your help.

So in my case the devices are Active Directory joined and not Azure AD joined? And I can restrict the OneDrive sync from "OneDrive admin" >> "Sync"? Is this correct?

Here is what I get exactly, where I think the devices are workstations (personal devices), since the version is 10.X.X, which I would assume is referring to Windows 10:

[screenshot: Azure AD device list showing join type and OS version]

 

Yes, turning on the OneDrive admin sync option should, if it works correctly, block any machine not domain joined from syncing.

@Chris Webb wrote:
Yes, turning on the OneDrive admin sync option should, if it works correctly, block any machine not domain joined from syncing.

@Chris Webb

 

OK, thanks for the reply. So in our case the machines are joined to Active Directory domains and not to Azure AD domains? Also, is there another way to confirm this?

Thanks

They aren't joined to Azure AD because they would say Azure AD Joined in your devices list. If you want to check for domain joined then you have to look at the machine: right-click "This Computer" > Properties, and the "Computer name, domain, and workgroup settings" section will say what the domain is if it's joined to one. You can also look in your local AD wherever you store your computers (Computers OU is default) to see devices joined to your domain as a whole.
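A scripted version of the check in the reply above, as an added example (not code from the thread). It runs on the workstation itself and uses only the built-in dsregcmd tool and the Win32_ComputerSystem class, so the "Azure AD joined", "Azure AD registered" and "AD domain joined" states discussed in this thread can be read without opening the portal or System properties.

```powershell
# Added example: report how this Windows device is joined, so you know whether
# the domain GUID sync restriction or a Conditional Access policy applies to it.
function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; collect the relevant ones.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|WorkplaceJoined)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    # Cross-check the AD side against what Windows itself reports.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName      = $cs.Name
        DomainJoined      = ($status['DomainJoined'] -eq 'YES')
        DomainName        = $status['DomainName']
        PartOfDomain      = $cs.PartOfDomain
        AzureAdJoined     = ($status['AzureAdJoined'] -eq 'YES')
        # "Azure AD Registered" in the portal shows up here as WorkplaceJoined.
        AzureAdRegistered = ($status['WorkplaceJoined'] -eq 'YES')
    }
}

$state = Get-DeviceJoinState
$state | Format-List

if ($state.DomainJoined) {
    # Hybrid devices (AD joined and Azure AD joined) still carry the AD domain GUID.
    Write-Host "AD domain joined ($($state.DomainName)): the domain GUID sync restriction applies."
} elseif ($state.AzureAdJoined) {
    Write-Host "Azure AD joined only: the domain GUID setting does not cover this device; use Conditional Access."
} else {
    Write-Host "Not domain joined (workgroup or only Azure AD registered): the domain GUID restriction will block sync here."
}
```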