I was working on restricting one drive for business client access as we were not able to use conditional access.
Fortunately one-drive provides a way at-least for the client to be restricted to the Active directory domain.
This feature is beneficial for many customers that want users to avoid synchronize data on their personal computers, there are still many limitations with this feature.
- MAC’s are not covered.(you can block but you can’t identify if these are personal or corporate)
- Mobile clients can still synchronize the files from one drive.(device access policies to be used)
- users can still use browser access.
- existing synchronized data will not be erased.
Conditional access is the better way but where not possible this can add some level of control.
Here is what you have to do to enable it, first get the GUID of your Active directory domain:
Use Import-Module Activedirectory so that you are able to run AD shell commands.
Next get all the domains available in your AD forest.
Get the objectguid for the domain that you want synchronization to be restricted.
Get-ADDomain “Domain” | select objectguid
Now you need to logon to one drive admin portal
Click on Sync –> check Allow syncing only from Pcs joined to specific domains.
In the edit domain add the GUID for the domains that you wish to allow for synchronization, rest all will be blocked.
You have the option to block MAC as well..
Save the settings & you are done, wait for changes to happen , it can take up to few hours to take effect.
Ones this configuration is applied user on personal computers will receive an error if they try to sync from one drive from your tenant.
Sorry, OneDrive can’t add your folder at this time. Please contact support
I hope this configuration will assist your organization if you are planning restriction of one drive client.
Thanks for reading