For some organizations there is a concern when deploying OneDrive for Business that users will access corporate data from their personal computers. If the personal computers are not well secured, such as having encrypted drives and good antivirus software, or if the personal computers are shared with unauthorized people, then the corporate data could be exposed.

To address those concerns it’s possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. The general idea is that a domain-joined computer that is within the control of corporate IT will be more secure than the average personal computer that staff own. OneDrive sync restrictions can be configured using the OneDrive admin portal, or the SharePoint Online PowerShell module.

Before you can restrict OneDrive to domain joined computers, you first need to know the GUID of the Active Directory domains that will be allowed to sync. To retrieve the domain GUID, run the following command from a computer or server that has the Active Directory PowerShell module available.

[PS] C:\>(Get-ADForest).domains | foreach {Get-ADDomain $_ | Select Name,ObjectGuid}

Name                                  ObjectGuid
----                                  ----------
exchangeserverpro                     4764a27a-1465-445b-8697-ce1086805439

Next, connect to SharePoint Online and view the current sync restrictions. By default there are no sync restrictions configured.

PS C:\> Get-SPOTenantSyncClientRestriction


TenantRestrictionEnabled   : False
AllowedDomainList          : {}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False

To enable sync restrictions and add the domain GUID to the allow domain list, run the following command.

PS C:\> Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "4764a27a-1465-445b-8697-ce1086805439"


TenantRestrictionEnabled   : True
AllowedDomainList          : {4764a27a-1465-445b-8697-ce1086805439}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False

The sync policy change takes around an hour before it is effective. After the new configuration is in place, a user trying to add a OneDrive account to a computer that is not domain joined will receive an error message after they sign in and choose a location to sync to.

Sorry, OneDrive can’t add your folder at this time. Please contact support.

Restricting OneDrive Sync to Domain Joined PCs

Any existing sync relationships for computers that are not domain joined will begin showing a “sync blocked” message in the system tray, and when OneDrive is opened from the system tray will display a more detailed error message.

Your IT Department requires that you use a computer that is joined to an approved domain to sync this folder. For assistance, contact your IT Department.

Restricting OneDrive Sync to Domain Joined PCs

When you restrict OneDrive sync to specific domains you should be aware of the following caveats:

  • Computers that already have files synced to their local hard drive will not have the files removed.
  • The domain join requirement does not apply to Macs, however you can enable or disable Mac sync as a separate restriction in the OneDrive admin portal (or via PowerShell).
  • The policy will not restrict sync to mobile devices. For that you should use a device access policy, or use Intune.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Cameron

    You can only use letters, numbers and dashes in your domain. Spaces and other punctuation are not permitted. Also, if your ideal domain name is taken, you can try a few things to get around that:

    Search other extensions. All domain names have an extension like “.com” or “.net” or “.org”, amongst hundreds of others. While “.com” is seen as the original and therefore generally perceived as the most trustworthy amongst internet users, you can pretty much pick whatever extension you want. If possible, try and get a .com domain though.
    You can add small words to the front or end of the domain. Try inserting words like “my”, “the”, “best”, “top”, “online” or “all” to your domain. Hopefully you’ll arrive at a word combination for your domain that is available to register.
    Remember that dashes (-) are OK to use in domain names. So you could try and get jenns-blog.com or something similar, Visit https://www.hostt.com/ for more

  2. Phil

    Wondering if it is possible to have the restriction for only allowing Onedrive syncing for domain pcs and then make exception to allow 1 users personal onedrive on the same pc. I know kind of defeats the purpose, but I am asked to look into it.

  3. Hans Petter Malme

    Hi
    In our company we have a mix of Active Directory domain computers and Azure AD joined machines. As soon as we activated this setting OneDrive stopped working on the Azure AD computers, worked fine on domain computers, but the Azure AD clients stopped. Have anyone successfully deployed a CA rule to enforce that OneDrive only works on Corporate managed machines ?

    1. James

      Hi, really interested if you found a way around this other than limiting SharePoint to web only on unmanaged devices.

  4. John E

    How do you unlink a OneDrive account on a Mac once it’s been locked out of syncing?

    I’ve tried deleting the OneDrive item from
    System Preferences | Users & Groups | Login Items,
    but it keeps reinserting itself, and then launching at start up only to endless tell me it can’t sync.

    OK, fine, block me from syncing, but let me get into the client far enough to unlink OneDrive on the Mac from my domain account, and at the very least, don’t force auto-start an account with “sync problems.”

    1. John E

      Looks like I was able to shut down OneDrive and remove a settings directory:
      rm -r ~/Library/Application\ Support/OneDrive/settings/Business1

      and restart, and then setup a personal account.

      While testing, I also deleted the OneDrive synced directory (in my user folder), and some OneDrive plist files in my ~/Library/Preference, so I’m not sure what was the complete trigger.

  5. Simon P

    I can not get this to work consistently as described.

    I have a PC that is joined to the domain that cannot download or sync onedrive or sharepoint files.
    I have a PC NOT joined to any domain that CAN download or sync onedrive or sharepoint files.
    Both PC’s logged into Office 365 using the same account details (global admin, myself)

    Also, If I refresh my browser page (F5) this restriction is added, then removed, in other words its toggled on/off. This is happening on both IE and chrome.

    Have you any ideas what could be going on ?

  6. Ollie

    Great write up. I implemented this recently and probably locked out the whole group. AM I correct in assuming that the GUID I need to add is from your AD on-prem if you’re in a hybrid environment? I used the Directory ID in Azure which is why my users were locked out. Could you please clarify this?

  7. Salvador

    Hi Paul,

    We do not want it to Sync to users PC but keep the One Drive For Business on the Cloud open for users to save additional files. As, these are VDIs and they do not have space. We do not want to Sync 1TB to a VDI. So, how will we go about not allowing it to Sync to the Virtual Desktops.

    Appreciate your response.

    1. Ronald

      Hi Paul,

      Because we are talking about VDI’s, I assume that you have total control over all policies, applications and settings.

      In that case you just remove the OneDrive client from the VDI or disable it.
      This way you cannot sync the data because you will not give access to the OneDrive Sync client.
      You can use group policies for OneDrive, you can use applocker, remove the start of OneDrive in the registry, remove the application completely, etc. So many ways to do so.

      If you are looking for a good solution in the future to sync OneDrive data to VDI’s, take a look at FSLogics which is part of Microsoft now. It can also be used for ost files for caching exchange data for Outlook.

      Hope this helps.

  8. Emma

    very basic question for regular home user here!Before my company restricted our OneDrive for Business, I was accessing it from my home PC. I now get the second pop up described “Your IT Department requires that you use a computer that is joined to an approved domain to sync this folder. For assistance, contact your IT Department.”
    This all fine, I do not need access from my home computer. But how do I remove the OneDrive for Business folder from my Windows Explorer Sidebar? It is not in the Quick access menu, and when I try to click on the blue cloud in the system tray, the menu is blocked by the pop up, and then the icon disappears. Only way to bring it back, brings up the pop up which prevents me from opening the menu to unlink the account. Any suggestions?

    Thanks!

  9. Samuel A.

    What I gather from the article and comments is that this setting should not be used if you have Azure Active Directory joined machines? Instead, rely on CA policies? To me that leaves a gap.
    In my scenario, all computers are Hybrid Azure AD Joined, and we are looking to incorporate Azure AD joined machines as well.
    How about using the AAD tenant guid instead of the AD domain guid? That way computers, joined to the domain or not, are restricted to syncing data from the tenant only?

  10. Mr J

    Hi Paul,
    Any clues if it works by restricting sync of files to domain joined computers and or Mac computers are domain joined?

    Regards

  11. Navishkar Sadheo

    Hi Paul

    As always, thank you. I have this option enabled and it works fine for my domain joined machines. However I have my personal laptop that I would also like to sync my OneDrive with. Its not on any domain so I just entered the UUID of my laptop in the “allow syncing only on pcs joined to specific domains” section thinking it might work but it unfortunately it doesn’t. Is it even possible?

    1. Mr. Latrache

      Paul – Did you find a way to allow for an exception for a non domain joined PC

      1. Paul Cunningham

        No. I think if you’re trying to get to that level of control you will need to look at Azure AD conditional access policies instead.

  12. Dan Turnbull

    Hi Paul,

    I had this feature setup successfully against our Tenant ID.

    I tried to revert it back as one of our Directors has a workgroup laptop.

    In the OneDrive admin center, Unticking the “”Allow syncing only on PC’s joined to specific domains” ” tick box and removing the tenant ID.

    This disconnected everyones Onedrive sync clients.

    I don’t suppose you know a way of reverting back without affecting domain users OneDrive sync clients?

    I have to go back around re syncing Onedrive and Sharepoint libraries now 🙁

    Kind Regards

    Dan

    1. Dan Turnbull

      Managed to sort now, You have to Untick “Allow syncing only on PC’s joined to specific domains” but leave the Tenant ID in. It just takes an hour to take affect (As you mentioned)

  13. Egil

    Anyone been successfully in restricting sync to both on-prem domain or Azure domain joined machines ?

    1. E

      Having same issue. Don’t think this is possible or havn’t found a way as Azure AD machines report a Domain GUID as {00000000-0000-0000-0000-000000000000}.

  14. Juan

    Paul – This is great. Microsoft has made some changes like not allowing sync on Mac devices. You may want to update the article to reflect these changes.

  15. Nouha M.

    Hello, we are planning to restrict OneDrive Sync to Domain Joined PCs due to security requirements. One of the caveats you mentioned is the sync to Mobile Device. Not clear about Sync to Mobile Device. Are you referring to the ability to download a document offline with OneDrive for Business App?

  16. Juan Ramos

    This feature while great is a double-edged sword in the world of BYOD. I still can’t determine if this can work or will ever work with AzureAD joined machines (Win10). There is a need for additional granularity to manage sync to machines that are not truly “domain joined”

    I’ve tried with these GUIDS with no success:
    – AzureAdPrtAuthority : https://login.microsoftonline.com/
    – WamDefaultGUID: (AzureAd)

  17. Ted Larsen

    Thanks for this write up. I’m having some difficulties however. I ran the Get-ADForest command as instructed in your example, from my local domain-joined system at my place of business and received 3 ObjectGUID’s.

    I put all 3 GUID’s in the the “Allow box” and hit save. About 30 minutes later, my OneDrive Client (Which was previously syncing fine) showed the “Your IT Dept requires your machine be domain-joined” and OneDrive was blocked.

    I then turned off the block feature in the Portal, and within 10 minutes, I was able to sync again.

    In my specific example, the Object GUID’s that show up were: (names changed for privacy)

    apps (long GUID)
    Corporate (long GUID)
    Contosocompanies (long GUID)

    my machine is joined to a domain called
    corporate.contosocompanies.com

    Why does the Get-ADForest break up corporate and contosocompanies into two seperate GUID’s? I put both in the OneDrive Field seperated by a return, and it accepted it. However, it’s blocking my PC.
    Do I need to *combine* the corporate and contosocompanies GUID’s into one? Am I missing something obvious or am I looking in the wrong place for the proper GUID’s?

    1. Paul Cunningham

      You’re only entering the GUIDs? No other stray characters, spaces, anything like that?

      1. Ted Larsen

        Correct, just the GUID’s, separated by a return in the box (which it indicates should be done for multiple GUID’s) each one on a new line.

        I though I’d try just entering in one GUID, but I’m unsure which one I should try since it seems both GUID’s listed are just part of my complete domain. Should I just try the contosocompanies.com GUID?

        1. Paul Cunningham

          Use the GUID for the domain that your workstation is a member of.

          1. Ted Larsen

            Right, that’s the question I have though. My machine shows it is a member of:

            corporate.contosocompanies.com domain. But each of those (corporate and contosocompanies) have different GUID’s in the powershell results.

            when I put both GUID’s in the OneDrive Domain box, separated by a return, it started blocking my OneDrive sync. So it didn’t like that. I’m not sure why.

            I was next just going to try just putting contosocomopanies GUID by itself (since it’s the last half of the domain name my PC says it’s joined to). Just curious if you think that is the next thing to try. I don’t want to accidentally block syncing again if I can avoid it, as many of our users already use this sync and I don’t have a test domain to work with.

          2. Paul Cunningham

            Your PC isn’t a member of half a domain though.

            corporate.contosocompanies.com is a domain

            contosocompanies.com is a domain

            Domains can have parent-child relationships in an AD forest, but they’re still separate domains.

            Your PC is a member of one domain. Use the GUID for the domain your PC is a member of.

            I don’t have a multi-domain forest to test this with. If you’re still stuck getting it working then I recommend a support call to Microsoft. Also keep in mind that a trial tenant is free to set up and gives you 30 days to test with.

  18. Dan F

    Am i correct in thinking that even with locking this down to your domain GUID this only restricts using the Windows client, so people will still be able to log into the O365 portal from any browser and access OneDrive?

    1. Kai-Uwe Dzialas

      My understanding is the same as yours.
      This setting only affects the OneDrive Sync-Client, not the access by webbrowser.

    2. Paul Cunningham

      Yes, this impacts the sync client on Windows PCs (there is also the option there to block Mac sync client). Mobile devices are managed with the separate device controls, and access to the OneDrive web app is controlled with Azure AD conditional access.

  19. Ed Williams

    Thanks! My god this was SO difficult to find, thanks so much!

  20. Koos van Duijvenbode

    Will this also work with computers joined to the Azure AD?

    1. BL

      I don’t think so. I have added the GUID/Tenant ID but it does not work from my AD joined Windows 10 laptops. Hope to find a clarification.

  21. Maikel Kool

    Hi, can you explain this setting :

    The domain join requirement does not apply to Macs, however you can enable or disable Mac sync as a separate restriction in the OneDrive admin portal (or via PowerShell).

    Because I cannot find this restriction in the OneDrive admin portal.

    regards Maikel

    1. Paul Cunningham

      It might have been removed from the portal, but you can still use PowerShell to configure it.

    2. Kai-Uwe Dzialas

      Hi,

      I fund the setting in OD-Adminportal:

      First you check the box “Allow syncing only on PCs joined…”.
      Then click “Edit domains”
      Underneath the domain list is a checkbox “Block sync on Mac OS”

      Hope this helpes.

      Regards Kai.

  22. Joshua

    Does this also affect users who attempt to connect via WebDAV?

Leave a Reply