OneDrive - Allow sync only from compliant devices

StephanG 826

Can someone help us please with this? https://learn.microsoft.com/en-us/sharepoint/enable-conditional-access

We get nowhere and it mentions our use case right there: "For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune)." How can we achieve that?

We already: opend up a support case, tried Discord, tried X (former Twitter ;) ), set up a Dev Tenant and played around to find the right setting (very time consuming).

Stephan

3 answers

Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-06T02:20:11.4333333+00:00

Hi @StephanG

Did the administrator set Require device to be marked as compliant (Microsoft Intune) within a Conditional Access policy to grant or block access to resources?

For more information about compliance policies, see Set rules on devices to allow access to resources in your organization by using Intune.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
StephanG 826 Reputation points

2024-12-06T06:13:37.1033333+00:00

Thanks for your response. Sorry for being unclear. We only want to block the sync on non-compliant devices - as the document says.
We have external freelancers (BYOD) that are allowed to use Teams as an App or even Outlook - but they are not allowed to sync all files to their files.
Also guests should not be able to sync the files but should be able to access the cloud apps they have access to and even use the Teams App to access.

If the document is valid - this should be possible. And is a "normal" usecase in my opinion. You can do that for AD devices - so it should be possible for Intune too
https://learn.microsoft.com/en-us/sharepoint/allow-syncing-only-on-specific-domains

BR

Stephan

Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-06T08:59:33.86+00:00

Hi @StephanG

Thanks for your reply. According to your description, you may create a policy for specific users:

Sign into Microsoft Intune Admin Center > Devices > Conditional Access under Manage Devices > Create new policy.

Name a policy.

For "Users", you may tick the box of "Guest or external users". You can choose a test user and test it out first.

For "Target Resources", you may select resources, enter "Office 365", then choose "Office 365 SharePoint Online".

For "Network", you may set based on your needs.

For "Conditions", you may set the "Device Platforms". The "Client Apps", you may choose "Mobile apps and desktop clients".

For "Access Controls", you may block accesses under "Grant".

And then click "On" to enable this policy and click "Create". Then the user cannot download online files to local or print or sync files.

StephanG 826 Reputation points

2024-12-06T09:08:06.89+00:00

We will try that. Is there any possibility to ask the authors of this document - how they thought it could be achieved?

Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-06T09:19:24.9833333+00:00

Hi @StephanG

I want to help you, but Q&A has no resources to contact them. Sorry ~

Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-12T01:35:05.5+00:00

Hi @StephanG

Sorry to bother you, just want to check the progress of your issue.

Besides, I find an article: Limited Access with Conditional Access for Unmanaged Devices, you may have a look.

StephanG 826 Reputation points

2024-12-12T07:24:01.3633333+00:00

Thanks for the link. But that prohibts users to use Teams App or Office Apps to access content. We only want to disallow the sync - like described in the article. Therefore the suggested CA policy will also not work. But we will try it out anyway - so we can proceed
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
StephanG 826 Reputation points

2024-12-12T07:26:36.99+00:00

This will prohibit the usage of all Apps not only the Sync. We just want to achieve what is described in the article.
We will try out the suggested CA policy - but it think it will also block the access for every app - not only the sync.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
StephanG 826 Reputation points

2024-12-12T09:17:14.5166667+00:00

I created the CA - and it happend what had to happen ;) Opening Teams as a Guest User in our tenant
Please sign in to rate this answer.
Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-12T09:21:53.4066667+00:00

Hi @StephanG

Thanks for your back and letting me know the progress.

If my previous suggestion about CA policy on ""Target Resources" and "Conditions" on Client Apps do not meet your requirement, I suggest you check whether DLP (Data loss prevention) setting is helpful to you.

The reference I find: https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings?tabs=purview#auto-quarantine

As DLP settings are related to "Microsoft Purview", if you have further issues on it, I suggest you post a new thread in Q&A forum with "Microsoft Purview" tag.

Thanks for your understanding.

StephanG 826 Reputation points

2024-12-12T09:24:49.29+00:00

Thanks for your quick response. I just do not get how there can be an article out there - that has no real solution. If someone would say - it is just not possible, and the article gets deleted then this is also an answer.

Jiajing Hua-MFST 12,240 Reputation points Microsoft Vendor

2024-12-18T10:08:45.3033333+00:00

Hi @StephanG

If the "Target Resources" (CA policy) settings or syncing settings apply to SharePoint sites, it also applies to OneDrive.

But because opening files in Microsoft Teams needs to access to resources in SharePoint Online or OneDrive. So, when opening shared files in Microsoft Teams, users also subject to the SharePoint CA policy.

The reference: What are service dependencies in Microsoft Entra Conditional Access?.

Besides, based on my tests, users cannot open files via sharing link in emails.

When the "Browser" is not ticked for "Clients apps" in Conditions of CA policy, users can choose open shared files via browser in Teams.

Therefore, "--- or devices that meet compliance as defined by the Mobile Device Management system (like Intune)" can be achieved, but there are cloud apps with dependencies to other cloud apps, if you block syncing on non-compliant equipment, users may not open files in Teams or Outlook.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

OneDrive - Allow sync only from compliant devices

3 answers

Your answer