Blocking OneDrive Sync on Personal Devices Without Affecting M365 Apps – Need Alternative to Conditional Access

Idrissa Kirakoya - Admin 0 Reputation points
2025-05-27T19:20:00.94+00:00

In one of our environments, we have a mix of Hybrid Azure AD joined devices and fully managed Intune devices.

Our goal is to block OneDrive sync on personal (non-managed) devices, while still allowing sync on organization-managed devices (Hybrid join or Entra joined). At the same time, all users should retain access to OneDrive via the web, regardless of the device they are using.

What we’ve done so far:

We created a Conditional Access policy that blocks access to OneDrive for devices that are not marked as compliant in Intune.

However, under "Cloud apps or actions", we could not find a specific entry for OneDrive.

The only available option was Office 365 SharePoint Online (App ID: 00000003-0000-0ff1-ce00-000000000000), which covers both SharePoint and OneDrive.

The problem:

With the Conditional Access policy in place, OneDrive sync is successfully blocked on personal/non-compliant devices — which is exactly what we want.

However, the same policy ends up blocking access to other Microsoft 365 applications like Teams, Outlook, Exchange, OneNote, etc., even for users on compliant devices.

We also noticed that OneDrive does not appear as a separate Enterprise Application in Azure/Entra ID, making it impossible to target it independently.

What we need:

A solution that blocks only OneDrive sync on non-managed devices

Microsoft 365 apps (Teams, Outlook, etc.) must continue to work for all users

Access to OneDrive via browser must remain available for everyone

Sync should be allowed only on Entra Joined or Hybrid Joined devices, which we are tracking using dynamic groups in Entra ID

Summary:

Conditional Access looked like a viable option, but due to the lack of a dedicated OneDrive app target, it's impacting too many other services. If there's no way to isolate OneDrive sync using Conditional Access, we're looking for an alternative method, possibly using Intune device configuration, registry policies, or other supported techniques.

Any suggestions or official guidance would be greatly appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
    2025-05-28T07:32:36.5866667+00:00

    If you plan to address this via CA policies, you will need to edit the settings on each SPO site you want to be accessible, as by default everything is blocked. This article gives you the relevant details: https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

    An alternative approach is to consider blocking sync for non-domain joined devices, via the Set-SPOTenantSyncClientRestriction cmdlet: https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction?view=sharepoint-ps

    This approach only affects the OneDrive sync functionality and nothing else, but as the setting name suggests, it only affects domain-joined machines. To account for Entra joined ones, you have to implement a workaround, namely populating the AADJMachineDomainGuid reg key on the device with the value of your tenantID. Refer to this forum thread for more details on this workaround: https://techcommunity.microsoft.com/discussions/sharepoint_general/onedrive-sync-for-azure-ad-joined-computers/3261055/replies/3629963

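The two halves of the sync-restriction approach described in the answer above (the tenant-side Set-SPOTenantSyncClientRestriction setting, plus the device-side AADJMachineDomainGuid registry workaround for Entra-joined machines), written out as an added PowerShell example. This is not code from the thread, from the linked articles, or from Microsoft. The admin URL, the on-prem domain GUID and the tenant ID are placeholders; the HKLM policy path used for the registry value is an assumption about where the sync client reads it; and listing the tenant ID in -DomainGuids alongside the AD domain GUID is how the workaround is understood here, so confirm both against the linked thread before rolling out.

```powershell
# --- Part 1: tenant side, run once by a SharePoint administrator -----------
# Restrict OneDrive sync to devices joined to the listed domains. Web access
# to OneDrive is untouched by this setting; only the sync client is affected.

$AdminUrl     = "https://contoso-admin.sharepoint.com"   # placeholder admin URL
$OnPremDomain = "00000000-0000-0000-0000-000000000001"   # placeholder AD domain GUID
$TenantId     = "00000000-0000-0000-0000-000000000002"   # placeholder Entra tenant ID

# On a domain-joined admin workstation with the ActiveDirectory module, the
# real domain GUID is: (Get-ADDomain).ObjectGUID.Guid

Connect-SPOService -Url $AdminUrl

# Hybrid-joined devices match on the AD domain GUID. Entra-joined devices have
# no AD domain, so (assumption, per the workaround) the tenant ID is added to
# the allowed list and each device advertises it via the registry (Part 2).
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "$OnPremDomain;$TenantId"

# Verify what the tenant now enforces before pushing the device-side piece.
Get-SPOTenantSyncClientRestriction


# --- Part 2: device side, run on each Entra-joined device (e.g. an Intune ----
# platform script in SYSTEM context, targeted at the Entra-joined dynamic group)

# Assumed policy location read by the OneDrive sync client.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$ValueName = "AADJMachineDomainGuid"

# Only stamp devices that are actually Entra-joined; hybrid-joined machines
# already satisfy the domain-GUID check and do not need the workaround.
$status = dsregcmd /status
$isEntraJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')

if ($isEntraJoined) {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType String `
        -Value $TenantId -Force | Out-Null

    # Read the value back so the Intune script log shows what was written.
    $written = (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
    if ($written -ne $TenantId) {
        Write-Error "$ValueName was not written correctly (got '$written')"
        exit 1
    }
    Write-Output "$ValueName set to $TenantId"
} else {
    Write-Output "Device is not Entra-joined; no registry change made"
}
```

After the sync client restarts it will again compare the device's domain GUID (or the stamped tenant ID) against the tenant's allowed list; a personal device matches neither and is prevented from syncing, while Teams, Outlook and browser access to OneDrive continue to work because no Conditional Access policy is involved.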
