Cloud Sync

Waverly Chua 85 Reputation points
2025-12-19T07:06:41.11+00:00

Hi All,

I’m currently performing a cleanup and security review of Enterprise Applications (service principals) in our Microsoft Entra ID tenant. During this process, I came across an application named Cloud Sync, with a URL/identifier referencing onedrivedev.

The service principal has permissions such as Files.ReadWrite.All and offline_access, which are relatively broad and can raise concerns during security audits.

I would like to better understand the legitimacy and purpose of this application. Specifically:

Is the Cloud Sync / onedrivedev service principal a Microsoft first-party application related to OneDrive or Microsoft cloud sync functionality?

Are the assigned permissions (file read/write and offline access) expected and required for its normal operation?

Is there any official Microsoft documentation or guidance that explains this service principal and its role?

Are there supported scenarios where this application can be disabled or restricted without impacting OneDrive or user productivity?

This review is part of a security hardening and audit exercise, and I want to ensure we follow Microsoft-supported best practices before making any changes.

Thanks in advance for any clarification or references.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Monalisha Jena 4,220 Reputation points Microsoft External Staff Moderator
    2025-12-19T07:56:26.5833333+00:00

    Hello Waverly Chua,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I will try to clarify your doubts regarding this issue one by one.

    1. As you asked "Is the Cloud Sync / onedrivedev service principal a Microsoft first-party application related to OneDrive or Microsoft cloud sync functionality?"

    Yes. The Cloud Sync / onedrivedev service principal is a Microsoft first‑party application created automatically when you enable Microsoft Entra Cloud Sync. It is not a custom or external app; it is a required Microsoft‑owned service principal used for directory synchronization.

    This means:

    • The application is expected, safe, and required
    • It is not related to user-installed apps
    • It should not be removed or restricted, otherwise Cloud Sync breaks

    Reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-troubleshoot

    2. Is there any official Microsoft documentation or guidance that explains this service principal and its role?

    Yes, Microsoft provides official documentation that explains that OneDrive uses Azure AD app registrations and service principals, and that Microsoft first‑party apps appear in your tenant as service principals which define their permissions and access. See Microsoft Learn for service principals in Entra ID, OneDrive’s Azure AD sign‑in and OAuth model, and the first‑party app service principal reference table.

    Some references: https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth?view=odsp-graph-online

    https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-service-principal-table

    https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?WT.mc_id=blog-itopstalk-salean&tabs=browser

    3.Are there supported scenarios where this application can be disabled or restricted without impacting OneDrive or user productivity?

    There are no Microsoft‑supported scenarios where the Cloud Sync / onedrivedev service principal can be disabled, restricted, or permission‑reduced without breaking Cloud Sync.

    Disabling or restricting this service principal results in:

    • Cloud Sync failure
    • Directory provisioning breaks
    • Password writeback fails
    • Authorization errors
    • Microsoft auto-recreates the service principal, showing it is required infrastructure

    This identity is not meant to be governed like a user‑installed app; it is part of Microsoft’s core identity synchronization architecture.

    Reference: https://learn.microsoft.com/en-us/sharepoint/use-group-policy

    https://learn.microsoft.com/en-us/entra/architecture/service-accounts-principal

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps

    4. Are there supported scenarios where this application can be disabled or restricted without impacting OneDrive or user productivity?

    Unfortunately, no, Microsoft does not document supported scenarios where the core OneDrive Cloud Sync / onedrivedev app is disabled without impact. Hardening should be done through OneDrive/SharePoint policies and Entra Conditional Access (for example, blocking personal OneDrive, restricting which tenants can sync, or requiring managed devices), not by disabling this Microsoft first‑party application.

    Reference: https://learn.microsoft.com/en-us/sharepoint/authentication-context-example

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/disable-user-sign-in-portal?pivots=portal

    https://learn.microsoft.com/en-us/sharepoint/use-group-policy

    Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well.

    If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha


  2. Vasil Michev 123.7K Reputation points MVP Volunteer Moderator
    2025-12-19T07:57:43.2866667+00:00

    It smells fishy to me. Check the AppId corresponding to said service principal against the list of known first-party SPs: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in

    Also check the publisher tenant's ID (appOwnerOrganizationId).

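The two checks suggested in the answer above (match the AppId against Microsoft's published first-party list, and inspect appOwnerOrganizationId), scripted as an added example with Microsoft Graph PowerShell. This is not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in account can read applications and delegated grants, and that the service principal is found by the display name "Cloud Sync". The two publisher tenant IDs are the well-known Microsoft tenants that first-party apps are published from; treat a match as a necessary but not sufficient signal and still reconcile the AppId against the linked Microsoft list.

```powershell
# Added example: triage an unfamiliar Enterprise Application (service principal)
# in Microsoft Entra ID. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Well-known tenants Microsoft publishes first-party apps from.
# Assumption: any other owner tenant means the app is NOT Microsoft first-party.
$MicrosoftOwnerTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a'  # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'  # Microsoft corporate tenant
)

$displayName = 'Cloud Sync'   # name as it appears under Enterprise Applications
$sps = Get-MgServicePrincipal -Filter "displayName eq '$displayName'" -All

if (-not $sps) { Write-Warning "No service principal named '$displayName' found."; return }

foreach ($sp in $sps) {
    $ownerIsMicrosoft = $MicrosoftOwnerTenants -contains $sp.AppOwnerOrganizationId

    # Identity facts a reviewer wants side by side: AppId (to look up in the
    # first-party list), owner tenant, publisher, and every name/URI the SP
    # answers to (this is where an 'onedrivedev' identifier would show up).
    [pscustomobject]@{
        DisplayName           = $sp.DisplayName
        ObjectId              = $sp.Id
        AppId                 = $sp.AppId
        AppOwnerOrganization  = $sp.AppOwnerOrganizationId
        OwnerTenantIsMicrosoft = $ownerIsMicrosoft
        PublisherName         = $sp.PublisherName
        ServicePrincipalType  = $sp.ServicePrincipalType
        SignInAudience        = $sp.SignInAudience
        AccountEnabled        = $sp.AccountEnabled
        Homepage              = $sp.Homepage
        ServicePrincipalNames = ($sp.ServicePrincipalNames -join '; ')
        ReplyUrls             = ($sp.ReplyUrls -join '; ')
    } | Format-List

    if (-not $ownerIsMicrosoft) {
        Write-Warning "AppId $($sp.AppId) is owned by tenant $($sp.AppOwnerOrganizationId), not a Microsoft publisher tenant. Treat as third-party until proven otherwise."
    }

    # Delegated (OAuth2) grants: Files.ReadWrite.All and offline_access are
    # delegated scopes, so they appear here. ConsentType 'AllPrincipals' means
    # admin consent for every user; 'Principal' means one user consented.
    Write-Host "Delegated permission grants for '$($sp.DisplayName)':"
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        Select-Object ConsentType, PrincipalId, Scope,
            @{ n = 'Resource'; e = { (Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId).DisplayName } } |
        Format-Table -AutoSize -Wrap

    # Application (app-only) role assignments, which would allow access with
    # no user present at all; an empty list here is what you want to see.
    Write-Host "Application role assignments for '$($sp.DisplayName)':"
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Select-Object ResourceDisplayName, AppRoleId, PrincipalType, CreatedDateTime |
        Format-Table -AutoSize
}
```

Run it read-only first; nothing here changes the tenant. If the owner tenant is not a Microsoft publisher tenant, or the AppId is absent from Microsoft's first-party list, the delegated grants tell you which users (PrincipalId) or the whole tenant (AllPrincipals) authorised Files.ReadWrite.All, which is the scope you would revoke or investigate rather than the SP's existence.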
