SharePoint SPSE & Onedrive Sync for multiple webapps

Question

Hello,

We are planning to move from NTLM to OIDC using Entra ID for SPSE, but I am encountering an issue with synchronization for multiple web applications.

I attempted to configure a single app registration with two URLs, as well as create two separate app registrations for the two web applications. However, I am stuck because when I click on OneDrive sync, it keeps loading indefinitely. The sync works well for the My Sites, but it does not function for the other site in other webapp.

I have configured Front Door with the My Sites URL and enabled OIDC in the registry editor. Additionally, I added My Sites and Team Sites, along with wildcards, in the manifest of the app registration.

Could you pls help me?

Thanks

Answer 1

Hi @Quan PHAM HONG

Please note that we're not Microsoft Support; this is a user-to-user community forum. Moderators here don't have access to your environment or Microsoft's backend systems, so we can only provide guidance based on public documentation and community experience.

Since you've already tested both a shared app registration and separate app registrations, the next step is to verify the OneDrive client-side OIDC configuration. The sync client relies on both the SharePoint-side OIDC configuration and client-side settings used during authentication.

I would suggest checking the following:

• Verify the configured SharePointOnPremFrontDoorUrl value and ensure authentication requests for both My Sites and the second web application are handled correctly.
• Confirm the SharePointOnPremApplicationIdUri value configured on the client and how it relates to the Application ID URI(s) used by your OIDC configuration.
• If you're using separate Entra ID app registrations, verify that any required SharePoint-side configuration (such as ScopedClientIdentifier mappings, if supported by your SPSE build) has been completed.
• Review the OneDrive client logs located at: %localappdata%\Microsoft\OneDrive\logs Look for authentication, audience validation, token acquisition, site discovery, or redirect URI-related errors.

I hope this helps.

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

For OneDrive sync to work reliably with SharePoint Server Subscription Edition (SPSE) and Microsoft Entra ID (OIDC), the OneDrive sync app must be correctly targeted at the on‑premises SharePoint “front door” URL, and the SharePoint web applications used for OneDrive/Team Sites must be correctly configured for OIDC and HTTPS.

Key points and checks based on the documented configuration model:

1. Confirm HTTPS and certificate on each OIDC web application

• OIDC in SPSE requires HTTPS only. If any of the web applications (My Sites or Team Sites) are still using HTTP, OIDC and therefore OneDrive sync will not complete correctly.
• For each web application that uses OIDC, assign a valid SSL certificate:
  • In SharePoint Management Shell, run something like:

        Set-SPWebApplication -Identity https://spsites.contoso.local -Zone Default -SecureSocketsLayer -Certificate "Contoso SharePoint (2021)"
    

  • Repeat for the other web application URL if it is a separate web app.
• Verify in Central Administration → System Settings → Configure Alternate Access Mappings that the HTTPS URL is correctly configured for each zone.

2. Ensure the OIDC configuration covers all relevant URLs

• The documented example uses a single SPSE farm with a single OIDC configuration and a single SharePoint site URL (for example https://spsites.contoso.local/).
• In the Entra app registration used for OIDC, the redirect URIs must match the actual HTTPS URLs that SharePoint uses for sign‑in. The guidance shows changing the redirect URI from a single URL to a wildcard:
  • In the app registration → Manifest, set:
    • redirectUris: https://spsites.contoso.local/*
    • redirectUriSettings[].uri: https://spsites.contoso.local/*
• For multiple web applications, each web app that uses OIDC must either:
  • Be covered by the same wildcard pattern if they share a common host (for example, different paths under the same host), or
  • Have its own explicit redirect URI(s) in the app registration, or its own app registration.
• If the Team Sites web app uses a different host name than My Sites, ensure that host is explicitly present or covered by a wildcard in the app registration’s redirect URIs and redirectUriSettings, and that the RegisteredIssuerName and endpoints in the SharePoint OIDC configuration match the Entra app.

3. Configure the OneDrive sync app for SPSE correctly

• For SPSE/2019, the OneDrive sync app (OneDrive.exe) must be pointed at the on‑premises SharePoint “front door” URL via Group Policy or registry.
• Using Group Policy (recommended):
  • Import the OneDrive.admx/OneDrive.adml templates into C:\Windows\PolicyDefinitions and C:\Windows\PolicyDefinitions\en-US if the OneDrive node is not visible.
  • Under Computer Configuration\Administrative Templates\OneDrive configure:
    1. Specify SharePoint Server URL and organization name
       • SharePointOnPremFrontDoorUrl = the HTTPS front door URL for SPSE (for example, the main web app host that fronts My Sites and/or Team Sites).
       • SharePointOnPremTenantName = friendly name for the root folder in File Explorer.
    2. Specify the OneDrive location in a hybrid environment
       • SharePointOnPremPrioritization determines whether the sync app prefers Microsoft 365 or on‑premises when the same identity exists in both. For pure on‑premises or when you want SPSE prioritized, set this so the sync app first connects to SPSE.
• If the front door URL is configured only for My Sites and not for the Team Sites web app host, the sync app may successfully handle My Sites but fail or hang when trying to establish sync for libraries on the other web app.

4. Validate behavior with a single identity and front door

• The documented pattern assumes a single SPSE farm and a single “front door” URL that the OneDrive sync app uses to authenticate and discover the user’s personal OneDrive (My Site) and other SharePoint libraries.
• When multiple web applications are used, ensure that:
  • They are all part of the same SPSE farm.
  • They are reachable via HTTPS and correctly configured for OIDC.
  • The front door URL used in the OneDrive GPO/registry can route/authenticate to both My Sites and Team Sites (for example, via Alternate Access Mappings and DNS), or that the additional host(s) are correctly represented in the Entra app registration and SharePoint OIDC configuration.

5. Practical troubleshooting steps for the “infinite loading” when clicking Sync

• Confirm that the Team Sites web app is using HTTPS and has a valid certificate assigned via Set-SPWebApplication.
• Confirm that the Team Sites URL is included in the Entra app registration’s redirect URIs (or covered by a wildcard) and that OIDC is enabled for that web app in SPSE.
• Confirm that the OneDrive sync app’s SharePointOnPremFrontDoorUrl points to a URL that can authenticate the user via OIDC and reach both My Sites and Team Sites.
• Test sync from a library on the Team Sites web app after these checks; if My Sites works but Team Sites does not, the gap is usually either:
  • Missing HTTPS/certificate on the Team Sites web app, or
  • Missing/mismatched redirect URI or OIDC configuration for that web app in Entra or SharePoint.

If these items are aligned (HTTPS + certificate per web app, correct OIDC/redirect URIs for all hosts, and OneDrive front door URL configured to the correct SPSE entry point), OneDrive sync should work for both My Sites and other site collections across multiple web applications in SPSE.

---

References:

• Set up OIDC authentication in SharePoint Server with Microsoft Entra ID
• Configure syncing with the new OneDrive sync app
• Troubleshoot infinite redirection between OIDC app and Entra ID