Revise your OneDrive (Sync) restrictions when shifting to a Modern Workplace!

OneDrive client is unable to sync your folders.

What is a modern workplace these days without your personal or group data synced to OneDrive, taking full advantage of what Microsoft's cloud storage has to offer? One of the most requested features is silently configuring the OneDrive client to automatically synchronize your (personal) data.

Silent configuration

Over time the silent configuration of OneDrive for Business has improved. In the early days we had to rely on semi-automatic methods: registry keys and scripts by Per Larsen, old-school group policies, or custom OMA-URI policies to do the magic. Nowadays OneDrive can easily be configured using Administrative Templates (31 settings) via Microsoft Intune (almost the same as a GPO, but wrapped in a modern UI called Microsoft Intune 😉).

SETTING NAME                                                                  STATE    SETTING TYPE  PATH
Prevent users from redirecting their Windows known folders to their PC        Enabled  Device        \OneDrive
Silently move Windows known folders to OneDrive                               Enabled  Device        \OneDrive
Silently sign in users to the OneDrive sync client with their Windows cred..  Enabled  Device        \OneDrive
OneDrive for Business client configuration using Microsoft Intune Administrative Templates.

Modern Workplace

Last week I was preparing a modern workplace demo, fully automated and managed from the cloud. This puts Windows Autopilot on the menu, including automatic enrollment & management, encryption, policies, software deployment and silent configuration of the OneDrive for Business client.

Challenge

But what if silent configuration isn't working as expected? Where the traditional and the modern workplace come together, you can end up in a situation where they do not fit. This is the case when you restrict OneDrive syncing to managed computers that are joined to specific (Active Directory) domains.

It's a no-brainer to opt in for automatic (silent) configuration of the OneDrive for Business client. But in this case the OneDrive for Business client configuration was far from silent, if you ask me! We ran into a challenge where the OneDrive for Business client wouldn't be configured silently. Even when we tried to configure OneDrive sync manually we didn't succeed and ran into the following error: "Sorry, OneDrive can't add your folder right now". So I reached out and contacted support 😉

OneDrive is restricted from syncing to only specified AD domains only.

Root cause

After some research I came across a blog post by Chen Tian Ge, who used Fiddler to troubleshoot a similar scenario. After installing Fiddler myself, it was clear what caused the problem: I had the undisputed proof. The failure was caused by the customer having implemented OneDrive sync client restrictions based on (AD) domain GUIDs. The modern workplace of course did not meet the domain GUID requirement, because the device is Azure AD joined rather than joined to an AD domain.

Reproducing the root cause using sync restrictions based on (AD) domain GUID’s.

Restrict OneDrive syncing to specific domains

This feature works fine for computers which are joined to an Active Directory (AD) domain, but causes challenges when shifting to a modern workplace joined to Azure Active Directory (Azure AD).
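To see both halves of this problem on a device, here is an added PowerShell diagnostic (my own example, not code from the original post or from Microsoft): it confirms that the silent-configuration settings from the Intune Administrative Templates above arrived, reports whether the device is AD joined or Azure AD joined, and compares the AD domain GUID (if any) with the tenant's allowed list. It assumes Windows 10 with PowerShell 5.1 run elevated; $AllowedDomainGuids is a placeholder you fill from the AllowedDomainList of Get-SPOTenantSyncClientRestriction, and the registry value names are the ADMX-backed OneDrive policy values.

```powershell
# Added example, not from the original post. Diagnoses why a device cannot sync when
# "Allow syncing only on PCs joined to specific domains" is enabled in the tenant.
# Assumptions: Windows 10, PowerShell 5.1, run elevated; $AllowedDomainGuids is a
# placeholder for the tenant's list (Get-SPOTenantSyncClientRestriction, AllowedDomainList).
param(
    [string[]]$AllowedDomainGuids = @('00000000-0000-0000-0000-000000000000')  # placeholder
)

# 1. Did the Intune Administrative Template settings arrive? ADMX-backed OneDrive
#    policies are written under HKLM\SOFTWARE\Policies\Microsoft\OneDrive.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$policy = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }
$silentSignIn = ($null -ne $policy) -and ($policy.SilentAccountConfig -eq 1)                     # silent sign-in
$silentKfm    = ($null -ne $policy) -and (-not [string]::IsNullOrEmpty($policy.KFMSilentOptIn))  # tenant ID set

# 2. Join state as the OS reports it (dsregcmd ships with Windows 10).
$dsreg         = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')

# 3. Only an AD joined (or hybrid joined) device has a domain objectGUID to compare.
#    Read it via ADSI so no RSAT module is required.
$domainGuid = $null
if ($domainJoined) {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainObj  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $domainGuid = [guid]::new([byte[]]$domainObj.objectGUID.Value)
}

# 4. Azure AD joined only: $domainGuid stays $null, so the restriction can never match
#    and the client reports "Sorry, OneDrive can't add your folder right now".
[pscustomobject]@{
    SilentSignInPolicy     = $silentSignIn
    SilentKfmPolicy        = $silentKfm
    AzureAdJoined          = $azureAdJoined
    DomainJoined           = $domainJoined
    DomainGuid             = $domainGuid
    MatchesSyncRestriction = ($null -ne $domainGuid) -and ($AllowedDomainGuids -contains "$domainGuid")
}
```

A device that shows SilentSignInPolicy and SilentKfmPolicy as True but MatchesSyncRestriction as False is exactly the case described in this post: the policies are correct, the tenant restriction is what blocks the sync.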

Screenshot: OneDrive admin center, Sync tab (alongside Home, Sharing, Storage, Device access, Compliance, Notifications and Data migration). "Use these settings to control syncing of files in OneDrive and SharePoint": Show the Sync button on the OneDrive website; Allow syncing only on PCs joined to specific domains (enter each domain as a GUID on a new line, with one domain GUID filled in); Block sync on Mac OS; Block syncing of specific file types.
Restrict OneDrive from syncing to specific (AD) domains.

Conditional Access

The underlying reason for implementing these controls is to make sure companies remain in control of where their corporate data goes, and to prevent it from ending up on unmanaged or non-compliant devices. "Allow syncing only on PCs joined to specific domains" works for AD joined devices but doesn't fit a (native) modern workplace that is Azure AD joined.

Screenshot: a new Azure AD Conditional Access policy (Name; Assignments: Users and groups: All users; Cloud apps or actions: 1 app included; Conditions: 4 conditions selected; Access controls: Grant: 3 controls selected; Session: 0 controls selected; Enable policy). Under "Cloud apps or actions", "Select apps" is chosen with "Office 365 SharePoint Online" included; the portal notes that selecting SharePoint Online will also affect apps such as Microsoft Teams, Planner, Delve, MyAnalytics, and Newsfeed.
Azure AD Conditional Access provides tailored controls to address your corporate needs.

Azure AD Conditional Access control capabilities in Azure AD offer simple ways for you to secure resources in the cloud. The OneDrive for Business client works with the Conditional Access control policies to ensure syncing is only done with managed and/or compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by Microsoft Intune.

Alongside Conditional Access, Microsoft Cloud App Security (MCAS) can be used to implement complementary data leak prevention (DLP) policies to make sure you stay in control no matter where your corporate data goes. 

Get out of the old, get in with the new

Shifting from a traditional to a modern workplace isn't just a matter of migrating what you have; it is a real transformation. Controls that worked well for many years in a traditional environment are often superseded by modern solutions that work better and meet the revised needs and standards of a modern workplace.

Happy & safe syncing!

Available now: Enterprise Mobility + Security E5 IUR for Microsoft Partners

Today I was happily surprised by the announcement that, as of today, Microsoft Enterprise Mobility + Security E5 licenses are available through Internal Use Rights (IUR). This is great news for Silver or Gold EMM competency partners: Microsoft Partners can now adopt the latest security features in their own organization too. "Practice what you preach"

Enterprise Mobility + Security E5 IUR

One of the main benefits of the Microsoft Partner program is the IUR, which allow you to use Microsoft products in your own organization for free, based on your partner competency level. This applies to traditional software, software keys and Microsoft Online Services.

With IUR, Microsoft Partners are able to increase productivity, business value, and savings through their internal-use rights (IUR) benefits. Enterprise Mobility + Security E3 had been available for quite a long time, but E5 was missing, even though we as partners have an important role in enabling our customers with the latest Microsoft technology.

More information regarding Internal Use Rights can be found here.

New features like Azure AD Identity Protection & Azure AD Privileged Identity Management form important (security) components of the more than ever emerging Enterprise Mobility + Security E5 proposition.

Click here to unlock your IUR benefits today!

ps. special thanks for those who make this possible ;-)

One license solution rule them all: Azure AD Group Based Licensing!

A long-awaited feature became available this week in the new Azure portal: Azure AD Group Based Licensing. With this we have a one-stop shop to assign licenses on a per-user or per-group basis.

Azure AD Group Based Licensing was already available in the classic Azure portal, however it was limited to Azure AD Premium, Azure Rights Management, Microsoft Intune and Enterprise Mobility + Security licenses. For other licenses like Office 365 we were relegated to the Office 365 Admin portal or custom (automated) solutions such as PowerShell or the Graph API. Continue reading "One license solution rule them all: Azure AD Group Based Licensing!"

Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access

Recently Microsoft announced Microsoft Teams, a new chat-based platform in Office 365. For all mobile platforms (Android, iOS and Windows 10 Mobile) Microsoft released a native app, as well as a desktop app for Windows 10 and Mac OS X. The Microsoft Teams apps can be downloaded here. After I installed the Microsoft Teams desktop app on Windows 10 I bumped into the following funny message: 'Yikes! Looks like someone pulled the plug on the internet'.

Continue reading “Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access”

Windows Information Protection…notes from the field! #MSIgnite

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps organizations to protect corporate data against potential data leakage.

The concept is fairly simple and is actually based on defining two lists:

  • A corporate boundary list, which represents both on-premise & cloud network locations where managed apps can access corporate data;
  • A list of managed (trusted) apps, which are allowed to open, modify & store corporate data within the corporate boundary list.

In this blog we will look at some practical examples which you have to consider for a successful implementation of Windows Information Protection including a top 4 of recommended practices.

Continue reading "Windows Information Protection…notes from the field! #MSIgnite"

The Enterprise Mobility Suite Portal Survival Guide

I'm more than happy to be your tour guide for today and walk you through the various portals that the Microsoft Enterprise Mobility Suite (EMS) houses. For those who are involved with EMS, this might be a handy overview of all currently available portals. I often hear that it is not always clear which portal you need and where you can find it. In this blog I'll do my best to cover all the portals, including their purpose.

Continue reading “The Enterprise Mobility Suite Portal Survival Guide”

How Azure AD Premium & Office 365 improves Collaboration

So you've always wondered what it takes to improve both collaboration and business processes in your organization, resulting in employees being more productive? Do I have your attention? Read on!

With Microsoft Azure and Office 365, Microsoft offers you a (cloud) platform with a huge potential to optimize and boost your business. In this blog I’ll illustrate this with a simple example of how you can use these cloud services to improve collaboration within your organization.

Coming together is a beginning; keeping together is a progress; working together is a success.

Continue reading “How Azure AD Premium & Office 365 improves Collaboration”