As you may know, you can synchronize your content store in SharePoint or SharePoint Online to your local client to keep it available while offline (thanks to the OneDrive for Business client).

With SharePoint Online, you can now restrict this feature to only domain joined client; this will help you to ensure sensitive data is not stored on non managed client.

To do so:

Get the Active Directory Domain GUID

  • First you need to gather the domain GUID for which you want to allow the synchronization feature
    • This GUID is the one for your Active Directory domain(s)
    • If you know you have multiple AD domain, you must first run the following PowerShell command to get all domains (Get-ADForest).Domains
    • Then you have to run the following command to get the GUID for each domain $domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -Identity $d | Select ObjectGuid}

image

Restrict synchronization for selected domain

  • Once you have the AD GUID, you can then restrict synchronization from SharePoint Online to only this/these domain(s) – off course if you have multiple domains you can also define some of them only
  • To set the restriction you must have SharePoint Online Management Shell – available from https://www.microsoft.com/en-us/download/details.aspx?id=35588 – and execute the following command Set-SPOTenantSyncClientRestriction
    • Connect to your SharePoint Online tenant with

      $cred = Get-Credential (save your SharePoint Online Admin credential in the $cred variable)

      Connect-SPOService -Url https://<your Office 365 tenant name>-admin.sharepoint.com -credential $cred (connect to your SharePoint Online tenant with your saved credentials)

    • Set-SPOTenantSyncClient -Enable -DomainGuids "<replace with your AD GUID – multiple GUID must be separate by a comma>"

image

Check the existing restriction

If you are not sure if there is any client synch restriction, or need to check which domain(s) is allowed (you will only get the GUID), you need to run the following command

Get-SPOTenantSyncClientRestriction

image

Remove the restriction

To remove the overall restriction, run the following command and the TenantRestrictionEnabled must then be set to FALSE

Remove-SPOTenantSyncClientRestriction

image

Good to Know

Additional things to know:

  • It may take up to 24 hours to be applied
  • All synchronization request from a client which is not member of the domain list (GUID) will be blocked
  • All synchronization request from Mac will be blocked – this is obvious as a Mac is not domain joined but it is always good to recall this point
  • Mobile device synchronization is not blocked – if you want to restrict mobile device to sync, you need to use Office 365 MDM or Intune
  • If you already have a synchronization in place from a device which is not domain joined, this will be maintained BUT no more synchronization will occur – however if you add a new files from this client, the files will be uploaded. This means the existing synchronization will ONLY upload new/updated files
  • You need to ensure everyone is using at least the version 15.0.4693.1000 of OneDrive for Business – any version prior to this one will be stop working