There have recently been some really great updates to OneDrive for Business in the Office 365 stack from an IT administrator's/manager's point of view.

One of the main ones is that you can now restrict OneDrive sync to domain-joined machines only. This is a great update because it can stop users from syncing files to a home PC, for example, which in most organisations will be against IT security policy. It makes it more likely that OneDrive for Business is used in line with organisational security policies.

The way this works is that, when the option is enabled, you associate your local domain’s GUID with a SharePoint Online setting known as ‘SpoTenantSyncClientRestriction’. Any machine with the OneDrive for Business client installed then needs to identify itself by the GUID of the domain it is a member of. If that machine isn’t a member of a matching domain, the request will be denied when the end user attempts to synchronise their OneDrive for Business Library with the desktop app.

So if you want to set this, there is a simple SharePoint Online PowerShell CMDLET to run. You’ll need to know your local domain’s GUID and also have SharePoint Online CMDLETS installed.

To find out your domain’s GUID:

The below command should be executed on your domain’s corresponding Domain Controller in a standard Windows PowerShell session (you do not require SharePoint Online CMDLETS to be installed on the local host for this).

$domain = (Get-ADForest).Domains; foreach($d in $domain) {Get-ADDomain -Identity $d | Select ObjectGuid}

To enable sync restriction to your domain only:

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "<your domain GUID>"

Once this command has been executed, it should return confirmation that the ‘TenantRestrictionEnabled’ is true.

Once sync restriction is enabled, if an end user attempts to synchronise their OneDrive for Business Library on a non-domain-joined machine, they receive the error “We couldn’t sync this library. This library isn’t available offline”.
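
The steps above combined into one script, as an added example (not part of the original post): it collects the GUID of every domain in the forest, enables the restriction, then reads the setting back to confirm it. It assumes the ActiveDirectory and SharePoint Online Management Shell modules are both available on the machine you run it from, and $AdminUrl is a placeholder you must replace.

```powershell
# Added example, not the post's own code.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$AdminUrl = 'https://<your-tenant>-admin.sharepoint.com'   # placeholder, replace before running
if ($AdminUrl -match '[<>]') { throw 'Set $AdminUrl to your SharePoint Online admin URL first.' }

# ObjectGUID of every domain in the forest, so machines joined to a
# child domain are not locked out by listing only one GUID.
$guids = @(foreach ($d in (Get-ADForest).Domains) {
    (Get-ADDomain -Identity $d).ObjectGUID.ToString()
})
if ($guids.Count -eq 0) {
    throw 'No domain GUIDs returned; refusing to enable the restriction.'
}

# -DomainGuids takes one string; multiple GUIDs are separated by semicolons.
$guidList = ($guids | Sort-Object -Unique) -join ';'

Connect-SPOService -Url $AdminUrl

# Record the current state so the change can be evidenced afterwards.
$before = Get-SPOTenantSyncClientRestriction
Write-Host "Before: TenantRestrictionEnabled = $($before.TenantRestrictionEnabled)"

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $guidList | Out-Null

# Read the setting back rather than trusting the command's own output.
$after   = Get-SPOTenantSyncClientRestriction
$allowed = @($after.AllowedDomainList | ForEach-Object { "$_".ToLower() })
$missing = @($guids | Where-Object { $allowed -notcontains $_.ToLower() })

if (-not $after.TenantRestrictionEnabled) {
    throw 'TenantRestrictionEnabled is still False after the change.'
}
if ($missing.Count -gt 0) {
    throw "Domain GUIDs missing from AllowedDomainList: $($missing -join ', ')"
}
Write-Host "Sync restricted to $($guids.Count) domain(s): $guidList"
```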

One of the other main updates is that you now have the ability to disable the ‘everyone’ groups within the OneDrive for Business/SharePoint people picker, as well as to disable the creation of the ‘Shared with everyone’ folder in OneDrive. Again, this will help administrators to restrict accidental disclosure of data to a wide audience.

This can be achieved by running the following command, again within SharePoint Online CMDLETS:

Set-SPOTenant -ShowEveryoneClaim $false

Please note that this will disable the everyone group within the entire SharePoint Online stack, as well as OneDrive for Business Libraries.

Since the recent release of updates to OneDrive for Business, the ‘Shared with Everyone’ folder is no longer automatically created for new users/tenants. But of course, this can be re-enabled if the administrator wishes.

You can download the SharePoint Online CMDLETS for PowerShell from:
