Tuesday, December 7, 2021

OneDrive client sign-in issues due to Conditional Access policies in Azure AD tenant where you are a guest user


Kenneth van Surksum, https://www.vansurksum.com/
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technology on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects; besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center related classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment, which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

Today I ran into an interesting issue, and I thought it was worth sharing how I figured out what was going on.

The issue/challenge

The issue I encountered was that I could no longer sign in to the OneDrive client. When you are not able to sign in, you cannot open cloud-hosted documents, for example, and of course changes to files are no longer synchronized.

Onedrive Sync Client cannot sign-in

So in order to troubleshoot the issue, I started digging into the Azure AD sign-in logs, where I found the following interesting entry.

Azure AD sign-in logging

The first thing I noticed is that the User Type property was set to Guest, while normally it states “Member”. It kept me wondering why my account was a Guest user and then it all became clear.

For a project I was working on at another customer, the customer asked me for my IP address so that they could allow that IP address to access the Teams environment being created. I had set up a sync of one of their SharePoint folders within my OneDrive client. Everything was working fine until I went to the office and got another IP address, which broke the ability of the OneDrive client to sign in.

So, what was going on?

The customer had defined a Conditional Access policy which requires either a compliant device or a trusted location before access to SharePoint Online is granted. Because the policy is evaluated for my guest account as well, my own OneDrive sync client could not sign in and was therefore unusable, until either my customer changes something in their Conditional Access policy or I remove the sync of the SharePoint Online library hosted in my customer's tenant. I can only do the latter when I'm back in the home office, where my IP address is whitelisted.
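To spot this kind of guest lockout in the Azure AD sign-in logs without clicking through entries one by one, a small script over an exported sign-in log helps. This is an added example, not code from the original post; it assumes the exported JSON follows the Microsoft Graph signIn resource shape (userType, conditionalAccessStatus, appliedConditionalAccessPolicies), and the user names, IP addresses and policy name in the sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of three sign-in log entries (Graph signIn shape). Names,
# IPs and the policy name are made up; 53003 is the "blocked by Conditional
# Access" error code. Guest UPNs carry the usual user_domain#EXT# form.
POLICY = "Require compliant device or trusted location for SPO"
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "kenneth_example.com#EXT#@customer.onmicrosoft.com",
     "userType": "Guest", "appDisplayName": "OneDrive SyncEngine",
     "resourceDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 53003},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "failure"}]},
    {"userPrincipalName": "kenneth_example.com#EXT#@customer.onmicrosoft.com",
     "userType": "Guest", "appDisplayName": "OneDrive SyncEngine",
     "resourceDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "success"}]},
    {"userPrincipalName": "alice@customer.onmicrosoft.com",
     "userType": "Member", "appDisplayName": "OneDrive SyncEngine",
     "resourceDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 53003},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "failure"}]},
])


def guest_ca_blocks(signins_json):
    """Map each Conditional Access policy name to the (UPN, IP) pairs of guest
    sign-ins it blocked. Member sign-ins and successful guest sign-ins are skipped,
    so the output shows exactly which policy is locking external users out."""
    blocked = defaultdict(list)
    for entry in json.loads(signins_json):
        if entry.get("userType") != "Guest":
            continue
        if entry.get("conditionalAccessStatus") != "failure":
            continue
        for policy in entry.get("appliedConditionalAccessPolicies", []):
            if policy.get("result") == "failure":
                blocked[policy["displayName"]].append(
                    (entry["userPrincipalName"], entry["ipAddress"]))
    return dict(blocked)


if __name__ == "__main__":
    for policy, hits in guest_ca_blocks(SAMPLE_SIGNINS).items():
        print(policy)
        for upn, ip in hits:
            print(f"  {upn} from {ip}")
```

The second sample entry shows the same guest succeeding from the whitelisted address, which is the pattern that points at a location-based exclusion rather than a broken account.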

Lessons learned

When creating a Conditional Access policy, it can have an unexpected impact even on Guest users. And in my opinion, using IP address exclusions in a Conditional Access policy is asking for issues sooner or later. Go for Zero Trust always.
