OneDrive client is unable to sync your folders.

What is a modern workplace these days without having your personal or group data synced to OneDrive and taking full advantage of what Microsoft’s cloud storage has to offer? One of the most requested features is silently configuring the OneDrive client to automatically synchronize your (personal) data.

Silent configuration

Over time the silent configuration of OneDrive for Business has improved. In the early days we were limited to semi-automatic methods: registry keys and scripts by Per Larsen, old-school Group Policies, or custom OMA-URI policies to do the magic. Nowadays OneDrive can easily be configured using Administrative Templates (31 settings) via Microsoft Intune (almost the same as GPO, but wrapped in a modern UI called Microsoft Intune 😉).

[Screenshot: Intune Administrative Templates, three OneDrive settings at Device scope, all Enabled: “Prevent users from redirecting their Windows known folders to their PC”, “Silently move Windows known folders to OneDrive”, “Silently sign in users to the OneDrive sync client with their Windows credentials”. Caption: OneDrive for Business client configuration using Microsoft Intune Administrative Templates.]
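When the Intune Administrative Template settings above are assigned, they arrive on the device as machine policy registry values, which is the first thing to check when “silent” configuration stays silent in the wrong way. The following script is an added example and not part of the original post; it maps the three setting names from the screenshot to the OneDrive policy value names they write (SilentAccountConfig, KFMSilentOptIn, KFMBlockOptOut) and reports whether each one landed. The tenant ID is a placeholder you must replace with your own.

```powershell
# Added example (not from the original post): verify that the three OneDrive
# Administrative Template settings from the screenshot reached the device as
# policy registry values. The value names are the OneDrive policy names behind
# those settings; the tenant ID below is a constructed placeholder.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID

function Get-OneDrivePolicyState {
    param([string]$TenantId = $ExpectedTenantId)

    # ADMX-backed Intune settings are written under the machine policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $values = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Intune setting name -> registry value it sets and the value we expect.
    $checks = [ordered]@{
        'Silently sign in users to the OneDrive sync client with their Windows credentials' =
            @{ Name = 'SilentAccountConfig'; Expected = 1 }
        'Silently move Windows known folders to OneDrive' =
            @{ Name = 'KFMSilentOptIn'; Expected = $TenantId }   # value is the tenant ID
        'Prevent users from redirecting their Windows known folders to their PC' =
            @{ Name = 'KFMBlockOptOut'; Expected = 1 }
    }

    foreach ($setting in $checks.Keys) {
        $name   = $checks[$setting].Name
        $actual = if ($values) { $values.$name } else { $null }
        [pscustomobject]@{
            Setting = $setting
            Value   = $name
            Actual  = $actual
            # Compare as strings so a DWORD 1 and a GUID string are handled alike.
            Applied = ($null -ne $actual -and "$actual" -eq "$($checks[$setting].Expected)")
        }
    }
}

# Usage: run in an elevated PowerShell on the enrolled device.
Get-OneDrivePolicyState | Format-Table -AutoSize
```

If every row shows Applied = True and the client still does not sign in, the policy delivery is fine and the cause lies elsewhere, for example in tenant-side sync restrictions as described further down.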

Modern Workplace

Last week I was preparing a modern workplace demo, fully automated and managed from the cloud. That puts Windows Autopilot on the menu, including automatic enrollment & management, encryption, policies, software deployment and… silent configuration of the OneDrive for Business client.

Challenge

But what if silent configuration isn’t working as expected? This becomes challenging where the traditional and the modern workplace come together; you can end up in a situation where they simply do not fit. That is the case when you restrict OneDrive sync on managed computers to those joined to one or more specific (Active Directory) domains.

It’s a no-brainer to opt in to automatically (silently) configuring the OneDrive for Business client. But in this case the OneDrive for Business client configuration was far from silent, if you ask me! We ran into a situation where the OneDrive for Business client would not be configured silently. Even when we tried to configure OneDrive sync manually we didn’t succeed, and ran into the following error: “Sorry, OneDrive can’t add your folder right now”. So I reached out and contacted support 😉

OneDrive is restricted to syncing only on computers joined to the specified AD domains.

Root cause

After some research I came across a blog post by Chen Tian Ge, who used Fiddler to track down a similar scenario. After installing Fiddler myself, it was clear what caused the problem; I had found the undisputed proof. The reason for the failure is that the customer had implemented OneDrive sync client restrictions based on (AD) domain GUIDs. The modern workplace device, of course, did not meet the domain GUID requirement, because it is joined to Azure AD rather than to an AD domain.

Reproducing the root cause using sync restrictions based on (AD) domain GUIDs.

Restrict OneDrive syncing to specific domains

This feature works fine for computers joined to an Active Directory (AD) domain, but causes problems when shifting to a modern workplace joined to Azure Active Directory (Azure AD).
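The restriction can be reproduced without Fiddler by comparing what the device can present (an AD domain GUID, or none at all when it is only Azure AD joined) with the tenant’s allowed-domain list. The script below is an added example, not the post’s own method: the client-side part reads the join state from dsregcmd and the domain objectGUID via ADSI, and the admin-side part assumes the Microsoft.Online.SharePoint.PowerShell module and an existing Connect-SPOService session; the admin URL is a placeholder.

```powershell
# Added example (not from the original post): reproduce the root cause locally.
# Part 1 runs on the client; Part 2 runs as a SharePoint admin with the
# Microsoft.Online.SharePoint.PowerShell module (assumed installed).

function Get-DeviceJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES/NO" and "DomainJoined : YES/NO".
    $status        = dsregcmd /status
    $azureAdJoined = $null -ne ($status | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined  = $null -ne ($status | Select-String 'DomainJoined\s*:\s*YES')

    $domainGuid = $null
    if ($domainJoined) {
        try {
            # The AD domain's objectGUID is the GUID that the
            # "Allow syncing only on PCs joined to specific domains" list expects.
            $rootDse    = [ADSI]'LDAP://RootDSE'
            $domain     = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
            $domainGuid = [guid]::new([byte[]]$domain.objectGUID.Value)
        } catch {
            Write-Warning "Domain joined, but no domain controller reachable: $_"
        }
    }

    [pscustomobject]@{
        AzureAdJoined = $azureAdJoined   # native Azure AD join has no AD domain GUID
        DomainJoined  = $domainJoined
        DomainGuid    = $domainGuid
    }
}

function Test-SyncRestriction {
    param(
        [Parameter(Mandatory)] $JoinState,    # output of Get-DeviceJoinState
        [Parameter(Mandatory)] $Restriction   # output of Get-SPOTenantSyncClientRestriction
    )
    if (-not $Restriction.TenantRestrictionEnabled) {
        return 'No domain restriction configured: sync allowed.'
    }
    if (-not $JoinState.DomainGuid) {
        # The failure mode from the post: an Azure AD joined device cannot match any AD domain GUID.
        return 'Device has no AD domain GUID (Azure AD joined only): sync is blocked by the domain restriction.'
    }
    if ($Restriction.AllowedDomainList -contains $JoinState.DomainGuid) {
        return 'AD domain GUID is on the allowed list: sync allowed.'
    }
    'AD domain GUID is not on the allowed list: sync is blocked.'
}

# Usage (admin side):
# Connect-SPOService -Url https://<tenant>-admin.sharepoint.com   # placeholder admin URL
# $restriction = Get-SPOTenantSyncClientRestriction
# Test-SyncRestriction -JoinState (Get-DeviceJoinState) -Restriction $restriction
```

An Azure AD joined Autopilot device returns AzureAdJoined = True, DomainJoined = False and an empty DomainGuid, so the second branch fires: that is exactly the “Sorry, OneDrive can’t add your folder right now” situation, reproduced from the configuration rather than from a captured request.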

[Screenshot: SharePoint admin center, OneDrive > Sync settings: “Allow syncing only on PCs joined to specific domains” enabled, with each domain entered as a GUID on a new line; nearby options “Block sync on Mac OS” and “Block syncing of specific file types”. Caption: Restrict OneDrive from syncing to specific (AD) domains.]

Conditional Access

The underlying reason for implementing these controls is to make sure companies remain in control of where their corporate data goes, and ultimately to prevent it from ending up on unmanaged or non-compliant devices. “Allow syncing only on PCs joined to specific domains” works for AD joined devices, but doesn’t fit a (native) modern workplace that is Azure AD joined.

[Screenshot: Azure AD Conditional Access policy blade with users, cloud apps, conditions, grant and session controls; under Cloud apps, “Office 365 SharePoint Online” is selected, with the note that selecting SharePoint Online also affects apps such as Microsoft Teams, Planner, Delve, MyAnalytics and Newsfeed. Caption: Azure AD Conditional Access provides tailored controls to address your corporate needs.]

Azure AD Conditional Access offers simple ways to secure resources in the cloud. The OneDrive for Business client honours Conditional Access policies, so syncing can be limited to managed and/or compliant devices. For example, you might require sync to be available only on domain-joined devices or on devices that meet compliance as defined by Microsoft Intune.
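The device-trust requirement described above, expressed as a Conditional Access policy, is the modern replacement for the AD domain GUID list. The script below is an added example and not the post’s own configuration; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and a Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess scope. The policy targets the first-party Office 365 SharePoint Online application (which, as the screenshot notes, also covers OneDrive sync and Teams) and grants access only from Intune-compliant or hybrid Azure AD joined devices. It is created in report-only mode so the impact can be reviewed in the sign-in logs before enforcing.

```powershell
# Added example (not from the original post): create the Conditional Access
# policy that replaces the AD domain GUID sync restriction, using the
# Microsoft Graph PowerShell SDK (assumed installed and connected).
$SharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'   # first-party Office 365 SharePoint Online app ID

function New-OneDriveDeviceTrustPolicy {
    param(
        [string]$DisplayName  = 'Require compliant or hybrid joined device for SharePoint Online',
        [string[]]$ExcludeUsers = @()   # break-glass account object IDs; constructed placeholder list
    )

    $body = @{
        displayName = $DisplayName
        # Report-only first: evaluate in sign-in logs, switch to 'enabled' once verified.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $ExcludeUsers }
            applications   = @{ includeApplications = @($SharePointOnlineAppId) }
            clientAppTypes = @('all')   # covers the sync client as well as browser access
        }
        grantControls = @{
            # OR: either an Intune-compliant device or a hybrid Azure AD joined device satisfies the policy.
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage:
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
# New-OneDriveDeviceTrustPolicy -ExcludeUsers @('<break-glass-object-id>')
```

Unlike the GUID list, this policy evaluates the device’s Azure AD registration and compliance state, so a native Azure AD joined Autopilot device that is Intune-compliant passes, while an unmanaged device is blocked regardless of which on-premises domain it belongs to.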

Alongside Conditional Access, Microsoft Cloud App Security (MCAS) can be used to implement complementary data leak prevention (DLP) policies to make sure you stay in control no matter where your corporate data goes.

Get out of the old, get in with the new

Shifting from a traditional to a modern workplace isn’t just a matter of migrating what you have; it is a real transformation. Controls that worked well for many years in a traditional environment are often superseded by modern solutions that work better and meet the revised needs and standards of a modern workplace.

Ronny works as principal consultant for InSpark, the #1 Dutch Microsoft Partner specialized in Datacenter & Apps, Modern Workplace, Data/AI, Security & Managed Services. As principal consultant Ronny is a member of the Technology Board, which is responsible for technology innovation, strategy & vision of InSpark. Ronny’s primary focus is on Microsoft 365 (Identity, Modern Workplace, Security & Threat Protection). He’s responsible for a great team of highly skilled consultants helping customers to accelerate through innovation. In his role as Microsoft Most Valuable Professional (MVP) he works closely with various Microsoft product groups to provide (customer) feedback and product improvements and, most important, contributes to the community by sharing knowledge & experience. His presence at various international (community) events like Tech Summit, Expertslive Europe, TechDays & various user group meetings is dedicated to meeting people & again sharing knowledge.
