I'm struggling as a sysadmin trying to find a way to block a group of users from accessing their personal OneDrive accounts while still allowing access to shared SharePoint sites, like our Intranet. The problem is that every resource I find seems out of date or refers to a different UI than what I see in my Azure tenant. These users all have E3 licenses. In the SharePoint admin center, it feels like I don't have any control options for OneDrive. I tried managing permissions through the user profiles section, but I keep getting permission errors. Do I need to upgrade to a SharePoint advanced management license just to gain control over this?
I removed the SharePoint Online license from the users, but they still seem to have access to OneDrive through their browsers. I also attempted a conditional access policy, but that ended up blocking access to shared sites as well. I've got an on-prem group policy that limits OneDrive access from File Explorer, but users can still save to OneDrive directly through Office apps. Any tips or solutions to tackle this would be greatly appreciated!
3 Answers
If you're looking to completely block access to personal OneDrive accounts, the most foolproof method might be blocking it at the network level. The URL for accessing personal OneDrive is onedrive.live.com, so you could consider blocking that to prevent all types of access, both via browsers and clients.
Another approach is to block the specific URLs associated with personal OneDrive accounts at the device level. Just a heads up, M365 is not the same thing as Azure—so double-check you're using the right tools and settings for what you need!
You might want to look into Intune as a solution. You can set a configuration policy to prevent users from syncing their personal OneDrive accounts. This can help with stopping the sync on their devices. Alternatively, you can set a registry key under HKCUsoftwarepoliciesMicrosoftOneDrive, if you're managing those systems directly.
But keep in mind that blocking syncing isn't the whole solution since they can still access OneDrive via the web, which is what you're trying to prevent.