Alexander's Blog

Allow Syncing Only on PCs Joined to Specific Domains in Office 365

By
- On April 14, 2018
Microsoft Office 365 has a nice security feature as a syncing option in Office 365 OneDrive admin center called "Allow Syncing Only on PCs Joined to Specific Domains." This feature can be configured by the Office 365 Global Administrator. You will find this option listed in OneDrive admin center under the Sync category. It restricts the syncing of OneDrive content to only domain-joined PCs to enhance security. Here's how you can configure this feature.
  1. Logon to Office 365 as a Global Administrator at https://portal.office.com.
  2. Go to the Admin centers and then click OneDrive.
  3. From the Home screen in OneDrive admin center click Sync.
  4. You will see the following three options: a) Show the Sync button on the OneDrive website b) Allow syncing only on PCs joined to specific domains c) Block syncing of specific file types
  5. The first option is selected by default. Select the second option Allow syncing only on PCs joined to specific domains. This option can restrict syncing of OneDrive data only to computers that have joined your domain.
  6. Click Edit domains and specify which domains should be allowed syncing of content. Clients who have joined any domains that are not listed here will be prevented from syncing OneDrive data. This seems pretty straight forward, but there is something you should know about this feature. When you click Edit domains, you will see the following box. This step can be tricky if you don't know what you need to do here. Because you are working in Office 365, obviously you are going to enter the domain Globally Unique Identifier (GUID) for your Office 365 domain. Right? Not exactly! You are supposed to enter the domain GUID for your on-premises Active Directory domain here. I know it's confusing because there is nothing in the instructions you will find that gives you the impression that this feature only works with on-premises Active Directory. NOTE: A GUID is a 128-bit number used to uniquely identify each object in Active Directory. Unlike a Security Identifier (SID), which can potentially change , a GUID never changes and is unique not just across the enterprise, but according to Microsoft it's unique across the world.
  7. Run the Get-ADDomain on your Domain Controller or a member server to get the domain GUID. Look for the ObjectGUID entry in the results. You can also run Get-ADDomain on your domain-joined workstation if you have the Active Directory PowerShell Module installed, but it's much easier to get the domain GUID from your server.
  8. You can add the GUID for additional Active Directory on-premises domains, if necessary. Just remember to press the Enter key after each entry. Once you add the GUID and close the Edit domains box, you will see your domain GUID(s) added.
  9. Click Save to keep your changes.
  10. It can take at least an hour before the configuration takes effect and the feature will work.
It's unfortunate that this feature only works with on-premises Active Directory. There are many small businesses around the world that don't have an on-premises Active Directory domain and would therefore be unable to take advantage of this feature. It would be nice if Microsoft adds the words on-premises or local domain somewhere in the Edit box. For example, updating the instructions and adding the words in bold would be helpful in avoiding confusion:
This feature works with on-premises Active Directory domains. Enter each on-premises domain as a GUID on a new line. Use the PowerShell command Get-ADDomain on your domain server to get the domain GUID.
This Microsoft article contains a link on how to find the domain GUID, but the information applies to a local on-premises Active Directory. Organizations that don't have on-premises Active Directory have difficulty figuring out how to use this article and find their domain GUID. I have provided my feedback to Microsoft. Hopefully, Microsoft will allow us to use this feature with domains in Office 365 in the future, or at least make it clear in the instructions that this OneDrive feature is limited to on-premises domains.
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
Prev Post
Leave a Comment