In today's cloud-driven workplace, ensuring secure and compliant access to corporate data is crucial. This article explores the importance of managing OneDrive sync settings within SharePoint Online, particularly through the Tenant Sync Client Restriction feature.
We'll dive into a practical PowerShell script that helps administrators connect to SharePoint Online and verify whether OneDrive is restricted to sync only on domain-joined computers. This script provides insights into the current configuration, ensuring that your organization's data is protected by limiting synchronization to trusted devices.
Key points covered include:
- Connecting to SharePoint Online: How to establish a secure connection to your SharePoint Online environment using PowerShell.
- Tenant Sync Client Restriction Settings: An explanation of the Tenant Sync Client Restriction feature and its role in enhancing security by restricting OneDrive sync to computers joined to specific domains.
- Checking Configuration via PowerShell: A step-by-step guide on using the script to retrieve and evaluate the current sync settings, including whether syncing is allowed only on domain-joined devices and identifying the permitted domains.
- Interpreting Results and Next Steps: How to understand the output of the script and take appropriate actions based on the findings, ensuring your organization maintains a secure cloud environment.
Here is the script:
```powershell
# Connect to SharePoint Online (requires the Microsoft.Online.SharePoint.PowerShell module)
$adminUrl = "https://xxx-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl

# Function to check OneDrive sync settings
function Check-OneDriveSyncSettings {
    # Get the tenant sync client restriction settings
    $syncSettings = Get-SPOTenantSyncClientRestriction

    # Check if "Allow syncing only on computers joined to specific domains" is enabled.
    # TenantRestrictionEnabled holds the on/off state; AllowedDomainList holds the
    # permitted Active Directory domain GUIDs. BlockMacSync is a separate setting
    # that only controls whether Mac sync clients are blocked.
    $allowDomainJoin = $syncSettings.TenantRestrictionEnabled
    $allowedDomains  = $syncSettings.AllowedDomainList -join ", "

    if ($allowDomainJoin) {
        Write-Output "Allow syncing only on computers joined to specific domains is enabled."
        Write-Output "Allowed domains: $allowedDomains"
    } else {
        Write-Output "Allow syncing only on computers joined to specific domains is not enabled."
    }
}

# Check the OneDrive sync settings
Check-OneDriveSyncSettings
```
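
To act on the result, the same settings can be compared against the domain GUIDs your organization expects, so drift is flagged rather than just printed. This is an added example, not part of the original script: `Test-SyncRestrictionBaseline`, the expected GUID list and the sample settings object are constructed for illustration. Against a live tenant, pass the output of `Get-SPOTenantSyncClientRestriction` as `-Settings`.

```powershell
function Test-SyncRestrictionBaseline {
    param(
        # Object shaped like the output of Get-SPOTenantSyncClientRestriction
        [Parameter(Mandatory)] $Settings,
        # Domain GUIDs the organization intends to allow (assumption: kept in your baseline)
        [Parameter(Mandatory)] [guid[]] $ExpectedDomainGuids
    )
    $findings = @()

    if (-not $Settings.TenantRestrictionEnabled) {
        $findings += "FAIL: domain restriction is disabled; sync is not limited to domain-joined computers."
        return $findings
    }

    # Normalize both lists to canonical GUID strings; skip null or empty entries
    $actual   = @($Settings.AllowedDomainList | Where-Object { $_ } | ForEach-Object { ([guid]$_).ToString() })
    $expected = @($ExpectedDomainGuids | ForEach-Object { $_.ToString() })

    if ($actual.Count -eq 0) {
        $findings += "FAIL: restriction is enabled but the allowed domain list is empty."
    }
    foreach ($g in $actual) {
        if ($g -notin $expected) { $findings += "FAIL: unexpected domain GUID allowed: $g" }
    }
    foreach ($g in $expected) {
        if ($g -notin $actual) { $findings += "WARN: expected domain GUID missing: $g" }
    }
    if (-not $Settings.BlockMacSync) {
        $findings += "INFO: BlockMacSync is off; Mac sync clients are not blocked."
    }
    if ($findings.Count -eq 0) {
        $findings += "PASS: allowed domains match the baseline."
    }
    return $findings
}

# Constructed sample data (not real tenant values)
$sample = [pscustomobject]@{
    TenantRestrictionEnabled = $true
    AllowedDomainList        = @('11111111-1111-1111-1111-111111111111',
                                 '99999999-9999-9999-9999-999999999999')
    BlockMacSync             = $false
}
$expected = [guid[]]@('11111111-1111-1111-1111-111111111111',
                      '22222222-2222-2222-2222-222222222222')

Test-SyncRestrictionBaseline -Settings $sample -ExpectedDomainGuids $expected
```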