Azure Active Directory conditional access with the OneDrive sync client on Windows (preview)

Conditional access control capabilities in Azure Active Directory offer simple ways for you to secure resources in the cloud. In this preview, the new OneDrive sync client works with the conditional access control policies to ensure syncing is only done with compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune).

Important: This preview uses a test version of the new OneDrive sync client. We recommend that you restrict your rollout to a test tenant or a group of no more than fifty users.

For information about how conditional access works, see the following resources:

Getting started

This preview uses a special build of OneDrive.exe and a registry key to enable the feature. Use the following steps on each computer where you want to test this feature.

To enable conditional access support on the OneDrive sync client
  1. Download and install the preview build of the new OneDrive sync client.

  2. Download and open this .reg file to enable the conditional access feature.

  3. Restart the sync client.

If you want to disable this preview feature, you can delete the registry key by running this .reg file. You need to restart the sync client for the change to take effect.

Known issues

The following are known issues with this preview:

  • This feature is not compatible with SPOTenantSyncClientRestriction. We recommend disabling SPOTenantSyncClientRestriction while you're using this preview, or using a test tenant.

  • If you create a new access policy after the device has authenticated, it may take up to twenty-four hours for the policy to take effect.

  • Mac is not yet supported for this preview.

  • This preview will not automatically take over sync from groove.exe. If you are already syncing with groove.exe, it will continue to sync after you set up the Next Generation Sync Client. (We are working on a fix for this issue.)

  • In some cases the user may be prompted for credentials twice. We are working on a fix for this issue.

  • Certain ADFS configurations may require additional setup to work with this preview. Please run the following command on your ADFS server to ensure FormsAuthentication is added to the list of PrimaryIntranetAuthenticationProvider:

    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')
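
The command above sets the intranet provider list to exactly the two named values, so any other provider that was already enabled is dropped. As an added example (not part of the original article), the following PowerShell reads the current policy, appends FormsAuthentication only if it is missing, and reads the policy back to confirm the change. It assumes the ADFS PowerShell module and an elevated session on the primary AD FS server.

```powershell
# Added example, not part of the original article.
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS -ErrorAction Stop

$required = 'FormsAuthentication'

# Read the providers currently enabled for intranet sign-in.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.PrimaryIntranetAuthenticationProvider)

# Record the starting state so it can be restored if needed.
Write-Host "Current intranet providers: $($current -join ', ')"

if ($current -contains $required) {
    Write-Host "$required is already enabled; no change made."
    return
}

# Append instead of overwriting, so providers such as
# CertificateAuthentication stay enabled if they were configured.
$updated = $current + $required

Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $updated

# Confirm the change by reading the policy back.
$after = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
Write-Host "Updated intranet providers: $($after -join ', ')"

if ($after -notcontains $required) {
    throw "$required was not added; check AD FS admin rights and the AD FS event log."
}
```

To roll back, pass the provider list printed as "Current intranet providers" to the same Set-AdfsGlobalAuthenticationPolicy parameter.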

Reporting problems

Please let us know if you run into any problems while using this preview.

To report a problem
  1. Right-click the blue OneDrive icon in the system tray.

  2. Click Report a problem.

  3. Type a brief description of your issue, and then click OK. You will receive an email notification with a support ticket number to track your issue.

See Also

Get started with the OneDrive for Business Next Generation Sync Client in Windows

Plan to deploy the OneDrive for Business Next Generation Sync Client in an enterprise environment
