Azure Active Directory conditional access with the OneDrive sync client on Windows

Conditional access control capabilities in Azure Active Directory offers simple ways for you to secure resources in the cloud. The new OneDrive sync client works with the conditional access control policies to ensure syncing is only done with compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune).

For information about how conditional access works, see the following resources:

Getting started

Use the following steps on each computer.

To enable conditional access support on the new OneDrive sync client
  1. Download and install the new OneDrive sync client.

  2. Download and open EnableCAPreview.reg to enable the conditional access feature.

  3. Restart the sync client.

If you want to disable this feature, you can delete the registry key by running DisableCAPreview.reg. You need to restart the sync client for the change to take effect.

Known issues

The following are known issues with this release:

  • This feature is not compatible with SPOTenantSyncClientRestriction. We recommend disabling SPOTenantSyncClientRestriction while you're using this release, or using a test tenant.

  • If you create a new access policy after the device has authenticated, it may take up to twenty-four hours for the policy to take effect.

  • Mac is not yet supported for this release.

  • This release will not automatically take over sync from groove.exe. If you are already syncing with groove.exe, it will continue to sync after you set up the new OneDrive sync client. (We are working on a fix for this issue.) For instructions, see Transition from the previous OneDrive for Business sync client.

  • In some cases the user may be prompted for credentials twice. We are working on a fix for this issue.

  • Certain ADFS configurations may require additional setup to work with this release. Please run the following command on your ADFS server to ensure FormsAuthentication is added to the list of PrimaryIntranetAuthenticationProvider:

    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

  • If you enable location-based conditional access, users will need to sign in immediately when they leave the set of approved IP address ranges. While outside of the set of approved IP address ranges, they will need to sign in again every time their access expires (every 90 minutes by default).

Reporting problems

Please let us know if you run into any problems while using this release.

To report a problem
  1. Right-click the blue OneDrive icon in the notification area, at the far right of the taskbar.

  2. Click Report a problem.

  3. Type a brief description of your issue, and then click OK. You will receive an email notification with a support ticket number to track your issue.

See Also

Deploy the new OneDrive sync client

Get started with the new OneDrive sync client in Windows

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!