Enable OneDrive domain sync restrictions

One of the admin controls that has recently been added to OneDrive for Business is the ability to restrict file sync to only work on domain joined machines. Here’s how you enable this:

First, you need to get the domain GUID by running the following command in PowerShell:

$domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -Identity $d | Select ObjectGuid}

Next, set the domain GUID as the only accepted domain for OneDrive sync:

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "xxxxxxx-xxxx-415c-aa3b-9d06b595c714"

That’s really all there is to it – if you need to undo these changes and open sync back up again, simply run the following command:

Remove OneDrive domain sync restrictions:


When this feature is enabled the following will occur: (pulled directly from the TechNet article)

  • All OneDrive for Business Sync client requests originating from a domain that is not on the safe recipients list will be blocked.
  • All OneDrive for Business Mac Sync client requests will be blocked.
  • Mobile clients are not blocked when this feature is enabled.
  • Regardless whether a computer is managed by a device management solution, a sync relationship will not be established unless they are joined to a domain in the Safe Recipient List.
  • Any files that have been previously been synced down to your computer will not be deleted.
  • Please be aware the following upload behavior:
    • New or existing files added to the client will still be uploaded to the server and will not be blocked.
      • Regardless if the computer is joined to a domain which is set in the Safe Recipient List.
      • Regardless if the computer is joined to a domain which is not set in the Safe Recipient List.
      • And for all non-domain joined computers.
  • OneDrive for Business sync client prior to version 15.0.4693.1000 will stop syncing existing libraries.


For more information, see the following articles:
How to enumerate a domain GUID in an Active Directory forest: https://technet.microsoft.com/en-us/library/dn938435.aspx
Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list: https://technet.microsoft.com/en-us/library/dn917452.aspx

One thought on “Enable OneDrive domain sync restrictions

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.