OneDrive sync from unmanaged devices is blocked
sharepoint_onedrive_sync_restricted_unmanaged_devices
This check verifies that the Microsoft 365 SharePoint tenant setting for OneDrive sync restricts syncing to managed, domain-joined devices. It passes only when a list of approved Active Directory domain GUIDs is configured, which limits the sync client to devices joined to those specific domains.
Risk
Without this restriction, users can sync SharePoint/OneDrive files to unmanaged devices, undermining:
- Confidentiality: data copied to personal or lost endpoints, outside DLP controls.
- Integrity: malicious edits synced back to sites.
- Availability: mass deletion or ransomware can propagate via sync clients.
prowler m365 --checks sharepoint_onedrive_sync_restricted_unmanaged_devices
Recommendation
Allow OneDrive sync only from managed, domain-joined devices by maintaining an approved domain GUIDs list. For Entra-joined devices, require device compliance via Conditional Access. Apply least privilege, use DLP/sensitivity labels, and periodically review exceptions.
Remediation
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids '<DOMAIN_GUID>'
- Go to the SharePoint admin center: https://admin.microsoft.com/sharepoint
- Select Settings > Sync
- Check "Allow syncing only on computers joined to specific domains"
- Enter at least one AD domain GUID (separate multiple GUIDs with semicolons)
- Click Save
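The following PowerShell script is an added example, not Prowler's code and not a script from Microsoft's documentation. It performs the same change as the cmdlet above from the SharePoint Online Management Shell, records the prior state, and then verifies the setting the way the check evaluates it (restriction enabled and at least one approved domain GUID). It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account is a SharePoint administrator, and that the $TenantName and $DomainGuids values are placeholders you replace.

```powershell
# Added example: enable and verify the OneDrive sync domain restriction.
# Assumptions: SharePoint Online Management Shell is installed and the signed-in
# account is a SharePoint admin. Replace the placeholder values below.

Import-Module Microsoft.Online.SharePoint.PowerShell

$TenantName  = '<TENANT>'                               # placeholder: the part before .onmicrosoft.com
$DomainGuids = @('<DOMAIN_GUID_1>', '<DOMAIN_GUID_2>')  # placeholders: GUIDs of the approved AD domains

# Optional: read the GUID of the current on-premises AD domain instead of typing it
# (requires the ActiveDirectory module on a domain-joined admin workstation).
# $DomainGuids = @((Get-ADDomain).ObjectGUID.Guid)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Record the current state so the change can be reviewed or rolled back later.
$before = Get-SPOTenantSyncClientRestriction
"Before: enabled={0}; domains={1}" -f $before.TenantRestrictionEnabled, ($before.AllowedDomainList -join ';')

# Enable the restriction. -DomainGuids expects one semicolon-separated string.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($DomainGuids -join ';')

# Verify using the same condition the check applies:
# restriction enabled AND at least one approved domain GUID present.
$after = Get-SPOTenantSyncClientRestriction
$pass  = $after.TenantRestrictionEnabled -and (@($after.AllowedDomainList).Count -gt 0)
if ($pass) {
    "PASS: OneDrive sync limited to domain(s) $($after.AllowedDomainList -join ';')"
} else {
    "FAIL: OneDrive sync is not restricted to managed domains"
}
```

Run the verification part on its own (the Get-SPOTenantSyncClientRestriction call and the $pass test) as a periodic audit; the property values it reads are the same ones the admin center's Settings > Sync page displays.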
Resource Type
NotDefined