When you manage OneDrive for Business for your organization, controlling which devices can sync files is a critical security measure. Without sync restrictions, users can sync corporate data to unmanaged or personal computers, increasing the risk of data leakage. This article explains how to configure tenant sync restrictions using the Microsoft 365 admin center and PowerShell. You will learn to block sync on unmanaged devices, restrict sync to specific IP ranges, and enforce device compliance rules.
Key Takeaways: Configuring OneDrive Tenant Sync Restrictions
- Microsoft 365 admin center > Settings > OneDrive > Sync: Controls tenant-wide sync restrictions, file type blocking, and Known Folder Move behavior.
- PowerShell Set-SPOTenantSyncClientRestriction cmdlet: Enables or disables sync on unmanaged devices and sets allowed IP ranges.
- Conditional Access policy in Azure AD: Requires compliant or domain-joined devices before OneDrive sync is allowed.
Understanding Tenant Sync Restrictions in OneDrive for Business
Tenant sync restrictions are policies that control where and how users can sync OneDrive files. The main goal is to prevent data from being synced to devices that are not managed by your organization. These restrictions work at the tenant level and apply to all users unless you create exceptions.
There are three primary layers of sync restrictions:
1. Device Platform Restriction
You can block sync entirely on Windows, macOS, Android, or iOS devices. This is useful if your organization only supports a specific operating system.
2. Unmanaged Device Restriction
This setting blocks sync on devices that are not joined to Azure AD or not marked as compliant in Intune. When enabled, users see an error message in OneDrive and cannot sync any files.
3. IP Range Restriction
You can define a list of allowed public IP addresses. Sync only works when the device is connected from one of those IP ranges. This is commonly used to restrict sync to corporate office locations.
Before configuring any of these restrictions, you must have the SharePoint admin role or the Global admin role in Microsoft 365. You also need a license that includes Azure AD Premium P1 for Conditional Access policies.
Steps to Configure Sync Restrictions Using the Microsoft 365 Admin Center
The easiest method for most administrators is using the built-in sync settings in the admin center.
1. Open the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with your Global admin or SharePoint admin account.
2. Navigate to OneDrive settings
In the left navigation, expand Settings and select Org settings. Scroll down to OneDrive and click it.
3. Open the Sync tab
In the OneDrive settings pane, click the Sync tab at the top.
4. Enable sync restrictions
Under Sync restrictions, check the box Block sync on unmanaged devices. Optionally, check Block sync on specific device platforms and select the platforms to block.
5. Set IP range restrictions
If you want to restrict sync to specific IP ranges, check Allow sync only on devices that connect from specific IP ranges. Enter the IP addresses in CIDR notation, one per line, for example 203.0.113.0/24.
6. Save the settings
Click Save at the bottom of the pane. The changes apply within 15 minutes to all users.
Steps to Configure Sync Restrictions Using PowerShell
PowerShell gives you more control, especially if you need to apply settings across multiple tenants or automate the process.
1. Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Press Y to confirm.
2. Connect to SharePoint Online
Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com, replacing yourtenant with your actual tenant name, and sign in with your admin credentials.
3. Block sync on unmanaged devices
Run Set-SPOTenantSyncClientRestriction -BlockSyncOnUnmanagedDevices $true. This applies the restriction tenant-wide.
4. Set allowed IP ranges
Run Set-SPOTenantSyncClientRestriction -ExcludedIPRanges @("203.0.113.0/24","198.51.100.0/24"), replacing the IP ranges with your own. Note that, despite its name, the ExcludedIPRanges parameter defines the allowed IP ranges.
5. Verify the settings
Run Get-SPOTenantSyncClientRestriction and confirm that BlockSyncOnUnmanagedDevices is True and that ExcludedIPRanges contains your IP ranges.
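A mistyped CIDR entry in the allow list blocks sync for everyone, including the administrator applying it. The following script is an added example, not part of the article: it validates each entry before you pass the list to Set-SPOTenantSyncClientRestriction as described above, and refuses to proceed if the list would not cover the admin's own connection. The sample ranges, the admin IP and the function names are constructed for the example.

```powershell
# Added example, not from the article: sanity-check an IP allow list before applying it.
# Constructed sample list; the second entry has a deliberate error (prefix length > 32).
$candidateRanges = @('203.0.113.0/24', '198.51.100.0/33', '192.0.2.10/32', 'not-a-range')

# Public IP of the admin session (constructed placeholder; replace with your own).
$adminPublicIp = '203.0.113.45'

function ConvertTo-UInt32Ip {
    # Convert a dotted IPv4 address to a 32-bit integer (endian-independent).
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}

function Test-Cidr {
    # $true only for a well-formed IPv4 CIDR with a prefix length in 0..32.
    param([string]$Cidr)
    if ($Cidr -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { return $false }
    if ([int]$Matches[3] -gt 32) { return $false }
    $addr = $null
    return [System.Net.IPAddress]::TryParse($Matches[1], [ref]$addr)
}

function Test-IpInCidr {
    # $true when $Ip falls inside the $Cidr network.
    param([string]$Ip, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    $all  = [uint64][uint32]::MaxValue
    $mask = [uint32](($all -shl (32 - [int]$prefix)) -band $all)   # /0 yields mask 0, matching all
    return ((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask)
}

$valid   = @($candidateRanges | Where-Object { Test-Cidr $_ })
$invalid = @($candidateRanges | Where-Object { -not (Test-Cidr $_) })
if ($invalid.Count -gt 0) { Write-Warning "Dropping malformed entries: $($invalid -join ', ')" }

# Lockout check: never apply a list that would block the session applying it.
$covered = @($valid | Where-Object { Test-IpInCidr -Ip $adminPublicIp -Cidr $_ })
if ($covered.Count -eq 0) {
    throw "Allow list does not cover $adminPublicIp; applying it would block this session."
}
$valid   # pass this array to the cmdlet's IP range parameter instead of the raw list
```

With the sample input the script warns about the two malformed entries and returns 203.0.113.0/24 and 192.0.2.10/32; with an admin IP outside both ranges it throws instead of returning a list.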
Using Conditional Access for Granular Device Control
For more advanced scenarios, such as requiring a specific operating system version or a compliant device, use Azure AD Conditional Access.
1. Open Azure AD Conditional Access
Go to portal.azure.com and navigate to Azure Active Directory > Security > Conditional Access.
2. Create a new policy
Click + New policy and give it a name, such as OneDrive Sync – Require Compliant Device.
3. Assign the policy to OneDrive
Under Assignments > Cloud apps or actions, click Select apps. Search for Office 365 SharePoint Online and select it; this app covers OneDrive sync.
4. Set conditions
Under Conditions > Device platforms, choose the platforms you want to include. Under Client apps, check Mobile apps and desktop clients.
5. Require compliant device
Under Grant, select Grant access and check Require device to be marked as compliant. Optionally, also check Require Hybrid Azure AD joined device.
6. Enable the policy
Set Enable policy to On and click Create.
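The same policy as the portal steps above, created with Microsoft Graph PowerShell so it can be version-controlled and applied repeatably (an added example, not part of the original article). It assumes the Microsoft.Graph.Identity.SignIns module is installed, uses a placeholder for a break-glass account to exclude, and starts the policy in report-only mode so sign-in logs can be reviewed before it is enforced; the app ID is the well-known first-party ID of Office 365 SharePoint Online.

```powershell
# Added example, not from the article: create the Conditional Access policy from the
# steps above with Microsoft Graph PowerShell instead of the portal.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Well-known first-party app ID for "Office 365 SharePoint Online" (covers OneDrive sync).
$spoAppId = '00000003-0000-0ff1-ce00-000000000000'

# Placeholder object ID of a break-glass account (replace); excluding it keeps one
# administrator able to sign in if the policy turns out to be too strict.
$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'OneDrive Sync - Require Compliant Device'
    # Report-only first; change to 'enabled' once the sign-in logs show no surprises.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
        applications   = @{ includeApplications = @($spoAppId) }
        platforms      = @{ includePlatforms = @('windows', 'macOS') }
        clientAppTypes = @('mobileAppsAndDesktopClients')   # the "Mobile apps and desktop clients" condition
    }
    grantControls = @{
        operator        = 'OR'   # compliant OR hybrid Azure AD joined satisfies the policy
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

To enforce the policy after review, update it with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'.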
Common Issues and Exceptions
Users see error “Sync is blocked by your IT admin”
This error appears when the device is not compliant or not joined to Azure AD. Check the device compliance status in Intune or Azure AD. If the device is managed but still blocked, verify that the Conditional Access policy includes the correct client app condition.
IP range restriction blocks legitimate users
If users report sync failures when working from home, the home IP address is likely not in your allowed IP range. You can add the home IP range to the ExcludedIPRanges parameter in PowerShell, but residential IP addresses change often, so such a list goes stale quickly and weakens the restriction. A better alternative is to use Conditional Access with a trusted network location instead of hard-coded IP ranges.
Sync restrictions do not apply to all users
Check if you have created any exception groups. In the admin center sync settings, you can add specific users or groups that are exempt from restrictions. Remove those exceptions if you want the policy to apply to everyone.
OneDrive Sync Restriction Methods: Admin Center vs PowerShell vs Conditional Access
| Item | Microsoft 365 Admin Center | PowerShell | Azure AD Conditional Access |
|---|---|---|---|
| Ease of use | Very easy, GUI-based | Moderate, requires scripting knowledge | Moderate, requires Azure AD P1 license |
| Device platform control | Yes, block Windows/macOS/Android/iOS | No direct parameter, use Conditional Access | Yes, select specific platforms |
| IP range restriction | Yes, enter CIDR ranges | Yes, via ExcludedIPRanges parameter | Yes, via named locations |
| Require compliant device | No | No | Yes |
| Apply to specific groups | Yes, via exclusion list | No | Yes, via policy assignments |
Use the admin center for quick, tenant-wide restrictions. Use PowerShell for automated or bulk configurations. Use Conditional Access when you need granular device compliance requirements or location-based access control.
You can now configure tenant sync restrictions in OneDrive for Business using three different methods. Start by blocking sync on unmanaged devices in the admin center to reduce data leakage risks. If you need to enforce device compliance, create a Conditional Access policy that requires compliant or hybrid Azure AD joined devices. For advanced automation, use the Set-SPOTenantSyncClientRestriction PowerShell cmdlet to manage IP ranges and sync blocks across multiple tenants.