If you manage OneDrive for a company, you might need to block access for certain teams while keeping it active for others. For example, a group handling sensitive data may not be allowed to sync files to personal cloud storage. This article explains how to disable OneDrive for a specific user group using Group Policy, Microsoft 365 admin center settings, and PowerShell. You will learn the exact steps to target only one group without affecting the rest of the organization.
Key Takeaways: Disable OneDrive for a Specific Group
- Group Policy > Computer Configuration > Administrative Templates > OneDrive: Use the “Prevent the usage of OneDrive for file storage” policy to disable the sync app on targeted computers.
- Microsoft 365 admin center > Settings > Org settings > OneDrive > Sync: Block sync for a security group by entering its email alias in the “Block sync on devices running Windows” field.
- SharePoint Online Management Shell > Set-SPOTenantSyncClientRestriction: PowerShell cmdlet to apply sync restrictions at the tenant level for specific groups.
Why You Need to Disable OneDrive for a Specific Group
OneDrive is enabled by default for all users in a Microsoft 365 tenant. When you need to restrict access for a specific group, you cannot simply turn off the service for individual users in the admin center. The sync app can be blocked using Group Policy on domain-joined Windows devices, or you can restrict sync at the tenant level using the Microsoft 365 admin center or PowerShell. Each method targets a different layer: Group Policy controls the local installation and behavior of the sync client, while admin center settings block the sync ability for specific users across all devices. Choose the method that matches your environment and the level of control you need.
Method 1: Using Group Policy to Disable OneDrive for a Specific Group
Group Policy applies settings to computers in an Active Directory domain. To target a specific user group, you create a Group Policy Object, link it to an organizational unit containing those users, and configure the OneDrive policy. This method prevents the OneDrive sync app from running on the targeted machines.
- Download the OneDrive Group Policy Administrative Templates
  Go to the Microsoft Download Center and search for “OneDrive Group Policy Administrative Templates.” Download the OneDrive.admx and OneDrive.adml files. Copy them to the Central Store on your domain controller or to the PolicyDefinitions folder on the local machine.
- Open Group Policy Management Console
  On a domain controller or a machine with RSAT tools installed, press Windows + R, type `gpmc.msc`, and press Enter.
- Create a new GPO
  Right-click the organizational unit that contains the users you want to block. Select Create a GPO in this domain, and Link it here. Name the GPO, for example, “Block OneDrive for Finance Group.”
- Edit the GPO
  Right-click the new GPO and select Edit. Navigate to Computer Configuration > Administrative Templates > OneDrive.
- Enable the policy
  Double-click Prevent the usage of OneDrive for file storage. Select Enabled, then click OK.
- Apply security filtering
  In the GPMC, select the GPO. In the right pane, click the Delegation tab, then click Advanced. Remove Authenticated Users from the Security Filtering list. Add the security group that should not use OneDrive, for example, “Finance Users.” Ensure the group has Read and Apply Group Policy permissions set to Allow.
- Force a policy update
  On the target machines, run `gpupdate /force` in an elevated Command Prompt. The OneDrive sync app will stop working and will not restart.
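To confirm the result of the steps above on a target machine, the following added example (not part of the original article, and not Microsoft's own tooling) reads the registry value this policy writes, asks gpresult whether the GPO reached the computer, and counts running sync-client processes. The GPO name is the article's example, the report path is an assumption, and the XML element names are those of the gpresult RSoP report.

```powershell
# Added example: verify Method 1 on a target machine. Run in an elevated
# PowerShell session after gpupdate /force.
param(
    # The article's example GPO name; change it to match yours.
    [string]$GpoName = 'Block OneDrive for Finance Group'
)

# 1. "Prevent the usage of OneDrive for file storage" is stored as this
#    machine-wide registry value (1 = OneDrive usage blocked).
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
$value = (Get-ItemProperty -Path $key -Name DisableFileSyncNGSC `
            -ErrorAction SilentlyContinue).DisableFileSyncNGSC

# 2. Ask Group Policy whether the GPO was processed for the computer.
#    /x writes an XML RSoP report; /f overwrites an existing file.
$report = Join-Path $env:TEMP 'rsop-computer.xml'   # assumed scratch path
gpresult.exe /scope computer /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw
$gpo = $rsop.Rsop.ComputerResults.GPO |
    Where-Object { $_.Name -eq $GpoName }

# 3. The sync client should not be running in any session.
$running = @(Get-Process -Name OneDrive -ErrorAction SilentlyContinue).Count

# Summarise the three checks in one object for logging or comparison.
[pscustomobject]@{
    PolicyRegistryValue = $value                # expected: 1
    PolicyEnforced      = ($value -eq 1)
    GpoInComputerRsop   = [bool]$gpo            # GPO is in scope of this computer
    GpoAccessDenied     = $gpo.AccessDenied     # 'true' = excluded by security filtering
    GpoFilterAllowed    = $gpo.FilterAllowed    # 'false' = excluded by a WMI filter
    OneDriveProcesses   = $running              # expected: 0
}
```

A `GpoAccessDenied` value of `true`, or a missing registry value after the policy refresh, means the computer account did not pass the GPO's security filtering, which is the first thing to check when the block does not take effect.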
Method 2: Using Microsoft 365 Admin Center to Block Sync for a Group
This method blocks the sync client from syncing files for specific users, but does not uninstall the app. Users in the blocked group will see a red X on their OneDrive icon and receive an error message when trying to sync.
- Sign in to the Microsoft 365 admin center
  Go to admin.microsoft.com and sign in with a Global Admin or SharePoint Admin account.
- Go to Org settings
  In the left navigation, select Settings, then Org settings.
- Open OneDrive settings
  Scroll down and click OneDrive.
- Configure sync restrictions
  Under the Sync tab, locate Block sync on devices running Windows. Enter the email alias of the security group you want to block, for example, “finance@contoso.com.” Click Save.
- Wait for propagation
  Changes take effect within a few minutes. Users in the specified group will see the sync blocked message the next time they sign in to OneDrive.
Method 3: Using PowerShell to Disable OneDrive Sync for a Specific Group
PowerShell gives you more granular control and is useful for scripting across multiple tenants or groups. You use the SharePoint Online Management Shell to set the sync client restriction.
- Install the SharePoint Online Management Shell
  Open an elevated PowerShell window and run `Install-Module -Name Microsoft.Online.SharePoint.PowerShell`. If prompted, confirm the installation.
- Connect to SharePoint Online
  Run `Connect-SPOService -Url https://contoso-admin.sharepoint.com`. Sign in with a SharePoint Admin or Global Admin account.
- Get the current sync restriction settings
  Run `Get-SPOTenantSyncClientRestriction`. Note the current state of ExcludedFileExtensions, BlockMacSync, and DomainGuids.
- Set the restriction for the group
  Run `Set-SPOTenantSyncClientRestriction -BlockSyncOnWindows $true -DomainGuids @("your-group-guid")`. Replace your-group-guid with the GUID of the security group. To find the GUID, run `Get-AzureADGroup -SearchString "Finance Users" | Select-Object ObjectId` in the Azure AD module.
- Verify the restriction
  Run `Get-SPOTenantSyncClientRestriction` again to confirm the settings. Users in the specified group will be blocked from syncing.
Common Mistakes and Issues When Disabling OneDrive for a Group
Group Policy does not apply to the targeted users
If the GPO uses security filtering but the group is nested, the policy may not apply. Make sure the security group is a direct member of the OU where the GPO is linked. Also verify that the GPO has Read and Apply Group Policy permissions for the group.
Users can still sync via web browser or mobile app
The methods described above block the sync client on Windows only. Users can still access OneDrive files through a web browser or the mobile app. To block all access, you would need to remove the SharePoint Online license or use Conditional Access policies in Azure AD.
Admin center sync restriction does not show the group in the dropdown
The admin center field expects the email alias of a mail-enabled security group or a distribution group. If the group is not mail-enabled, the setting will not accept it. Create a mail-enabled security group in the Exchange admin center or Azure AD, then add the users to that group.
Group Policy vs Admin Center vs PowerShell: Comparison of Methods
| Item | Group Policy | Microsoft 365 Admin Center | PowerShell |
|---|---|---|---|
| Target | Computers in an OU | Users in a mail-enabled security group | Users in a security group by GUID |
| Scope | On-premises domain-joined Windows devices | All Windows devices, including non-domain | All Windows devices in the tenant |
| Requires on-premises Active Directory | Yes | No | No |
| Uninstalls the sync app | No, only blocks usage | No, only blocks sync | No, only blocks sync |
| Propagation time | After gpupdate or reboot | A few minutes | Immediate |
Choose Group Policy if you manage devices in a domain and need to enforce the setting on the machine level. Choose the admin center or PowerShell if you manage users directly in Microsoft 365 and want to block sync across all devices without touching local Group Policy.
Now you can disable OneDrive for a specific user group using Group Policy, the Microsoft 365 admin center, or PowerShell. Start by identifying the group that needs restricted access. Then apply the method that fits your infrastructure. For a more permanent solution, consider using Conditional Access policies to block all access to OneDrive and SharePoint for that group, leaving only web access if needed.