You configured OneDrive sync policies in the Microsoft 365 admin center, but those policies are not applying to devices that are Entra joined. This usually happens because the OneDrive sync policy targets a specific device group, but the Entra joined device is not in that group or the policy is configured for hybrid joined devices only. This article explains why the policy fails and provides the exact steps to fix the configuration so that sync restrictions, Known Folder Move, and file type blocking apply to Entra joined devices.
Key Takeaways: Fixing OneDrive Sync Policy for Entra Joined Devices
- Microsoft 365 admin center > Settings > OneDrive > Sync: Controls tenant-wide sync restrictions, file type blocking, and Known Folder Move behavior.
- Group Policy Management Console > Computer Configuration > Administrative Templates > OneDrive: Applies sync settings to Windows devices via on-premises Group Policy, but does not target Entra joined devices unless linked to the Entra device group.
- Microsoft Intune > Devices > Configuration profiles > OneDrive: The correct method to push OneDrive policies to Entra joined devices, using the OneDrive ADMX settings imported into Intune.
Why OneDrive Sync Policies Do Not Apply to Entra Joined Devices
OneDrive sync policies in the Microsoft 365 admin center are tenant-wide settings that apply to all users, but they rely on the user signing in with an Entra ID account. When a device is Entra joined, the user signs in with their Entra ID credentials, so the tenant-wide policy should apply. However, if you are using Group Policy Objects from on-premises Active Directory, those GPOs will not apply to Entra joined devices because those devices do not have a trust relationship with on-premises domain controllers.
The most common cause is mixing policy deployment methods. For example, you might have configured sync restrictions in the admin center, but also deployed a conflicting GPO that blocks sync for certain file types. The Entra joined device ignores the GPO, so the tenant-wide setting is the only policy in effect. Another cause is that the policy is scoped to a security group that does not include the Entra joined device or the user signed into it.
Tenant-Wide Policy vs Device-Specific Policy
The Microsoft 365 admin center sync policy applies to every user in the tenant. It does not care if the device is Entra joined, hybrid joined, or unmanaged. If the policy is not applying, check that the user is licensed for OneDrive and that the policy is not overridden by a higher-priority setting from Intune or Group Policy. For Entra joined devices, Intune policies take precedence over tenant-wide settings.
Group Policy Inheritance and Entra Joined Devices
Entra joined devices do not process on-premises Group Policy at all. If you have been using GPOs to control OneDrive behavior, those GPOs will not reach Entra joined devices. You must use Microsoft Intune to deploy the same settings. Without Intune, the device receives only the tenant-wide settings from the admin center and the default OneDrive client settings.
Steps to Apply OneDrive Sync Policy to Entra Joined Devices
Follow these steps to ensure that OneDrive sync policies apply to Entra joined devices. The process uses Microsoft Intune to deploy the OneDrive ADMX settings.
- Verify the tenant-wide sync policy in the admin center
  Go to the Microsoft 365 admin center at admin.microsoft.com. Select Settings > Org settings > OneDrive > Sync. Confirm that the settings you want, such as blocking specific file types or enabling Known Folder Move, are enabled. This policy applies to all users regardless of device type.
- Download the latest OneDrive ADMX files
  On a Windows 10 or Windows 11 computer, download the OneDrive ADMX templates from the Microsoft Download Center. Extract the files. You need the OneDrive.admx and OneDrive.adml files.
- Import the OneDrive ADMX into Intune
  Sign in to the Microsoft Intune admin center at intune.microsoft.com. Go to Devices > Configuration profiles > Create > New policy. Select Windows 10 and later as the platform and Templates > Administrative Templates as the profile type. Click Create. On the Configuration settings tab, click Add and upload the OneDrive.admx file. Then add the OneDrive.adml language file.
- Configure the OneDrive sync policy settings
  After importing the ADMX, browse to OneDrive > OneDrive Settings. Configure the settings you need, such as Silently move Windows known folders to OneDrive, Prevent users from syncing specific file types, or Set the maximum file size for syncing. Each setting has a description that explains its behavior.
- Assign the policy to the correct device group
  On the Assignments tab, select a Microsoft Entra ID group that contains the Entra joined devices. You can use a dynamic device group that includes all Entra joined devices. Click Next and complete the policy creation.
- Wait for the policy to apply and verify
  Intune policies apply during the next sync cycle, which occurs every 8 hours by default. You can trigger a manual sync on the device by going to Settings > Accounts > Access work or school, selecting the device, and clicking Sync. After the sync, open OneDrive and verify that the policy is active. For example, if you blocked .exe files, try to sync a file with that extension and confirm it is blocked.
If OneDrive Sync Policy Still Does Not Apply
Policy shows as pending in Intune
If the policy status in Intune is Pending for more than 24 hours, the device may not be checking in. Verify that the device is enrolled in Intune and that it has network connectivity. Go to Devices > Windows > Windows devices in Intune and check the last check-in time. If the device has not checked in, restart the device or re-enroll it.
User is not licensed for OneDrive
Even with the correct Intune policy, the sync policy will not apply if the user does not have a OneDrive license. Verify that the user is assigned a license that includes OneDrive for Business, such as Microsoft 365 Business Basic, Standard, or Premium. Go to the Microsoft 365 admin center, select Users > Active users, choose the user, and verify the license assignment.
Conflicting policies from multiple sources
If you have both an Intune policy and a tenant-wide policy, the Intune policy takes precedence. However, if you also have an on-premises GPO that applies to a hybrid joined device, the GPO may override the Intune policy. For Entra joined devices, this is not an issue because GPOs do not apply. To check for conflicts, review all configuration profiles in Intune and ensure only one profile sets each OneDrive setting.
OneDrive client version is outdated
Some newer policy settings require the latest OneDrive sync client. On the Entra joined device, check the OneDrive version by right-clicking the OneDrive icon in the system tray and selecting Settings > About. The version should be 22.245 or later for full policy support. If the client is outdated, update it from the OneDrive website or use Intune to deploy the update.
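The verification and troubleshooting checks above can be collected in one read-only script run on the device. This is an added example, not part of the original article or any Microsoft tooling; it assumes that delivered OneDrive policies appear as values under HKLM:\SOFTWARE\Policies\Microsoft\OneDrive and that the sync client records its version under HKCU:\Software\Microsoft\OneDrive, and it takes the 22.245 minimum from the text.

```powershell
# Added example: run on the device as the signed-in user. Read-only checks.
$minVersion = [version]'22.245'                             # minimum client version given in the article
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'  # assumed machine policy location
$clientKey  = 'HKCU:\Software\Microsoft\OneDrive'           # assumed per-user client key

# 1. Join state: collect "Name : Value" pairs from dsregcmd /status.
$state = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}
$entraJoined  = $state['AzureAdJoined'] -eq 'YES'
$domainJoined = $state['DomainJoined'] -eq 'YES'
if ($entraJoined -and $domainJoined) { $joinType = 'Hybrid joined: on-premises GPO can also set OneDrive policy' }
elseif ($entraJoined)                { $joinType = 'Entra joined: on-premises GPO is not processed' }
else                                 { $joinType = 'Not Entra joined' }

# 2. Policy values delivered to the device (empty if nothing has applied yet).
$policies = @()
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    $policies = @(foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Setting = $name; Value = $key.GetValue($name) }
    })
}

# 3. Sync client version compared with the article's minimum.
$clientVersion = (Get-ItemProperty $clientKey -ErrorAction SilentlyContinue).Version
$versionOk = [bool]$clientVersion -and ([version]$clientVersion -ge $minVersion)

[pscustomobject]@{
    JoinType         = $joinType
    PolicyKeyPresent = Test-Path $policyKey
    PolicyValueCount = $policies.Count
    ClientVersion    = $clientVersion
    MeetsMinVersion  = $versionOk
} | Format-List
$policies | Format-Table -AutoSize
```

An Entra joined device that has checked in recently but shows no policy values points to the profile assignment, such as the device or user not being in the assigned group, rather than to the OneDrive client.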
Tenant-Wide Policy vs Intune Policy: Key Differences
| Item | Tenant-Wide Policy (Admin Center) | Intune Policy (Administrative Templates) |
|---|---|---|
| Scope | All users in the tenant | Assigned device groups or user groups |
| Device type support | All devices including unmanaged, Entra joined, and hybrid joined | Windows 10 and 11 devices managed by Intune |
| Known Folder Move | Can enable for all users, but does not force silent move | Can configure silent move with or without user interaction |
| File type blocking | Block sync of specific file extensions | Same setting, but can be scoped to specific devices |
| Conflict resolution | Overridden by Intune or GPO settings | Takes precedence over tenant-wide policy |
Use the tenant-wide policy as a baseline and Intune policies for granular control over Entra joined devices. This combination ensures that all devices receive the core settings while Entra joined devices get the device-specific restrictions.
You can now apply OneDrive sync policies to Entra joined devices by using Intune Administrative Templates instead of relying on on-premises Group Policy. Next, review your existing Intune configuration profiles to remove any duplicate OneDrive settings that may cause conflicts. For advanced control, create separate Intune policies for different device groups, such as one for kiosk devices and another for corporate laptops.