Tenant Sync Restriction Blocks a Valid Business Account: OneDrive for Business Fix

Your OneDrive for Business account shows a sync error, but you know your credentials and license are correct. The sync client displays a message that sync is blocked, even though you have full access to OneDrive through the browser. This problem occurs when a Microsoft 365 tenant administrator has enabled a sync restriction policy that prevents the OneDrive sync app from connecting from your device or network.

Sync restrictions are configured in the Microsoft 365 admin center and in Azure Active Directory Conditional Access policies. These settings can block sync based on device compliance, IP address location, or app-level permissions. When a restriction is too broad or misconfigured, it can block legitimate business users who should have sync access.

This article explains the specific tenant policies that cause sync blocks, provides step-by-step instructions to identify and resolve the restriction, and covers related failure patterns you may encounter. You will learn how to check sync settings, modify Conditional Access policies, and verify that your account is no longer blocked.

Key Takeaways: Resolving Tenant Sync Restrictions for OneDrive

  • Microsoft 365 admin center > Settings > Org Settings > OneDrive > Sync: Controls whether users can sync OneDrive files. If disabled, all sync is blocked for the tenant.
  • Azure AD Conditional Access > Policies > Grant > Require compliant device: Blocks OneDrive sync from non-compliant devices. Users with valid accounts but non-compliant devices will see a sync error.
  • Azure AD Conditional Access > Policies > Grant > Require approved client app: Blocks OneDrive sync from third-party or unapproved sync clients. The official OneDrive sync app must be used.

Why Your Valid Business Account Is Blocked from Syncing

When a valid business account cannot sync OneDrive files, the root cause is almost always a tenant-level policy. The Microsoft 365 admin center has a master switch that can disable OneDrive sync for all users. Additionally, Azure AD Conditional Access policies can block sync based on device compliance, location, or client app requirements.

The most common policies that block sync are:

  • Sync disabled at the tenant level: In the Microsoft 365 admin center, under Org Settings > OneDrive > Sync, the option “Let users sync OneDrive files” may be turned off. This blocks all sync activity regardless of user permissions.
  • Conditional Access policy requiring compliant device: If your device is not enrolled in Microsoft Intune or does not meet compliance requirements (e.g., missing antivirus, outdated OS), the policy blocks the OneDrive sync app from connecting.
  • Conditional Access policy requiring approved client app: Some tenants restrict sync to the official OneDrive sync app and block third-party tools. Even if you use the official app, a misconfigured policy can still block it if the app is not marked as approved.
  • IP address location restriction: A Conditional Access policy that blocks access from specific geographic locations or untrusted IP ranges can prevent sync from certain networks.

The error message in the OneDrive sync client usually says “Sync is blocked” or “Your organization blocked this device.” The user sees a valid license and browser access, but the sync client cannot connect. Understanding these policies helps you identify which one is causing the block.

Steps to Identify and Remove the Sync Restriction

To fix the sync block, you need to check the tenant-level sync setting and review Conditional Access policies. You must have Global Admin or Conditional Access Administrator privileges to make changes. If you are not an admin, contact your IT department with the specific policy names listed below.

Check the Tenant Sync Setting in the Microsoft 365 Admin Center

  1. Open the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with an account that has Global Admin or SharePoint Admin permissions.
  2. Navigate to Org Settings
    In the left navigation pane, select Settings and then Org Settings.
  3. Open the OneDrive settings page
    In the list of services, select OneDrive.
  4. Verify the sync setting
    On the OneDrive settings page, look for the option Let users sync OneDrive files. If this toggle is set to Off, turn it On and select Save.
  5. Test sync
    On the affected user’s device, open the OneDrive sync client, then either sign out and sign back in or restart the sync app. Check if the error is resolved.

Review Conditional Access Policies in Azure AD

  1. Open the Azure AD admin center
    Go to entra.microsoft.com and sign in with a Global Admin or Conditional Access Administrator account.
  2. Navigate to Conditional Access
    In the left navigation, select Protection and then Conditional Access.
  3. Review all policies
    In the list of policies, look for any policy that targets All cloud apps, Office 365, or OneDrive specifically. Note each policy's Grant and Conditions settings.
  4. Check for device compliance requirement
    Open a policy that might block sync. Under Grant, if Require compliant device is selected, non-compliant devices are blocked. To allow sync from non-compliant devices, you can either remove this requirement or use a Session control instead of Grant. Do not disable the policy entirely without understanding its impact.
  5. Check for approved client app requirement
    Under Grant, if Require approved client app is selected, only apps that Azure AD recognizes as approved can sync. The official OneDrive sync app is approved. If the user uses a third-party tool, switch to the official app. If the official app is still blocked, ensure the policy includes Office 365 as a target cloud app.
  6. Check location conditions
    Under Conditions > Locations, if Any location is set to Block for specific IP ranges, users on those networks are blocked. Add the affected network to the allowed location list or modify the policy to exclude trusted IPs.
  7. Test sync after each change
    After modifying a policy, wait 1-2 minutes for propagation, then ask the affected user to restart the OneDrive sync client and attempt sync again.
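
The review in steps 3 to 6 can also be run offline over an export of the tenant's policies. The following is an added example, not part of the original article: it assumes the policies were exported as JSON in the Microsoft Graph conditionalAccessPolicy shape, and the policy names and sample data are constructed.

```python
import json

# Targets covering OneDrive: All cloud apps, Office 365, SharePoint Online app ID.
ONEDRIVE_TARGETS = {"All", "Office365", "00000003-0000-0ff1-ce00-000000000000"}
# Grant controls from steps 4 and 5, plus an outright block.
BLOCKING_GRANTS = {
    "block": "blocks access outright",
    "compliantDevice": "requires a compliant device",
    "approvedApplication": "requires an approved client app",
}
# Constructed sample export (assumed shape: Graph conditionalAccessPolicy objects).
SAMPLE = json.loads("""[
 {"displayName": "Require compliant device for O365", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Block untrusted locations", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "MFA for admins", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Approved apps pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"builtInControls": ["approvedApplication"]}}
]""")

def triage(policies):
    """Map each enforced policy that can block OneDrive sync to its reasons."""
    findings = {}
    for p in policies:
        if p.get("state") != "enabled":   # disabled and report-only do not enforce
            continue
        cond = p.get("conditions") or {}
        apps = (cond.get("applications") or {}).get("includeApplications") or []
        if not ONEDRIVE_TARGETS.intersection(apps):
            continue
        grants = (p.get("grantControls") or {}).get("builtInControls") or []
        reasons = [BLOCKING_GRANTS[g] for g in grants if g in BLOCKING_GRANTS]
        loc = cond.get("locations") or {}
        if reasons and loc.get("includeLocations"):
            excluded = ", ".join(loc.get("excludeLocations") or []) or "none"
            reasons.append("location-scoped, excluded: " + excluded)
        if reasons:
            findings[p["displayName"]] = reasons
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Policies in report-only mode are skipped because they log the outcome without enforcing it, so they cannot be the cause of a live sync block.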

If OneDrive Still Has Issues After the Main Fix

Sometimes the sync block persists even after the tenant setting and Conditional Access policies are corrected. The following scenarios explain additional causes and their fixes.

OneDrive Shows “Sync Is Blocked” After Policy Changes

The OneDrive sync client caches policy information. If you changed a policy but the client still shows the block, force a policy refresh. On the affected device, open OneDrive settings, go to the Account tab, and select Unlink this PC. Then set up sync again by signing in with the user’s credentials. This forces the client to download the latest policies from the tenant.

User Account Is Not Licensed for OneDrive

Even if the tenant sync setting is enabled, a user without a valid OneDrive license cannot sync. In the Microsoft 365 admin center, go to Users > Active Users, select the affected user, and verify that a license that includes OneDrive (such as Microsoft 365 Business Basic, Standard, or Premium) is assigned. If the license is missing, assign it and wait 30 minutes before testing sync.

OneDrive Sync Client Version Is Too Old

Some Conditional Access policies require the latest version of the OneDrive sync client. If the user is running an outdated version, the client may be blocked even if the policy is correctly configured. Instruct the user to download the latest OneDrive sync client from microsoft.com and install it. After installation, restart the client and test sync.

Tenant Sync Restriction vs Conditional Access Block: Key Differences

| Item | Tenant Sync Restriction | Conditional Access Block |
| --- | --- | --- |
| Configuration location | Microsoft 365 admin center > Settings > Org Settings > OneDrive | Azure AD admin center > Protection > Conditional Access |
| Scope | Applies to all users in the tenant | Applies to selected users, groups, or all users based on policy conditions |
| Typical error message | “Your organization turned off sync” or “Sync is disabled by your admin” | “Your device is not compliant” or “Your organization blocked this device” |
| Cause of block | Master switch set to Off | Device non-compliance, unapproved app, or restricted location |
| Fix | Turn on the sync toggle in admin center | Modify the Conditional Access policy to allow the user’s device or network |

Both restrictions can coexist. If the tenant sync setting is Off, no user can sync regardless of Conditional Access policies. If the tenant sync setting is On, Conditional Access policies can still block individual users or devices. Check the tenant setting first, then review Conditional Access policies.

After resolving the sync restriction, the affected user can now sync OneDrive files from their device. To prevent future blocks, verify that your device is enrolled in Intune and meets compliance requirements if your tenant uses device-based Conditional Access. As an advanced tip, use the What If tool in Azure AD Conditional Access to test policy changes before applying them to live users. This avoids accidentally blocking multiple users with a misconfigured policy.
