June 20, 2017

Restrict OneDrive For Business Access

810 Views

OneDrive For Business is an integrated service in O365 which originates with its root in SharePoint online. And a very generic need in most of the organization is that they do not want their users to be able to sync files and folders from OneDrive For Business or a part of users to be restricted from use of this feature. The challenge is, how this can be prevented for users when they may have already started syncing their files. This article shows you the ways, which are more essential and the precautionary steps needed to implement this.

Caution: Before the implementation, every user must be informed to take the backup of files which have already been uploaded to OneDrive.

Step 1: Disabling OneDrive Icon from the app-launcher.

This steps are needed to wrap up the situation when we have not planned yet that how many users in the organization will be allowed to use the OneDrive and based on that, we will be creating a security group and adding the users to that group. In addition, the new users created in that time should not able to see the OneDrive for Business icon and create the personal site. Hence, we want this icon to disappear for all the users. However, the existing sync will still be same. To do that, go to the SharePoint admin Center >> Settings >> At the "Show or Hide Options" for OneDrive for Business, toggle to "Hide" button.

Then scroll down and there is one more choice to hide "OneDrive Sync Button" and we need to toggle to "Hide the Sync button".

After the change, the OneDrive icon will not appear in app-launcher for all users.

Step 2: Removing permission to prevent users from automatic creation of personal site.

Login as Global Admin in the tenant, Open “SharePoint Admin Center” then Go to "User Profiles" and Click on "Manage User Permissions"

Here, we will remove the permission for group of users or everyone and they will not be able to create personal site and sync files using OneDrive apps.

Step 3: Breaking communication of synced files in personal site.

To stop syncing of existing files and folders, we need to break down the communication created by users. The way to do it, the personal site needs to be dropped. This is only the synchronization channel made to sync files using OneDrive app and web.

The site URL for the OneDrive sync will look like here https://<tenantname>.my.sharepoint.com/personel/<username>_<tenantname>_onmicrosoft_com/_layouts/15/OneDrive.aspx

Now change the switch at the end "OneDrive.aspx” to "Deleteweb.aspx". and Click the "Delete" button.

Double check that you are doing for right person and click the “OK” button.

After that the personal site will not be accessible for the user.

And the synchronization will be stopped.

Caution: But the above steps are requires user credential and you won’t be allowed to remove personal site for others, even you are the Global Admin for this tenants. Keep reading to know how you can do it for all the users.

Step 4: Adding site collection owner (administrative access to others personal site).

Here we will remove the personal site of other users administratively. Hence, we need to add Global Admin as “Site Collection” owner. Login as “Global Admin” and Open “SharePoint Admin Center” then Go to “User Profiles” and under the “People” click on “Manage User profiles”.

Search for the User Profile for whom you wish to delete the OneDrive site. Select drop down menu against the User Profile. Select "Manage site collection owners"

Add the Global Admin in "Primary Site Collection Administrator" and "Site Collection Administrator".

Again select the drop down list against the displayed userprofile and select "Manage Personal Site"

And here the Global Admin will get the access of "Personal Site".

We will change the switch "Deleteweb.aspx" replacing the switch "OneDrive.aspx" in the url to invoke the hidden delete site page. After that we will be able to remove the Personal Site.

Click "OK" to go ahead.

Step 5: Enabling OneDrive For Business only for specific users

If the managemnet of the organization decides that OneDrive will be allowed for specific group of users then we need the work around to make it work. Here, we will show the process to do it.

So, the sync button must be set to show at the tenant level unlike the previous step where we had set to  “hide”. This will allow the icon appear to all users in app-launcher but users won’t be able to access the onedrive since we have removed permission for all the users and removed the personal site.

If user want to reconfigure the OneDrive using his credential they can’t do it either.

They will get the error like below.

If they try to access in web by clicking “OneDrive” icon, they will be automatically redirected to “Delve”.

Now we want the specific group of user to be allowed to use “OneDrive”.  Hence, we will add the specific user or security group and enable “Create Personal Site”. Then they will able to accecss OneDrive.

Refer Step 2 to open site permission of a specific user onedrive page and the permission dialog is opened up as below:

Select appropriate permission level you wish to add as shown below.

Viewers please leave your comment if any of the area we need to be more descriptive or anything which is needed more clarity. Thanks for reading this.

Leave a Reply

Your email address will not be published. Required fields are marked *