Enable conditional access support in the OneDrive sync app

Conditional access control capabilities in Microsoft Entra ID offer simple ways for you to secure resources in the cloud. The new OneDrive sync app works with the conditional access control policies to ensure syncing is only done with compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune).

For information about how conditional access works, see:

• Microsoft Entra Conditional Access

• Require managed devices for cloud app access with conditional access

• Configure Microsoft Entra hybrid join for managed domains

• Control access from unmanaged devices

Recommendations for Windows

We recommend using this feature on Windows together with silent account configuration for the best experience. The OneDrive sync app supports both device-based and location-based conditional access policies.

Known issues

The following are known issues with this release:

• If you create a new access policy after the device has authenticated, it may take up to 24 hours for the policy to take effect.

• In some cases, the user may be prompted for credentials twice. We're working on a fix for this issue.

• Certain AD FS configurations may require additional setup to work with this release. Run the following command on your AD FS server to ensure FormsAuthentication is added to the list of PrimaryIntranetAuthenticationProvider:

  Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

• If you enable location-based conditional access, users get a prompt about every 90 to 120 minutes by default when they leave the set of approved IP address ranges. The exact timing depends on the access token expiry duration (60 minutes by default), when their computer last obtained a new access token, and any specific conditional access timeouts put in place.