Restrict Access to OneDrive to Specific AD Groups

This is a quick post in which I will show you how to restrict access to OneDrive to specific AD groups. This is useful when you want to limit access to OneDrive to only a few users in your organization. This feature is available in the SharePoint admin center under Policies > Access Control > OneDrive access restrictions. If you don’t see this option it means you don’t have the required subscription.

Limitations

• Only available with Office E5/A5, Microsoft E5/A5 or SharePoint Premium subscriptions.
• Maximum of 10 AD groups can be added to the list.

Test Results: Open OneDrive

I decided to access OneDrive as a user that is not part of any of the allowed AD groups. Here are the results:

Why would you want to do this?

In my case, I had need to migrate a file share to OneDrive. I needed to find a way to restrict access to only a few users. It helped me to control the migration process and ensure users were not accessing the files before the migration was complete.

Can I simply remove the user’s access to the files?

Yes, you can remove the user’s access, but this can be time-consuming if you have a lot of OneDrive users. You will also need to use PowerShell. Another gotcha is that OneDrive sites don’t get provisioned until the user accesses them for the first time. This means that even if you think you have removed access, the user can still provision more OneDrive sites.

Conclusion

This is a great feature that can help you to restrict access to OneDrive to only a few users. It is easy to set up and can be done in a few minutes. If you have the required subscription, I recommend you give it a try.