
IBP – OneDrive – Restrict File Sync to Tenant ID

Best Practice Policies M1

🎯 Purpose

✅ Enforce OneDrive tenant‑restricted file synchronisation, meeting Essential Eight – User Application Hardening (Maturity Level 1) requirements.

➡️ This policy ensures Windows devices can only sync OneDrive files with the organisation’s tenant.


👥 Who is affected

Devices: All Windows 10 / 11 devices
🚫 Exclusions: None

➡️ Every managed Windows device must use the organisation’s OneDrive tenant only.


☁️ What access is protected

Service: Microsoft OneDrive (File Sync Client)
Accounts: Organisational tenant only
Platforms: Windows 10 / 11

➡️ Sync access to personal or external OneDrive tenants is blocked.


🔐 How OneDrive sync is enforced

✅ OneDrive sync restricted to approved tenant ID only
✅ Personal Microsoft accounts blocked
✅ External / partner tenants blocked
✅ User bypass not possible

➡️ Corporate files cannot be synced outside the organisation.

ℹ️ Note: This control applies to the OneDrive sync client only. It blocks accidental or deliberate syncing of corporate files into another tenant's OneDrive without changing how users work with the organisation's own tenant. Uploads made through a web browser to personal or external storage are outside its scope and are covered by the separate controls listed below.
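The script below is an added example for verifying on an endpoint that the restrictions listed above are actually in place; it is not part of this policy page or of the Intune configuration it describes. It reads the OneDrive policy registry keys that both Group Policy and Intune's ADMX-backed OneDrive settings write (AllowTenantList, DisablePersonalSync) and, for the current user, the tenant each configured sync account is signed in to. The tenant GUID in the usage line is a placeholder assumption, to be replaced with your own tenant ID. It also shows a point the checklist above does not make explicit: the tenant allow list governs organisational tenants only, and blocking personal Microsoft accounts needs DisablePersonalSync set separately.

```powershell
function Test-OneDriveTenantRestriction {
    <#
    .SYNOPSIS
    Checks a Windows endpoint for tenant-restricted OneDrive sync.
    Returns an object whose Compliant property is $true only if every check passes.
    #>
    param(
        # The organisation's tenant ID (GUID). The value in the usage line below is a placeholder.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$ExpectedTenantId
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $allowKey  = Join-Path $policyKey 'AllowTenantList'
    $findings  = [System.Collections.Generic.List[string]]::new()
    $allowed   = @()

    # Check 1: the allow list must exist and name only the organisation's tenant.
    # The ADMX/Intune list control stores one value per tenant; value name and data are both the GUID.
    if (Test-Path $allowKey) {
        $allowed = @((Get-Item $allowKey).GetValueNames() | Where-Object { $_ -ne '' })
        if ($allowed -notcontains $ExpectedTenantId) {
            $findings.Add("Expected tenant $ExpectedTenantId is not in AllowTenantList")
        }
        foreach ($tenant in ($allowed | Where-Object { $_ -ne $ExpectedTenantId })) {
            $findings.Add("Unexpected tenant in AllowTenantList: $tenant")
        }
    }
    else {
        $findings.Add('AllowTenantList key is missing: the sync client accepts any tenant')
    }

    # Check 2: AllowTenantList only restricts organisational tenants. Consumer Microsoft
    # accounts are blocked by the separate DisablePersonalSync value (DWORD 1) in the same key.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $props -or $props.DisablePersonalSync -ne 1) {
        $findings.Add('DisablePersonalSync is not 1: personal Microsoft accounts can still sync')
    }

    # Check 3 (current user): accounts already configured in the sync client.
    # Each business account records the tenant it signed in to (ConfiguredTenantId);
    # a subkey named 'Personal' means a consumer account is connected.
    $accountsKey = 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts'
    $configured  = @()
    if (Test-Path $accountsKey) {
        foreach ($acct in Get-ChildItem $accountsKey) {
            if ($acct.PSChildName -eq 'Personal') {
                $findings.Add('A personal OneDrive account is configured for the current user')
                continue
            }
            $tid = (Get-ItemProperty -Path $acct.PSPath -ErrorAction SilentlyContinue).ConfiguredTenantId
            if ($tid) {
                $configured += $tid
                if ($tid -ne $ExpectedTenantId) {
                    $findings.Add("Account $($acct.PSChildName) is synced to foreign tenant $tid")
                }
            }
        }
    }

    [pscustomobject]@{
        Compliant         = ($findings.Count -eq 0)
        AllowedTenants    = $allowed
        ConfiguredTenants = $configured
        Findings          = $findings.ToArray()
    }
}

# Usage (placeholder GUID; substitute the tenant ID shown in Entra ID > Overview):
Test-OneDriveTenantRestriction -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

Run it in the user's own session (not as SYSTEM) so that the third check sees the accounts configured in that user's sync client. Reading the HKLM policy key does not need elevation. Because Intune's OneDrive settings are ADMX-backed, they land in the same HKLM\SOFTWARE\Policies\Microsoft\OneDrive key as Group Policy, so the same check works regardless of which channel delivered the policy; an empty Findings array with Compliant = True is the expected result on a device where this policy has applied.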


⚙️ What this policy does NOT enforce

🚫 Conditional Access sign‑in controls
🚫 Device compliance checks
🚫 File classification or DLP rules
🚫 OneDrive sharing permissions

➡️ These controls are intentionally handled by separate IBP and M2/M3 policies.


🟢 Policy status

✅ Enabled
✅ Assigned to all devices
✅ Actively enforcing tenant‑restricted OneDrive sync


📘 Essential Eight Alignment

✅ Meets Essential Eight – User Application Hardening (Maturity Level 1)
✅ Prevents the OneDrive sync client from being used with unauthorised tenants or personal accounts
✅ Reduces data leakage and shadow IT risk
ℹ️ Advanced cloud storage controls and DLP uplift are addressed in Maturity Levels 2 and 3


📘 Practical Interpretation (Executive‑Friendly)

This OneDrive policy ensures that:

✅ Corporate files
✅ On Windows devices
✅ Can only be synced to the organisation’s OneDrive tenant
✅ And cannot be synced by the OneDrive client to personal or external OneDrive accounts

This establishes a high‑value, low‑impact storage security baseline required by Essential Eight Maturity Level 1 and provides a clear foundation for stronger cloud data protection in higher maturity levels.
