OneDrive guide for enterprises
With OneDrive for Business, you can easily and securely store and access your files from all your devices. You can work with others regardless of whether they’re inside or outside your organization and terminate that sharing whenever you want. OneDrive helps protect your work through advanced encryption while the data is in transit and at rest in data centers. OneDrive also helps ensure that users adhere to your most rigorous compliance standards by enabling them to choose where their data lives and providing detailed reporting of how that data has changed and been accessed. OneDrive connects you to your personal and shared files in Microsoft Office 365, enhancing collaboration capabilities within Office 365 applications. With OneDrive on the web, desktop, or mobile, you can access all your personal files plus the files shared with you from other people or teams, including files from Microsoft Teams and SharePoint.
Why deploy OneDrive?
OneDrive provides a robust but simple-to-use cloud storage platform for small businesses, enterprises, and everything in between. Unlike other cloud storage providers, most of the advanced enterprise-focused features in OneDrive are available for every subscription type, enabling companies to use OneDrive in whatever way benefits their business the most – whether that’s simply a cloud-based file share for a small business or a highly utilized storage system that provides the basis for all collaboration within an enterprise. At its core, however, OneDrive enables you to securely share and work together on all your files. With OneDrive, you can:
Access files from all your devices. Access all your personal files and those files others share with you on all your devices, including mobile, Mac, and PC as well as in a web browser.
Share inside or outside your organization. Securely share files with people inside or outside your organization by using their email address, even if they don’t have a Microsoft Services Account. This common sharing experience is available in the web, mobile, and desktop versions of OneDrive.
Collaborate with deep Microsoft Office integration. Document coauthoring is available in the Office web apps, Office mobile apps, and Office desktop apps, helping you maintain a single working version of any file. Only OneDrive provides coauthoring capabilities in Office apps across all your devices.
Quickly find files that matter most. Finding content in your OneDrive is simplified through the intelligence of the Microsoft Graph application programming interface. This technology simplifies finding what’s important by providing file recommendations based on your relationship to other people, how you received various files, and when you last accessed them.
Protect your files with enterprise-grade security. OneDrive has many security and compliance features, enabling you to meet some of the strictest compliance requirements out there.
The Microsoft 365 family of products, which includes Office, Microsoft Outlook, SharePoint, Teams, OneDrive, and Yammer, provides a complete, intelligent, and secure solution to empower employees. Together, the Microsoft 365 applications unlock creativity and encourage teamwork through product integration and a simple user experience, all while providing intelligent security to help keep your data safe. In addition, Microsoft Graph enables you to interact with and report on the data within many of the Microsoft 365 applications.
Key OneDrive features
Unlike most other cloud storage providers, OneDrive makes most of its advanced features available to all subscription types. This gives smaller organizations the flexibility to use standard features out of the box, and configure advanced features based on the needs of their organization.
The features listed in this section address common customer concerns or specific compliance requirements, or provide unique functionality available only in OneDrive:
Known Folder Move
OneDrive Files On-Demand
Real-time team collaboration: Coauthoring in full versions of Microsoft Word, Excel, and PowerPoint
Seamlessly connecting files to conversations
Intelligent discover with OneDrive Discover view
OneDrive Files Restore
Data loss prevention (DLP)
Auditing and reporting
Encryption of data in transit and at rest
Customer-controlled encryption keys
Office 365 Customer Lockbox
Hybrid integration with SharePoint Server
OneDrive Multi-Geo storage locations
For a full list of feature availability across OneDrive plans, see Microsoft OneDrive. More in-depth descriptions for some of these features can be found below.
Known Folder Move
Known Folder Move makes it easier to move files in your users' Desktop, Documents, and Pictures folders to OneDrive. This lets users continue working in the folders they're familiar with and access their files from any device. It also helps you make sure your users' files are backed up in the cloud if anything happens to their device. For more info, see Redirect and move Windows known folders to OneDrive.
OneDrive Files On-Demand
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from within File Explorer without downloading them all to their device. The feature provides a seamless look and feel for both OneDrive and local files without taking up space on the local hard drive. Files that have not been downloaded have a cloud icon for their status, as shown below. For those files that have been downloaded, the status shows a green checkmark.
Natively, files will be downloaded only when you need to access them. However, if you plan to access a file while disconnected from the internet, you can simply make the file available offline by right-clicking it, and then selecting Always keep on this device. Alternatively, if you want to free space on your device and remove the downloaded copy of a file, right-click the file, and then select Free up space. The following image shows the right-click menu for OneDrive files on a computer running the Windows operating system.
For more information about OneDrive Files On-Demand, see Learn about OneDrive Files On-Demand.
OneDrive integrates with Outlook to allow seamless sharing of OneDrive files that appear just like email attachments. This feature provides a familiar sharing experience but centralizes storage of attachments in OneDrive, providing collaborative benefits such as version control typically lost when users email documents back and forth. In addition, you can configure sharing permissions on the files directly from within the Outlook client. See the following image for an example of a document in OneDrive being attached as a link to an email as well as the experience of changing the sharing permissions on the link.
To reduce the potential for confusion when users choose to add a copy versus a link to attached OneDrive files, you can set the default behavior of the Outlook client, as demonstrated in How to control default attachment state when you attach a cloud file in Outlook.
The OneDrive Files Restore feature enables users to restore files to any point over the past 30 days. To select the desired recovery time, OneDrive presents users with a histogram that shows file activity so that they can determine which recovered time meets their needs. From there, users can simply select the file history entry to which they want to restore, and all changes after that point will be rolled back. The following image shows the Files Restore experience for a user.
In addition, because the histogram shows individual activity on a file, users can employ this feature to quickly view their files’ modification history. For more information about this feature, see Restore your OneDrive.
OneDrive has a recycle bin similar to the one available on the Windows desktop. Deleted files are moved to the recycle bin and kept for a designated time before being permanently deleted. For work or school accounts, deleted files are purged after 93 days unless configured otherwise. For a demonstration of how the recycle bin works, see Restore deleted files or folders in OneDrive.
Auditing and reporting
OneDrive has detailed reporting and auditing capabilities for files it stores as well as for those files stored through other services that use OneDrive for storage, such as Microsoft SharePoint Online. In addition, you can audit individual file actions, including downloads, renames, and views.
The Office 365 admin center handles reporting for cloud services, including OneDrive. You can view historical information like storage usage by user and for the organization, total file and active file counts, and account activity. The following image shows an example of a OneDrive report in the Office 365 admin center: file usage over the past 30 days.
You can also export this information to a .csv file by selecting Export.
You can also consume this information in Power BI by using the Microsoft 365 usage analytics content pack. Using this content pack, you can visualize and analyze Office 365 usage data by using prebuilt graphs and charts or by creating custom reports to gain insights into how specific regions or departments within your organization are using Office 365. For more information this content pack, see Microsoft 365 usage analytics.
Encryption of data in transit and at rest
OneDrive uses advanced data-encryption methods between your client and the data center, between servers in the data center, and at rest. At rest, OneDrive uses disk encryption through BitLocker Drive Encryption and file encryption to secure your data. Each file is encrypted with its own encryption key; anything larger than 64 KB is split into individual chunks, each of which has its own encryption key locked in a key store.
Each file chunk is then randomly distributed among Microsoft Azure storage containers, and a construction map for the complete file is stored in a separate secure content database. For attackers to access the file, they would need all the file chunks, the keys, and the map—a highly improbable task. For more information about this process, see Data Encryption in OneDrive for Business and SharePoint Online.
Customer-controlled encryption keys
By using an Office 365 feature called service encryption with Customer Key, you can upload your own encryption keys to Azure Key Vault for use encrypting your data at rest in Azure data centers. Even though this encryption is done natively through BitLocker, customers can require the use of their own key to meet their security compliance requirements. Should users lose their key, they can retrieve a deleted key from the Recycle Bin for up to 90 days (based on your configuration). Before you can use this feature, however, you must create an Azure subscription and complete a few prerequisite steps. For detailed information about service encryption with Customer Key and how to configure it in your environment, see Controlling your data in Office 365 using Customer Key.
Office 365 Customer Lockbox
If a Microsoft support engineer needs to access your data to resolve an issue, that engineer is required to obtain approval from a Microsoft manager first. The Office 365 Customer Lockbox feature adds a requirement to that process: you must approve or reject that access before the support engineer can access your data. With Customer Lockbox, you can also set boundaries on how long the engineer can access your data, and all activity during that time is logged for auditing purposes. For more information about how to configure and use the Customer Lockbox feature, see Office 365 Customer Lockbox Requests.
Microsoft Trust Center
Microsoft Trust Center provides information about Microsoft’s trust policy, how Microsoft products help you protect your data and maintain your customers’ and users’ trust, and why you should trust Microsoft products with your data. The following two categories provide details about Office 365 and OneDrive data privacy, compliance, and security:
Office 365 Trust Center. Privacy, compliance, and cybersecurity are as important to Microsoft as they are to you. For information about how Office 365 can help you increase employee productivity while helping you safeguard your data, see Microsoft Office 365 in the Microsoft Trust Center. For information about why you should trust Microsoft, Office 365, and OneDrive with your data, see Office 365 Trust Center.
General Data Protection Regulation (GDPR). This new European Union regulation changes how companies are required to handle data and the transparency with which they collect it. Windows 10 and Office 365 with OneDrive give you GDPR-compliant tools; you simply need to incorporate those tools into your overall data integrity story. For answers to some common questions about GDPR compliance with OneDrive and SharePoint, see GDPR Compliancy with OneDrive and SharePoint. For a complete list of helpful resources about GDPR, see Resources for GDPR compliance. For additional helpful information about OneDrive, see the Microsoft OneDrive Blog.
OneDrive Multi-Geo storage locations
Multi-Geo is an Office 365 feature that allows organizations so span their storage over multiple Office 365 geo locations and specify in which of those to store users’ data. You can designate storage geographies on a per-user basis.
For multinational customers with data residency requirements, you can use this feature to ensure that each user’s data is stored in the geo location necessary for compliance. For more information about this feature, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365.
OneDrive is available in Office 365 U.S. Government plans. For information about these plans, see Office 365 U.S. Government.
Deployment and management options
You can deploy and manage OneDrive in many ways, but certain options make more sense in larger organizations than in smaller businesses and vice versa. For example, it likely wouldn’t make sense to have an enterprise management solution like Microsoft System Center Configuration Manager for a business that has just 10 employees. Table 1 outlines the deployment and management tools typically used for small businesses, medium-sized businesses, and enterprises.
Keep in mind that an organization in one size category would probably incorporate additional options from other size categories. This table is not intended to exclusively identify a technology with a specific business size.
|Size of organization||Deployment tools used||Management|
|Small business||Local installation||OneDrive admin center|
|Medium-sized business||Scripted installation or Microsoft Intune mobile device management (MDM)||Office 365 with MDM, OneDrive admin center, Intune mobile application management (MAM) or MDM|
|Enterprise||System Center Configuration Manager with Intune or Windows Autopilot||System Center Configuration Manger, Group Policy objects (GPOs), etc.|
Depending on where your organization fits in this table and the technologies available to you, you can choose which portion of this guide to use. For example, if you run a small business, you may want to keep your OneDrive deployment simple by installing the sync client manually on your employees’ computers and using the OneDrive admin center to manage a few settings for your users. Alternatively, if you’re running an enterprise, you may choose to deploy and manage OneDrive by using advanced tools like System Center Configuration Manager and Group Policy, and you could use the sections that correspond to those tools, instead. To accommodate various situations, the deployment and management portions of this guide are in a modular format so that you can consume the document in the way that best aligns with your deployment needs and capabilities. This format also provides visibility into alternate technologies to improve your current processes.
Client and app requirements. Even though you can upload, download, and interact with your OneDrive files from a web browser, the ideal OneDrive experience comes from the Windows and Mac sync clients and the iOS and Android mobile apps. With that in mind, OneDrive is available for most operating systems and browsers and requires minimal hardware. For a full list of client and app requirements for using OneDrive, see OneDrive system requirements.
License requirements. There are multiple methods by which you can acquire a license for OneDrive. However, a few OneDrive features are available only within certain licensing models. For information about the licensing requirements for OneDrive, its advanced features, and any special licensing required for them, see Office 365 plans.
When deploying any new technology, there’s always an ideal process to follow to ensure that you deploy it correctly. This section covers the high-level planning and deployment steps to help ensure that your OneDrive deployment is successful.
OneDrive deployment can be as simple as a local installation and may not require all the steps in this section. For example, the “Determine devices” and “Align technologies” sections may not be applicable to small business interested in performing a simple installation of OneDrive.
Your organization doesn’t have to manage all connected devices for them to use OneDrive, but securing and managing the interaction with the data do require a layer of management capabilities. Start by determining which types of devices—iOS, Android, Windows 10—require access to OneDrive and who owns them (the business or the employee). Put this information in a spreadsheet to help you determine which capabilities you need from your technology solutions. Some management options are more suitable for devices that the company owns and manages. Regardless of the platform running OneDrive and who owns it, the following management options are available to you:
OneDrive admin center
Office 365 MDM
Intune MDM or MAM
For Windows 10 client devices that are joined to a domain, you have the additional option of using GPOs for management. Also, for those devices that are company owned and managed, you can use System Center Configuration Manager to deploy OneDrive.
When you've identified the devices that require access to OneDrive, you then identify the technology options available to you or that align with your organization’s size. If you’re considering implementing a new deployment and management solution, the table in How organizations deploy and manage OneDrive lists the technologies that make the most sense based on organization size. Using this information, you can align the technologies you need or already have with the deployment and management capabilities that fit the devices you need to manage.
Deploy, secure, and manage OneDrive
You deploy, manage, and secure OneDrive based on the tools you chose in the previous steps. Each technology has different deployment, update, and management options, so when deploying OneDrive, you must first consider whether you need to upgrade existing client machines. Also, securing OneDrive may include both client-side and cloud service–side configuration. Finally, be sure to consider data compliance requirements, such as dedicated storage regions.
Because OneDrive provides access to files on many kinds of devices, it restricts the use of certain characters, file names, and folder names. In addition, certain features are available only in the Windows operating system. For a full list of these and other limitations of OneDrive, see Invalid file names and file types in OneDrive, OneDrive for Business, and SharePoint.
Feature releases and requests
If you want to see the functionality currently under development for OneDrive and Office 365, check out the Office 365 Roadmap or the Microsoft OneDrive Blog. Finally, if you want to request new functionality or vote on great community ideas for OneDrive, visit OneDrive UserVoice.
Keys to successful user adoption
User adoption is important to the overall success of any new application. Ideally, to feel that you have maximized your investment in Office 365 and OneDrive, you need to maximize user engagement with them. To do that, start by focusing on three critical success factors:
Stakeholders. Securing the participation and buy-in of key people within your organization is critical to successful user adoption. This support can come from business-focused leaders, IT leadership, or anyone else who has a vested interest in seeing OneDrive and Office 365 succeed in the organization. It is important to have both executive or business leader support and product champions to help carry the knowledge to their peers. Whether you’re formally delegating the product champion role or allowing it to grow organically, champions are mission critical to user adoption. In fact, a SharePoint user study in 2013 showed that people prefer to learn from a coworker than from an IT employee. For more information about how to identify key stakeholders for your OneDrive and Office 365 implementation, see the Identify key stakeholders guide. For more information about building a sustainable champion community, see Build a champion program.
Scenarios. When planning to implement OneDrive and Office 365, identify and define your business scenarios and how those scenarios align with the benefits of implementing OneDrive and Office 365. Work with your key stakeholders to identify the goals of the business scenarios, and then match those goals against usage scenarios. For example, a business goal may be to maximize user productivity; a key usage scenario enabling that goal would be using OneDrive to access files from mobile devices, PCs, and Macs. For help with this process, see the Office 365 Productivity Library.
Awareness and training. Creating awareness through awareness campaigns such as announcements, launch events, newsletters, town hall meetings, contests, and giveaways is a critical path to maximizing adoption. In addition, providing users with knowledge through classroom-style sessions and self-help guides helps them feel empowered to use OneDrive and Office 365. For more information about user communication and training on Office 365, see the Plan your Office 365 Launch: Communication and Training Guide.
Many resources are available from Microsoft to help you drive user adoption within your environment. For more information about a recommended Microsoft 365 user adoption strategy, see the Microsoft 365 End User Adoption Guide. For more information about driving user engagement, see Success Factors for Office 365 End User Engagement. You can also contribute to or comment on adoption-related ideas in the Driving Adoption Tech Community.
Preparing your environment
Before you deploy OneDrive, prepare your environment.
A variety of factors can impact the amount of network bandwidth used by OneDrive. For the best experience, we recommend that you assess this impact before doing a full OneDrive deployment across your organization. The article Network utilization planning for the OneDrive sync client includes the recommended process for determining your network bandwidth needs for OneDrive. Be sure to include this as part of your deployment plan.
If you have data residency requirements, consider OneDrive Multi-Geo. With OneDrive Multi-Geo, you can specify a preferred data location (PDL), from available locations around the world, for each user’s OneDrive. For detailed information about OneDrive Multi-Geo, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365.
If you plan to deploy OneDrive Multi-Geo, there are two user scenarios:
Users who start using OneDrive before you configure OneDrive Multi-Geo – their OneDrive will be located in the central location once you configure OneDrive Multi-Geo. If you need to move a user's OneDrive to a different geo location, follow the steps in Move a OneDrive site to a different geo-location to the.
Users who start using OneDrive after you configure OneDrive Multi-Geo – you can configure their preferred data location as part of your general user onboarding process and their OneDrive will be created in the appropriate geo location.
Features such as file sync and mobile device management work normally in a multi-geo environment. There’s no special configuration or management needed. The multi-geo experience for your users has minimal difference from a single-geo configuration. See User experience in a multi-geo environment for details.
If you plan to configure OneDrive Multi-Geo prior to deploying OneDrive for your users, read Plan for OneDrive for Business Multi-Geo and follow the steps in OneDrive for Business Multi-Geo tenant configuration.
Do you plan to use OneDrive Multi-Geo?
Will you have OneDrive Multi-Geo fully configured before your users start using OneDrive?
If you currently use OneDrive or MySites in SharePoint Server on-premises, we highly recommend deploying hybrid OneDrive. With hybrid OneDrive, users are redirected from their on-premises OneDrive to OneDrive in Office 365. Hybrid OneDrive allows for seamless navigation to OneDrive in the cloud from both SharePoint on-premises and Office 365.
When you deploy hybrid OneDrive, the OneDrive links in the SharePoint Server ribbon and app launcher will point to OneDrive in Office 365. If your users have files in on-premises OneDrive, they may have trouble accessing them unless they’ve bookmarked the old URL. It’s important to have a migration plan for these files before you deploy hybrid OneDrive. See Migrating data later in this article for migration options.
If you don’t use OneDrive in SharePoint Server, but you do have an on-premises SharePoint environment, you may still want to consider deploying hybrid OneDrive. Doing so will update the OneDrive navigation links in SharePoint Server to point to OneDrive in Office 365 – again, giving your users seamless navigation to OneDrive in the cloud from either location.
For more information about how to configure OneDrive in a hybrid scenario and how it works, see Plan hybrid OneDrive for Business.
SharePoint hybrid has a variety of features to create a seamless experience when using both SharePoint Server and SharePoint Online. If you’re planning to configure hybrid OneDrive, consider including other SharePoint hybrid features for a better overall user experience. See Explore SharePoint Server hybrid for more information.
Once you’ve migrated your users’ files from on-premises OneDrive and configured hybrid OneDrive, you can reduce the quota for your on-premises OneDrive top-level site collection to a minimal value to save disk space.
Do you want to deploy hybrid OneDrive?
Do your users have OneDrive on-premises data that needs to be migrated to OneDrive in Office 365?
OneDrive shares can contain sensitive information that could damage your organization if it were shared with the wrong people. This section provides information about how to help prevent accidental data leakage and protect your data by controlling who can access it.
Information rights management–protected file synchronization
If you’re using information rights management (IRM), OneDrive can synchronize those file libraries and provide a seamless experience for users. For detailed information about how OneDrive handles IRM, see How Office applications and services support Azure Rights Management. For OneDrive to synchronize these IRM-protected libraries, however, additional configuration is required, including deploying the latest Rights Management Services (RMS) client to your users’ computers. For details about the additional configuration required for OneDrive to support IRM libraries, see SharePoint Online and OneDrive for Business: IRM Configuration.
Windows Information Protection
You can use Windows Information Protection (WIP) to help prevent data leakage by deploying application or device policies that restrict how your employees can store, access, and use your organization's data. For example, you can restrict users to synchronizing files that contain company data only to OneDrive and not to personal cloud storage providers like Dropbox. For information about how to use WIP, see Protect your enterprise data using Windows Information Protection (WIP).
If you’ve decided to use Windows Information Protection with OneDrive, see the following resources to set up your Windows Information Protection policies:
Azure Information Protection
Azure Information Protection is a cloud-based solution that helps organizations classify, label, and protect their documents and emails. This classification can occur automatically when administrators define rules and conditions; manually by users; or both, where users receive recommendations. Users can synchronize Azure Information Protection–protected files to OneDrive after you have configured their accounts to do so.
For more information about Azure Information Protection, see What is Azure Information Protection? You can add Azure Information Protection to your Office 365 subscription on the Subscriptions page of the Microsoft 365 admin center.
If you have decided to use Azure Information Protection, see Office 365: Configuration for clients and online services to use the Azure Rights Management service to configure the necessary settings for it to work with OneDrive.
OneDrive integration with other Office 365 features
OneDrive integrates with many other applications, such as SharePoint, Teams, and Yammer. With that integration comes the necessity to protect the data stored in OneDrive. When considering security, for example, think about potential leakage scenarios through each integrated application and apply WIP, IRM, Azure Information Protection, or another protection option to help prevent unauthorized access. For information about how these products integrate with each other to provide a better collaboration solution and how they can introduce additional vectors for data leakage, see How SharePoint Online and OneDrive for Business interact with Microsoft Teams.
Using the OneDrive admin center, you can specify sharing options such as the default sharing type for users, with whom they can share, and how long sharing links remain active.
These are the key decisions around sharing for OneDrive:
Do you want to allow external sharing? If you enable external sharing for OneDrive, your users will be able to share files and folders with people outside your organization.
If you allow external sharing, do you want to allow unauthenticated users? If you enable sharing with Anyone, users can create sharable links that don’t require sign-in.
What do you want the default sharing link to be? Users can choose which type of link to send (Anyone, Internal, or Direct), but you can choose the default option that is presented to users.
Do you want to restrict external sharing by domain? You can restrict external sharing to specific domains or prevent sharing with specific domains.
Note that the OneDrive sharing settings are a subset of the SharePoint Online sharing settings. If you want to allow external sharing in OneDrive, it must be enabled for SharePoint Online.
When a user leaves your organization and you’ve deleted that user’s account, what happens to his or her data? When considering data retention compliance, determine what needs to happen with the deleted user’s data. For some organizations, retaining deleted user data could be important continuity and preventing critical data loss. The default retention policy for deleted OneDrive users is 30 days. You can configure the setting to a range between 0 days and 3,650 days (ten years).
- What data retention time do you need for your organization?
A key task in deploying OneDrive for your organization is a plan to migrate your users existing files to OneDrive. Depending on where these files are kept, there are several options, discussed below. You can choose one or more of these options depending on the number and location of files that you need to migrate.
Another planning consideration is who will be migrating the data. Normally, a user’s OneDrive is created the first time they access OneDrive. If you will be migrating your users’ files on their behalf before they begin using OneDrive, you may need to pre-provision OneDrive for each of them. (This can be done with a PowerShell script.)
Keep in mind that any of the migration options listed below may result in a surge of network activity as large numbers of files are migrated to OneDrive.
Which of the following migration methods do you want to use?
Are you configuring hybrid OneDrive? (See the hybrid section of this article for the considerations around this option.)
Do you need to pre-provision OneDrive for your users? (Are you migrating files before users have started using OneDrive?)
Files in on-premises OneDrive or MySites libraries
If users' existing files are in on-premises SharePoint, OneDrive, or MySites, you can use the SharePoint Migration Tool to migrate the files to Office 365.
For detailed information about the SharePoint Migration Tool, see How the SharePoint Migration Tool works.
The SharePoint Migration Tool can be used by your IT department to migrate files on their behalf. This is the recommended method of migration for files in an on-premises SharePoint farm.
Files on users' local disk in known folders
If user files are located in Windows known folders such as their desktop, Documents, or Pictures, you can use Known Folder Move. Known Folder Move enables users to select known folders to automatically synchronize to OneDrive. You can add this feature during the initial setup of OneDrive or after it has been configured. This capability provides a simple migration option for users looking to add known folders to their existing list of synchronized folders.
Known Folder Move can be configured by administrators to automatically redirect known folders for all users on the domain. It's an easy way to migrate files kept in these locations.
Files in other local disk folders
If users have their additional work files in various locations on their computers, it's often easiest for them to manually move the files to OneDrive. After you deploy the OneDrive sync client to your users' computers, you can instruct them to move their work files to the OneDrive folder on their computer.
Migrating with FastTrack
FastTrack is a Microsoft benefit that is included in your subscription. FastTrack provides you with a set of best practices, tools, resources, and experts committed to making your experience with the Microsoft Cloud a great one! Guidance around OneDrive onboarding, migration, and adoption are included in the benefit offering. This guidance includes: help to discover what’s possible, creating a plan for success, and onboarding new users, providing guidance on migrating content from file share, Box, or Google Drive source environments, and introducing capabilities at a flexible pace, your pace! FastTrack guidance provides enablement of both OneDrive for Business and getting the source environment ready for your transition. In addition, the FastTrack data migration benefit will also perform specific data migration activities on behalf of you, the customer, for those with 500 or more licenses. See more details in the provided FastTrack Center Benefit Overview. Interested in getting started? Visit FastTrack.Microsoft.Com, review resources, and submit a Request for Assistance.
Even though you can upload, download, and interact with your OneDrive files from a web browser, the ideal OneDrive experience comes from the Windows and Mac sync clients and the iOS and Android mobile apps. OneDrive is available for most operating systems and browsers and requires minimal hardware. For a full list of client and app requirements for using OneDrive, see OneDrive system requirements.
If you already have the OneDrive client installed on Windows devices, start by determining the version or versions of OneDrive in your environment. Depending on your findings, you may need to change your deployment process to accommodate the current version (for example, run takeover commands in PowerShell to ensure that data sync responsibilities transition to the new client). To determine which version of OneDrive you’re currently using, see Which version of OneDrive am I using?
Upgrade from the Groove sync client to the OneDrive sync client
If you currently have the old OneDrive sync client (Groove.exe), then you’ll need to follow a slightly different process to upgrade to the new sync client. If you had more than 250 licensed users before June 2016, you may need to run a takeover command to continue syncing existing libraries using the new client. For detailed information about this process (and caveats), see Transition from the previous OneDrive for business sync client.
Sync client update process
You can update the OneDrive sync client in two waves:
Production ring – in this ring, you get new features and improvements sooner – as soon as they’ve been validated within Microsoft.
Enterprise ring – in this ring, changes are rolled out after they’ve been validated in the Production ring, reducing the risk of issues.
This setting is configured by using group policy.
For details about the update process for the OneDrive sync client, see The OneDrive sync client update process.
To find out about new features available in current OneDrive updates as well as the current and historical version numbers, see New OneDrive sync client release notes.
- Which ring do you want to use for updates to the OneDrive sync client?
After you have planned your rollout, configure any settings you need before you begin deploying apps to your users:
Specify settings for sharing links and control external sharing: Manage sharing
To manage the sync client deployment centrally, prevent users from installing the sync client when they go to their OneDrive in a web browser: Prevent installation
To make sure that users sync OneDrive files only on managed computers, configure OneDrive to sync only on PCs that are joined to specific domains: Allow syncing only on specific domains
To prevent users from uploading specific file types, such as exe or mp3 files: Block file types
Set the default storage space for your users: Set the default storage space
Specify how long you want to retain a user's OneDrive files when the user is deleted: Set OneDrive retention for deleted users
To prevent users from accessing OneDrive and SharePoint content on devices outside of specific domains, or from apps that don't use modern authentication: Control access based on network authentication or app
To control user access to features in the OneDrive and SharePoint mobile apps: Control access to mobile app features
You have several different options for deploying OneDrive: manually, using scripting, using Windows AutoPilot (for the sync client on Windows), using an MDM such as Intune, or using SCCM.
The OneDrive sync client is included as part of Windows 10 and Office 2016. You do not need to deploy the sync client to devices running these, though you may need to update the sync client to the latest version.
Install OneDrive apps and sync clients manually
Although not particularly scalable, you always have the option of installing OneDrive manually on a device. For some devices, this process may be as simple as installing an app. For others, you may need to delete older versions of OneDrive first. This section walks you through the manual installation and configuration of OneDrive on iOS and Android mobile devices, Windows devices, and computers running macOS.
Manually install and configure OneDrive on a mobile device
Installing the OneDrive app on a mobile device is simple: users can download the app from the app store on any Android, iOS, or Windows mobile device. To simplify the manual installation process even further, users can go to https://onedrive.live.com/about/download and enter the mobile phone number of their device. Microsoft will send a text message to the mobile device with a link to the app in the device’s app store. Once installed, users can start the configuration process by opening the app and responding to the prompts.
Send your users the following links to set up OneDrive on their mobile devices:
Manually install and configure OneDrive on a Windows device
Manually installing OneDrive on a Windows device may or may not be necessary: many devices may already have it, either because the user installed Microsoft Office 2016 or simply because the device runs Windows 10, both of which include the OneDrive client by default. For devices running older versions of Windows or on which Office 2016 is not installed, you can download the new OneDrive sync client for Windows from https://onedrive.live.com/about/download.
You may be required to uninstall an old version of the OneDrive sync client before you can install the new one. If so, you will receive a notification stating that you must uninstall the previous version before you can proceed.
To manually configure OneDrive on a Windows device, see Sync files with the OneDrive sync client in Windows.
Manually install and configure OneDrive on a macOS device
For information about installing the OneDrive app on a computer running macOS or adding a work account to an existing installation, see Sync files with the OneDrive sync client on Mac OS X.
Install OneDrive on Windows devices by using scripting methods
To silently install the OneDrive sync client on an individual computer, run the following command:
To silently update the OneDrive sync client, run the following command:
For information about enabling silent account configuration, see Silently configure user accounts.
Deploy and configure OneDrive through Windows AutoPilot
Windows AutoPilot provides a simple way to deliver PCs to users. It is an alternative to the traditional system imaging you typically perform when provisioning a new computer or repurposing an existing computer for a user. Rather than using deployment tools such as System Center Configuration Manager, you can register your hardware information in Azure and use a deployment profile to control the out-of-box experience and register the device in Azure Active Directory (Azure AD).
From there, Intune can deploy apps such as OneDrive to the device automatically. To deliver OneDrive during this process, complete the configuration steps in Deploy OneDrive by using Intune.
For an overview of Windows AutoPilot, see Overview of Windows AutoPilot.
Deploy OneDrive by using Intune
To deploy the OneDrive sync client to Windows 10 or the mobile apps to Android or iOS, follow the steps in Deploy OneDrive apps by using Intune, or take a look at the following video.
Deploy OneDrive by using System Center Configuration Manager
To deploy the OneDrive sync client to Windows or the mobile apps to Android or iOS by using System Center Configuration Manager, see Deploy OneDrive apps by using SCCM.
Before you can deploy applications to computers running macOS, you need to complete some prerequisite tasks on the System Center Configuration Manager site. For detailed information about these prerequisites and how to prepare a System Center Configuration Manager environment for Mac management, see Prepare to deploy client software to Macs. When you’ve completed the prerequisites, you can deploy applications to Macs by completing the steps described in How to Create and Deploy Applications for Mac Computers in Configuration Manager. For information about configuring the OneDrive sync client for macOS, see Deploy and configure the new OneDrive sync client for Mac.
The tools and technologies you use to manage OneDrive are based on the individual management task you want to perform. The following table shows the three primary categories to consider when managing OneDrive and the technologies and methods available for that category.
|Category||Tasks||Technology or method|
|OneDrive organization-wide settings||Manage settings such as storage limits and sharing capabilities.||OneDrive admin center
|App updates||Update the OneDrive sync client or mobile apps||MDM (for example, Intune)
System Center Configuration Manager
OneDrive admin center
|Sync client settings||Configure the sync client update ring, DLP policies, and other device or app restrictions.||MDM (for example, Intune)
System Center Configuration Manager
Manage OneDrive by using the OneDrive admin center
The OneDrive admin center https://admin.onedrive.com in Office 365 enables you to manage OneDrive settings and device access from one central location. Some settings in the OneDrive admin center you’ll use regardless of any other technologies you use to manage OneDrive (for example, to configure storage space settings). Others may overlap management apps in use (for example, the MDM section). Most organizations will use the OneDrive admin center for some of their settings, but only those organizations without an MDM application would likely use the device access functionality in the OneDrive admin center.
For more info about the admin center, see OneDrive for Business for admins
Settings in the OneDrive admin center are grouped into six categories:
Sharing - On the Sharing tab, you can configure the default sharing link users send out to colleagues to share a file as well as external sharing settings. These settings are organization-wide and applicable to all organizations, regardless of the device management tool in use. Use this page to configure the sharing option based on the sharing decisions you made in Part 2, Plan for OneDrive for enterprises.
Sync - On the Sync tab, you can configure sync restrictions based on file types, require that synced devices be domain joined, or restrict synchronization from computers running macOS. Depending on your device management tool, the PC device restrictions in this section may overlap other management settings.
Storage - On the Storage tab, you specify the default OneDrive storage limit for users within your Office 365 organization. You can also configure data retention settings for users whose accounts have been deleted (the maximum value is 10 years). These organization-wide configuration settings are applicable to all organizations, regardless of the device management tool they use. Use this page to configure the data retention value based on the decisions you made in Part 2, Plan for OneDrive for enterprises.
Device Access - On the Device Access tab, you can restrict device access to OneDrive based on network location and apps that don’t use modern authentication among other application management options. Depending on your device management tool, the restrictions configurable on this tab may overlap with other management settings. If a conflict occurs with an Intune policy, for example, the Intune policy will take precedence for the users that policy targets.
Compliance - The Compliance tab provides a centralized list of links to auditing, DLP, retention, eDiscovery, and alerting capabilities within Office 365 that are applicable to OneDrive. Selecting an item’s link redirects you to the Office 365 Security & Compliance Center, where you can configure that item. You can create DLP policies from templates that protect certain types of data, such as Social Security numbers, banking information, and other financial and medical content. Some capabilities won’t be available if you’re using Intune (for example, device management). For a walkthrough of how to create DLP policies in Office 365 and apply them to OneDrive, see Create a DLP policy from a template.
Notifications - On the Notifications tab, you define when OneDrive owners should receive notifications about sharing or accessing their data. For information about enabling these options, see Turn on external sharing notifications for OneDrive.
Manage OneDrive settings by using Intune
Unlike Windows, OneDrive doesn’t have a configuration service provider. Therefore, to use Intune to configure OneDrive settings, you must deploy the setting’s corresponding registry key and value by using a PowerShell cmdlet. Read Use Group Policy to control OneDrive sync client settings for a list of settings and their corresponding registry values; then, construct a PowerShell script using the following cmdlet syntax:
New-ItemProperty -Path \$Path -Name \$Name -Value \$Value -PropertyType DWORD -Force | Out-Null
where $Path is the full path to the subkey to which you want to add a value to (for example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive), $Name is the name of the value you’re adding (for example, AutomaticUploadBandwidthPercentage), $Value is the data within the new value (for example, 32), and the value following the PropertyType switch is the type of value you’re adding.
Save the PowerShell script as a .ps1 file. Then, see Manage PowerShell scripts in Intune for Windows 10 devices for instructions on how to deploy the PowerShell script in your environment.
Manage OneDrive updates by using Intune
OneDrive is updated through Windows Update in two waves. Out of the box, OneDrive sync clients are in the first wave, which means that they receive updates as soon as they’re published. The second wave receives those same updates several weeks later. To configure Windows devices to be in the second wave, you must configure the EnableEnterpriseUpdate entry by using the following command:
New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\OneDrive' -Name 'EnableEnterpriseUpdate' -Value '1' -PropertyType DWORD -Force | Out-Null
Save the script as a .ps1 file. Then, see Manage PowerShell scripts in Intune for Windows 10 devices for instructions on how to deploy the PowerShell script in your environment.
Manage OneDrive by using third-party MDM tools
Intune isn’t the only MDM option you can use to manage OneDrive apps and settings. For information about managing OneDrive for Windows 10 by using VMware AirWatch, see Modern Management for Windows 10. For information about managing OneDrive for Windows 10 by using MobileIron, see Windows 10 in the Enterprise.
Manage OneDrive by using Group Policy
You can use Group Policy to manage OneDrive settings for domain-joined machines in your environment. For information, see Use Group Policy to control OneDrive sync client settings. Using Group Policy, you can redirect and move Windows known folders to OneDrive, enable silent account configuration, configure the maximum size that will be downloaded automatically, and much more.
Manage OneDrive by using System Center Configuration Manager
Because Windows devices that you use System Center Configuration Manager to manage are either domain joined (and therefore managed in Active Directory) or administered through Intune, the role of System Center Configuration Manager in managing OneDrive settings is limited. When using System Center Configuration Manager to manage OneDrive, Microsoft recommends using either Group Policy or Intune, depending on whether the device is domain joined.
System Center Configuration Manager can manage OneDrive updates and configuration alongside other updates in your environment, such as for Windows and Office applications.
Manage OneDrive updates by using System Center Configuration Manager
Depending on where the OneDrive client originated—as part of an Office package, Windows 10, or as a stand-alone installation—there are two primary methods for using System Center Configuration Manager to manage OneDrive updates:
Traditional updates managed through Windows Service Update Services (WSUS). OneDrive product updates are downloaded to WSUS, and you can manage them alongside your Windows and Office updates. For information about how to configure System Center Configuration Manager with WSUS, see Install and configure a software update point.
Single-instance updates. If you want to perform an ad hoc update of the OneDrive sync client on a Windows device, start by downloading the updated OneDrive sync client from OneDrive for Windows. This method is typically applicable only for older installations of Office running on devices with a Windows version earlier than Windows 10 that are not updating OneDrive as part of their other updates.
Once downloaded, you can create a script in System Center Configuration Manager by following the process in Create and run PowerShell scripts from the Configuration Manager Console or by using a traditional script-based application such as that in Create applications with System Center Configuration Manager. When using either option, the command to update the OneDrive client using the installer is:
> Execute \<pathToExecutable\>\\OneDriveSetup.exe /update /restart