Enable conditional access support in the OneDrive sync client for Windows

Conditional access control capabilities in Azure Active Directory offer simple ways for you to secure resources in the cloud. The new OneDrive sync client works with the conditional access control policies to ensure syncing is only done with compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune).

For information about how conditional access works, see:

Getting started

Use the following steps on each computer.

To enable conditional access support on the OneDrive sync client

  1. Download and install the OneDrive sync client.

  2. Download and open EnableCAPreview.reg to enable the conditional access feature.

  3. Restart the sync client.

If you want to disable this feature, you can delete the registry key by running DisableCAPreview.reg. You need to restart the sync client for the change to take effect.

Known issues

The following are known issues with this release:

  • If you create a new access policy after the device has authenticated, it may take up to twenty-four hours for the policy to take effect.

  • Conditional access for macOS is in preview.

  • This release will not automatically take over sync from the previous OneDrive for Business sync client (Groove.exe). If you are already syncing with Groove.exe, it will continue to sync after you set up the OneDrive sync client. (We are working on a fix for this issue.) For instructions, see Transition from the previous OneDrive for Business sync client.

  • In some cases, the user may be prompted for credentials twice. We are working on a fix for this issue.

  • Certain ADFS configurations may require additional setup to work with this release. Please run the following command on your ADFS server to ensure FormsAuthentication is added to the list of PrimaryIntranetAuthenticationProvider:

    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

  • If you enable location-based conditional access, users will need to sign in immediately when they leave the set of approved IP address ranges. While outside of the set of approved IP address ranges, they will need to sign in again every time their access expires (every 90 minutes by default).

Reporting problems

Please let us know if you run into any problems while using this release.

To report a problem

  1. Right-click the white or blue OneDrive cloud icon in the Windows taskbar notification area.

  2. Click Report a problem.

  3. Type a brief description of your issue, and then click OK. You will receive an email notification with a support ticket number to track your issue.

See also

Deploy the new OneDrive sync client

Sync files with the new OneDrive sync client in Windows