Blocking OneDrive Access for Microsoft 365 Users

Yunus Emre Araç
5 min read · Jul 13, 2023

Reference: https://www.yunusemrearac.com/2023/07/13/microsoft-365-kullanicilari-icin-onedrive-erisimini-engelleme/

Hello friends, today I will explain how to block OneDrive access for your users in a Microsoft 365 environment.

As cloud environments have grown, so has companies' need for strict control over data security and file sharing. In companies using SharePoint Online, M365 users are automatically given OneDrive for Business access, which comes with features such as uploading and sharing files directly from there.

If you have an intranet and sites on SharePoint Online but do not want all users to have OneDrive access, you can block access by following the steps below.

To do this, we first create a security group in the M365 environment, and then configure the restriction so that OneDrive access is blocked for all users outside this group.

We go to the Microsoft 365 admin center at https://admin.microsoft.com/Adminportal.

Here, we click the “Active teams & groups” submenu under the “Teams & groups” main menu in the left menu.

This screen lists your existing active groups, which you can filter from the menu at the top. Since we are going to create a new group, we open the group creation screen by clicking the “Add a group” button.

On the screen that opens, the first step asks us to choose a type for the new group. Since the group I am setting up must be a security group, I select the “Security” option and move on by clicking the “Next” button.

The next step asks for a name and description for the group. The description is optional, but the name is required. I name it “OneDriveAccessUsers” to match its intended use and continue with the “Next” button.

The last settings section offers an option that allows Azure AD roles to be assigned to this group. I checked it because I want this as well, and I go to the last step with the “Next” button.

The last part is a review of the settings made. If your choices are correct, complete the group creation with the “Create group” button at the bottom.

After everything completes without any problems, you will see a confirmation that your group has been created successfully and will be available within 5 minutes.

When we go to the “Security” tab on the first screen, the group or groups we created appear there.

After the group has been created, we go to the SharePoint admin center by clicking “SharePoint” under “Admin centers” in the left menu of the Microsoft 365 admin center.

In the SharePoint admin center, we click “Access control” under the “Policies” main heading in the left menu to open that page.

Here we select “Restrict OneDrive access” from the access control options, and its settings open in a panel on the right.

In the panel that opens, we tick the “Restrict OneDrive access to only users in specific security groups” checkbox to activate this feature.

At most 10 security groups can be selected in this section. In the search box, we type the name of the security group we have just created, find it, and add it to the list. If no other group is to be added, we save the change with the “Save” button at the bottom.

When you save, a popup appears with a reminder about this setting and a note that it will take some time to take effect. We finish the configuration by clicking “OK”.

Once the setting has taken effect for all users, any user who tries to access OneDrive via the link or from the menu at the top of the SharePoint ribbon will receive an authorization error.

Unauthorized users will encounter an unauthorized login screen when they try to open it.

You can control this authorization by adding the users you want to grant access to as members of the group, or by removing users who currently have access from the group.
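Because membership of this group is now the only thing gating OneDrive, it is worth checking it against an approved list on a schedule. The following read-only audit is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, and the approved addresses are constructed sample values.

```powershell
# Added example: read-only drift audit of the group that gates OneDrive access.
# Assumption: the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) is installed.
Import-Module Microsoft.Graph.Groups

$GroupName = 'OneDriveAccessUsers'            # group name used in the article
# Constructed sample allow-list; replace with your own approved users.
$Approved  = @('alice@contoso.example', 'bob@contoso.example')

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All'

# Display names are not unique in the directory, so refuse to guess
# when zero or several groups match.
$groups = @(Get-MgGroup -Filter "displayName eq '$GroupName'" -All)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$group = $groups[0]
if (-not $group.SecurityEnabled) {
    throw "Group '$GroupName' is not a security group."
}

# Collect the UPNs of direct user members; flag anything that is not a user
# (devices, service principals, nested groups) for manual review.
$current = @(
    foreach ($m in (Get-MgGroupMember -GroupId $group.Id -All)) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.user') {
            $m.AdditionalProperties['userPrincipalName']
        } else {
            Write-Warning "Non-user member $($m.Id) of type $type"
        }
    }
)

# -notin compares case-insensitively, which suits UPNs.
$unexpected = @($current  | Where-Object { $_ -notin $Approved })
$missing    = @($Approved | Where-Object { $_ -notin $current })

[pscustomobject]@{
    Group      = $group.DisplayName
    GroupId    = $group.Id
    Members    = $current.Count
    Unexpected = $unexpected -join ', '   # have OneDrive access but are not approved
    Missing    = $missing -join ', '      # approved but currently blocked
}
```

An empty `Unexpected` column means nobody outside the approved list can reach OneDrive through this group; the script changes nothing in the tenant.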

Yunus Emre Araç

Technology Product Manager of Corporate Applications at ING | Old Microsoft Student Partners Lead | İnönü University, Computer Engineering | İAU, Computer Engineering, Master's with Thesis