Disable OneDrive for Business in Office 365

When performing Office 365 migrations for clients, the topic of disabling OneDrive for Business and/or SharePoint Online often comes up. The reasons vary, but they usually come down to needing more control over what users are saving to OneDrive and SharePoint.

Note: There are times when it is only desirable to disable the sharing of confidential information with people outside of the organization and not completely disable the use of OneDrive for Business and SharePoint Online. For this we are better off using Office 365 Data Loss Prevention now that Microsoft has added the ability to block sharing content via OneDrive for Business and SharePoint Online. Another great blog post on this subject can be found here.

Option 1 – Hide OneDrive for Business from the Office 365 Online Apps Launcher

It is simple to hide the OneDrive for Business application from the Office 365 Online Apps Launcher by changing the app visibility setting in the SharePoint Online administration site. Two limitations are important to note. First, users who know the OneDrive for Business site URL (i.e. https://tenantname-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments) can still access their OneDrive for Business site, even after these steps are performed. Second, this step only disables OneDrive for Business and SharePoint Online use via the online/web applications; it does not disable the ability to save documents to OneDrive for Business or SharePoint from Office 365 ProPlus and Office 2016 applications installed on users' workstations, nor does it stop the OneDrive for Business Sync Client installed on users' workstations from syncing files to OneDrive for Business.

Let’s get started…

This is what the Office 365 Online Apps Launcher looks like before hiding OneDrive for Business

[Screenshot: OneDrive for Business in the App Launcher]

We can hide the OneDrive for Business App from the Office 365 Online Apps Launcher by selecting Hide next to OneDrive for Business from SharePoint Admin Center > Settings.

This is what the Office 365 Online Apps Launcher looks like after hiding OneDrive for Business. You will notice the Office Online Applications such as Word Online and Excel Online are also hidden, which disables the ability to create new Office files via the Office Online Applications.

[Screenshot: OneDrive for Business hidden in the App Launcher]

Option 2 – Disable OneDrive for Business in the Office 365 tenant

We can control OneDrive for Business access from the initial tenant deployment stage. This also allows us to control OneDrive for Business access via group membership. It is important to note that this will not have any effect on users who are already using OneDrive for Business. Scroll down to Option 3 for a fix to this scenario.

OneDrive for Business uses SharePoint Online as its backend. In SharePoint Online, Personal Site creation is enabled for all users via the group Everyone except external users. This permission gives users the ability to create the OneDrive for Business document library; if it is disabled, OneDrive for Business access is disabled for those users.

You can access these permissions via the following path: SharePoint Admin Center > User Profiles > Manage User Permissions

If we uncheck the Create Personal Site permission, users will not be able to create their MySite or OneDrive in the first place. To fix this, instead of using the default Everyone except external users group, create separate groups and assign them the permission directly. In the example, we created a security group named ODB Users in the Office 365 admin center and assigned it the Create Personal Site permission in User Profiles. After following the steps described in the screenshots, you will be able to control which users can initiate their OneDrive for Business creation via the group ODB Users. This effectively disables OneDrive for Business for new users who are not in the ODB Users group.

Remember, users who have used OneDrive for Business before these modifications will already have initiated their document library in SharePoint, and these changes will not have any effect on them. To deal with this scenario, we need to modify the permissions for each user folder that already exists, which is what we will discuss in Option 3 below.

Option 3 – Remove permission to the user's SharePoint Personal Site

Now we will look at our last option. This will normally apply only when existing users are currently using OneDrive for Business but we need to disable their OneDrive for Business access and still continue to have SharePoint Online access.

As previously discussed, since the user has already used OneDrive, removing the above personal site access won't do anything, and the user would still have access to OneDrive for Business if they try to access it.

First we need to change the site collection administrator of the personal site of the specific user from SharePoint Admin Center > User Profiles > Manage User Profiles. Search for the user and click on the dropdown menu next to it to get to the below options, then select “Manage site collection owners”.

Now replace the account in the fields below with the one for the new Site Collection admin for the Personal site of the user. This way you will be able to give the users their OneDrive access back at a later stage if necessary.

PowerShell

If you prefer to use PowerShell, the below script will accomplish the same thing and is a good option when needing to modify multiple users.
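
One way to script the owner replacement described above for several users, as an added example (not the original post's script). The tenant name contoso, the replacement owner account, the user list and the log file name are constructed placeholders, and the personal-site URL is derived on the assumption that every non-alphanumeric character of the UPN becomes an underscore, as in j_doe_contoso_com.

```powershell
# Added example: replace the owner of existing personal sites for a list of users.
# Requires the SharePoint Online Management Shell module.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl   = 'https://contoso-admin.sharepoint.com'      # placeholder tenant
$MySiteHost = 'https://contoso-my.sharepoint.com'         # placeholder tenant
$NewOwner   = 'odb-admin@contoso.com'                     # hypothetical admin account
$Users      = @('j.doe@contoso.com', 'a.smith@contoso.com')  # constructed sample list

Connect-SPOService -Url $AdminUrl

$results = foreach ($upn in $Users) {
    # Assumption: personal site path = UPN with non-alphanumerics replaced by "_"
    $siteUrl = '{0}/personal/{1}' -f $MySiteHost, ($upn -replace '[^a-zA-Z0-9]', '_')
    try {
        # Fails here (and skips the user) if the personal site was never created
        $site = Get-SPOSite -Identity $siteUrl -ErrorAction Stop
        $previousOwner = $site.Owner

        # Make the admin account the primary site collection owner ...
        Set-SPOSite -Identity $siteUrl -Owner $NewOwner -ErrorAction Stop
        # ... then drop the user from the site collection administrators
        Set-SPOUser -Site $siteUrl -LoginName $upn `
            -IsSiteCollectionAdmin $false -ErrorAction Stop | Out-Null

        [pscustomobject]@{
            User = $upn; Site = $siteUrl
            PreviousOwner = $previousOwner; Status = 'OwnerChanged'
        }
    }
    catch {
        [pscustomobject]@{
            User = $upn; Site = $siteUrl
            PreviousOwner = $null; Status = "Failed: $($_.Exception.Message)"
        }
    }
}

# Keep a record of the previous owners so access can be restored later
$results | Export-Csv -Path .\odb-owner-changes.csv -NoTypeInformation
$results | Format-Table -AutoSize
```

The exported CSV records who owned each site before the change, which is what you need if access has to be handed back at a later stage.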

Results of Options 2 and/or 3 Changes

When the users try to access their OneDrive after the owner change, they will get an access denied message. It may not be pretty but it accomplishes the goal. Also, the OneDrive sync client will stop syncing new files. The user will still have access to the files already synced to their devices. If they attempt to sync again they will get the below message in OneDrive Client after the login prompt.

Things worth noting

  • It is recommended to delete the personal site using the PowerShell command Remove-SPOSite. However, if you choose to delete the site, ensure it is deleted prior to disabling access using the above steps. This ensures that the PersonalSiteInstantiationState profile property of the user is updated, which helps with smoother personal site creation if it is re-enabled in the future, and also ensures there is no impact on any dependent features. This is important because the personal site contains granular permissions which will not be removed by simply changing the Site Collection Administrator.

To delete the personal site, use the following PowerShell commands:
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Remove-SPOSite -Identity https://contoso-my.sharepoint.com/personal/j_doe_contoso_com

  • If your users have created subsites or other lists/libraries with unique permissions under the personal site, they will continue to have access to them. The user is by default added to the site with Full Control, and the default group Everyone except external users has read access on the personal site.

Block OneDrive use from within Office 365 ProPlus and Office 2016 applications

If you only need to control access to OneDrive for Business from domain-joined workstations with Office applications installed, this can be accomplished using a Group Policy. Click here for detailed instructions.