Control provisioning of OneDrive
OneDrive for a user is created when they click the OneDrive tile or access the service for the first time. Their ability to create a OneDrive site is governed by the Create Personal Site permission in SharePoint Online. By default, this permission is assigned to all users.
If your organization is looking for a phased rollout, you can create specific user groups and assign the Create Personal Site permission to them.
Enable Sync client restrictions
A SharePoint Online administrator can use PowerShell cmdlets to allow the OneDrive for Business sync client only from the domains present in the safe recipients list. Once this is enabled, if the version of the sync client on a user's PC is earlier than 15.0.4693.1000, the sync client is considered outdated and the user will not be able to sync documents.
Configure restricted Domain sharing
At the tenant level, administrators can configure external sharing using either the Allow List or the Deny List feature. Administrators can limit sharing invitations to a specific set of email domains by listing them in the Allow List, or use the Deny List to specify the email domains to which users are prohibited from extending invitations.
Additional parameters have been added to the PowerShell cmdlets to allow configuration of restricted domains using PowerShell.
All external sharing invitation emails can be blind-copied to designated mailboxes using the available parameters.
Discourage Org-wide sharing
To discourage users from sharing files from their OneDrive with everyone in the organization, hide the “Everyone”, “All Users” and “Everyone except External Users” groups in the people picker.
Restrict Sync based on file types
When required, block syncing of certain file types using the new sync client. For example, sync of .pst and .mp4 files can be blocked because all email should be in the EXO mailbox and videos should be in the O365 Video service, or simply to conserve bandwidth.
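The tenant-level settings covered in the sync client, restricted domain sharing, org-wide sharing and file type sections above, carried out in one script as an added PowerShell example (it is not from the original document and not Microsoft's own sample). It assumes the SharePoint Online Management Shell is installed; the tenant URL, domains, mailbox address and domain GUID are placeholders.

```powershell
# Added example (not from the original document). Applies the OneDrive / SharePoint Online
# tenant settings discussed above using the SharePoint Online Management Shell.
# Tenant name, domains, mailbox and the domain GUID below are placeholders.

# Connect to the tenant admin site as a SharePoint Online administrator.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Sync client restrictions: allow the sync client only on PCs joined to the listed
#    Active Directory domains (semicolon-separated domain GUIDs; placeholder value),
#    and block sync of .pst and .mp4 files (mail belongs in EXO, video in O365 Video).
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids "00000000-0000-0000-0000-000000000000" `
    -ExcludedFileExtensions "pst;mp4"

# 2. Restricted domain sharing: Allow List mode limits sharing invitations to the listed
#    email domains (space-separated). For the Deny List approach use
#    -SharingDomainRestrictionMode BlockList with -SharingBlockedDomainList instead.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "fabrikam.com partner.example"

# 3. Blind-copy every external sharing invitation to a monitoring mailbox.
Set-SPOTenant -BccExternalSharingInvitations $true `
    -BccExternalSharingInvitationsList "sharing-audit@contoso.com"

# 4. Discourage org-wide sharing: hide the Everyone, All Users and
#    Everyone except External Users groups in the people picker.
Set-SPOTenant -ShowEveryoneClaim $false `
    -ShowAllUsersClaim $false `
    -ShowEveryoneExceptExternalUsersClaim $false

# Verify: read the settings back and compare them with the intended values.
$sync   = Get-SPOTenantSyncClientRestriction
$tenant = Get-SPOTenant
[pscustomobject]@{
    SyncRestricted     = $sync.TenantRestrictionEnabled
    ExcludedExtensions = $sync.ExcludedFileExtensions
    SharingMode        = $tenant.SharingDomainRestrictionMode
    AllowedDomains     = $tenant.SharingAllowedDomainList
    BccInvitations     = $tenant.BccExternalSharingInvitations
    EveryoneHidden     = -not $tenant.ShowEveryoneClaim
} | Format-List
```

The Get-* calls at the end are the check a practitioner wants after a tenant change: a setting that did not apply shows up immediately rather than at the next audit.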
Monitor User activities
Office 365 Audit log search and the Management Activity API enable monitoring of user activities on OneDrive and integration of those events with the existing SIEM tool in your organization. Refer to the Audit log search section later in this document.
Configure usage or anomaly based alerts
Office 365 Advanced Security Management enables you to set up anomaly detection policies, so you can be alerted to potential breaches of your network. For example, you can be alerted to impossible travel scenarios, such as a user signing in to the service to check their mail from New York and then, two minutes later, downloading a document from OneDrive in Tokyo.
Advanced Security Management also lets you set up policies that track specific activities. With out-of-the-box templates like Mass download by a single user, IT can easily create policies that flag when someone is downloading an unusually large amount of data. Alerts can also be configured for multiple failed sign-in attempts or sign-ins from a risky IP address.
Configure Mobile App Management (MAM) for mobiles
Intune MAM, part of the Enterprise Mobility + Security (EMS) suite, provides the ability to manage the OneDrive mobile app and disable users' ability to copy and paste corporate content from their OneDrive to a non-managed or consumer app.
Configure Conditional Access
Azure AD Premium, part of the Enterprise Mobility + Security (EMS) suite, provides risk-based conditional access through an intelligent assessment of whether to grant or block access to OneDrive. For example, access to OneDrive can be blocked if the user is on a non-managed device.
Additional Administrative settings for the sync client
A variety of OneDrive and OneDrive for Business settings can be centrally administered through Group Policy. The Group Policy objects are available as part of the OneDrive Deployment Package.
The following User Configuration group policies are available:
• Coauthoring and in-app sharing for Office files
• Configure OneDrive.exe to receive updates after consumer production
• Prevent users from changing the location of their OneDrive folder
• Prevent users from configuring personal OneDrive accounts
• Set the default location for the OneDrive folder
• Users can choose how to handle Office files in conflict
The following Computer Configuration group policies are available:
• Prevent users from using the remote file fetch feature to access files on the computer
• Set the maximum percentage of upload bandwidth that OneDrive.exe uses
- Office 365: Everything You Wanted to Know - Jan 2017 - Microsoft