How to Block Personal OneDrive on Company Devices with Intune
When your team needs to keep work data separate from personal files, preventing personal OneDrive logins on company-owned devices is key. Disabling sync alone isn’t enough—you need to stop users from adding personal accounts in the first place. Here’s a straightforward, step-by-step guide for doing this in Microsoft Intune.
1. Block Personal OneDrive in a Device Configuration Profile
First, create a configuration profile that stops users from signing into personal OneDrive accounts.
- In the Intune admin center, go to Devices > Configuration profiles.
- Click Create profile, choose Windows 10 and later, and pick Administrative Templates.
- Under Computer Configuration > Policies > Administrative Templates > OneDrive, enable these settings:
  - Prevent users from adding personal OneDrive accounts
  - Block syncing OneDrive accounts
- Assign the profile to your groups of company-owned devices (desktops, laptops, tablets).
These settings ensure OneDrive for Business still works while personal accounts are completely blocked.
2. Extend to Mobile with App Configuration Policies
If your staff uses OneDrive mobile, add a Mobile Application Management (MAM) policy:
- Go to Apps > App configuration policies in Intune.
- Create a policy for the OneDrive mobile app.
- Disable account addition or personal sign-in in the app settings.
- Target it to your mobile device groups.
This stops employees from adding personal OneDrive accounts on phones and tablets.
3. Prevent OneDrive Installation (Optional)
For an extra layer, you can block OneDrive installation entirely on company PCs:
- In Devices > Configuration profiles, create a new profile for Windows 10 and later using Device restrictions.
- Under Applications, set OneDrive to Not allowed.
- Assign it to your device groups.
Use this only if you don’t need OneDrive at all on those machines.
4. (Hybrid AD) Use Group Policy via Intune
If your devices are hybrid Azure AD joined, enforce the classic Group Policy:
- Open Computer Configuration > Administrative Templates > OneDrive in the Group Policy Editor.
- Enable Prevent the usage of OneDrive for file storage.
- Deploy this policy through Intune to your hybrid-joined devices.
5. Monitor and Enforce Compliance
After you apply these policies:
- Check Intune’s Device compliance reports to see which machines still have personal OneDrive accounts.
- Use Microsoft 365 Compliance Center logs to verify no personal OneDrive sign-ins happen.
Regular monitoring ensures the policies stay in effect and protects your work data.
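A local check for the monitoring step, as an added PowerShell example that is not part of the original guide or of Microsoft's tooling: it reports whether a blocking policy has reached the device and whether a personal account is still configured in the user's profile. Assumptions: the script runs in the signed-in user's context, the step 1 setting corresponds to the OneDrive sync policy that writes DisablePersonalSync, and the sync client records a personal account under the Accounts\Personal key with a UserEmail value; confirm all three on a reference machine.

```powershell
# Added example: detection check for the personal OneDrive block.
# Assumption: runs as the signed-in user, so HKCU is that user's registry hive.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-OneDrivePersonalBlock {
    $findings = @()

    # Value written by the OneDrive policy that prevents syncing personal accounts.
    $personalSync = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive' 'DisablePersonalSync'
    # Value written by "Prevent the usage of OneDrive for file storage" (step 4).
    $allBlocked = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 'DisableFileSyncNGSC'

    # Either policy is enough to stop personal sync; flag the device if neither landed.
    if ($personalSync -ne 1 -and $allBlocked -ne 1) {
        $findings += 'No policy blocking personal OneDrive is present'
    }

    # Assumed client state: a configured personal account leaves a UserEmail value here.
    # The address itself is deliberately not written to the output.
    $email = Get-RegValue 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Personal' 'UserEmail'
    if (-not [string]::IsNullOrWhiteSpace($email)) {
        $findings += 'A personal OneDrive account is configured in this profile'
    }

    return ,$findings
}

$result = Test-OneDrivePersonalBlock
if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
    exit 1   # Non-zero exit lets the calling tool flag the device.
}
Write-Output 'COMPLIANT: personal OneDrive is blocked and no personal account is configured'
exit 0
```

A device can report the policy as present and still show a configured personal account if the account was added before the profile was assigned, which is why the two conditions are checked separately.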
6. Keep Users Informed
Technical controls work best alongside clear communication. Explain to employees:
- Why personal and corporate accounts must stay separate.
- How to use OneDrive for Business safely.
- What support is available if they run into access issues.
Why This Matters
In regulated industries like healthcare, mixing personal and work files can lead to data leaks and compliance violations. By blocking personal OneDrive at the source, you safeguard patient records and sensitive business documents without disrupting legitimate workflows.
Follow these steps in Intune to enforce enterprise-grade security on all your company-owned devices.

