Table of contents
- Disable OneDrive...
- Enable OneDrive only for a group of users
- Step 1: Create a new AAD Security Group
- Step 2: Enable Personal Sites for members of the AAD Security Group
- Step 3: If you now scroll down, you can configure the permissions for the added group. In our case, we want users in the group “OneDrive qualified users” to have OneDrive enabled. Therefore, we select the corresponding box (as shown on the right side of the picture) and confirm with OK.
- Conclusion
Microsoft OneDrive is a service included in most Microsoft 365 subscriptions. It’s the foundation for many collaboration services. For example, when you’re in an MS-Teams chat (not a channel) and share a file with other participants, MS-Teams automatically uploads your file to your OneDrive storage and shares it with the other participants (see picture below for an example). While some organizations block unwanted usage of OneDrive through a signed agreement with employees, other organizations prefer to block the service technically. This is actually possible. To do that, you’ll have to change settings in the SharePoint Online Admin Center (Info: OneDrive is basically a personal site based on SharePoint. Therefore, there is no OneDrive service as such. It’s all about SharePoint.).
Disable OneDrive...
Normally, you would think about how to deal with the OneDrive service before implementing Microsoft 365. This would exclude any possibility for users to use OneDrive with their company accounts. Unfortunately, I also encounter organizations which had already implemented Microsoft 365 (mostly driven by the pandemic and the urge to implement Microsoft Teams quickly) and realized only months later that their users were using their OneDrive storage for any kind of data (confidential and non-confidential). In other cases, there are some legitimate users who should be able to use OneDrive with their company accounts. But that’s the easier part ;-). In summary: if I want to disable OneDrive for Business for my organization, I may encounter the following scenarios:
- Disable OneDrive for all users, Microsoft 365 not deployed yet
- Disable OneDrive for all users, Microsoft 365 already deployed
- Disable/enable OneDrive only for specific users
Since OneDrive is fully based on SharePoint, there is no such thing as a OneDrive Admin Center. (In the on-premises version of SharePoint, OneDrive is part of the MySite functionality. It’s pretty comparable in my opinion, but in Microsoft 365 the news feed and user information are in Delve, which is also pretty neat. You will be able to follow these instructions even without understanding this.) Therefore, the configuration required to disable OneDrive in your tenant is done through the SharePoint Admin Center.
... for all users (M365 not deployed yet)
Step 1: Prevent the creation of "Personal Sites"
You need to prevent the creation of so-called “Personal Sites” (a Personal Site is basically the end user’s OneDrive). To do this, click on “More features” in the SharePoint Admin Center and select “User Profiles”.
Step 2: Go to "Manage User Permissions"
Since we want to set the permission for all accounts that will be created in the future, we need to open “Manage User Permissions”.
Step 3: Disable creation of "Personal Sites"
Here we can configure what users get when a new User Profile is created. By default, the configuration is set for “Everyone except external users”. To disable OneDrive for all newly created users, ensure that the box next to “Create Personal Site (required for personal storage, newsfeed and followed content)” is unticked. To save this setting, confirm with OK.
After the setting has been updated, every newly created user will have the OneDrive service disabled. If someone tries to send a file in an MS-Teams chat (not a channel), he/she gets the notification shown in the following picture.
Keep in mind: The example in the picture shows a chat between “Mirco” (user with enabled OneDrive) and “Curt” (user with disabled OneDrive). Curt can still receive files sent from Mirco, since the files in that case are shared using Mirco’s OneDrive.
... For all users (M365 already deployed)
If you already deployed Microsoft 365 without disabling OneDrive for your users, then you may have to spend some more time thinking before deactivating it ;-).
You will have a certain number of users who have already started using OneDrive. This means you’ll have to consider that people are already storing files in the Microsoft 365 cloud and are collaborating with other people (possibly even people outside your organisation).
Since the users who are using OneDrive are doing so without any official approval, I would recommend deleting all the existing OneDrive sites until you activate OneDrive officially with the respective Adoption and Change Management measures.
Important: For your IT department to provide a controlled deactivation of OneDrive (without end users experiencing any data loss), inform your users well in advance and provide them with instructions on how to move the data they have already stored to an appropriate storage location.
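To know which users to inform, it helps to list the existing OneDrive sites first. The following is an added example, not part of the original article: a read-only triage that deletes nothing. The function name `Get-OneDriveTriage`, the threshold, the file names in the comments and the sample sites are assumptions made for illustration, and `Owner` is assumed to hold the user's UPN.

```powershell
# Added example: read-only triage of OneDrive sites; nothing is deleted.
function Get-OneDriveTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,   # needs Url, Owner, StorageUsageCurrent (MB)
        [string[]] $QualifiedOwners = @(),          # assumed: UPNs of "OneDrive qualified users"
        [int] $EmptyThresholdMB = 1                 # assumed: at or below this counts as unused
    )
    foreach ($site in $Sites) {
        # -contains is case-insensitive, which suits UPN comparison
        $action = if ($QualifiedOwners -contains $site.Owner) {
            'Keep (qualified user)'
        } elseif ($site.StorageUsageCurrent -gt $EmptyThresholdMB) {
            'Notify owner, wait for confirmation'
        } else {
            'No data stored'
        }
        [pscustomobject]@{
            Owner        = $site.Owner
            UsedMB       = $site.StorageUsageCurrent
            LastModified = $site.LastContentModifiedDate
            Action       = $action
            Url          = $site.Url
        }
    }
}

# Constructed sample data so the function can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ Url = 'https://example-my.sharepoint.com/personal/anna_example_com'
        Owner = 'anna@example.com'; StorageUsageCurrent = 2048
        LastContentModifiedDate = [datetime]'2024-03-02' }
    [pscustomobject]@{ Url = 'https://example-my.sharepoint.com/personal/ben_example_com'
        Owner = 'ben@example.com'; StorageUsageCurrent = 512
        LastContentModifiedDate = [datetime]'2024-02-11' }
    [pscustomobject]@{ Url = 'https://example-my.sharepoint.com/personal/cara_example_com'
        Owner = 'cara@example.com'; StorageUsageCurrent = 1
        LastContentModifiedDate = [datetime]'2023-11-20' }
)
Get-OneDriveTriage -Sites $sample -QualifiedOwners 'ben@example.com' |
    Sort-Object Action, Owner | Format-Table -AutoSize

# Against a real tenant (after Connect-SPOService), feed it the query the article uses:
# $sites = Get-SPOSite -Template "SPSPERS" -Limit ALL -IncludePersonalSite $True
# Get-OneDriveTriage -Sites $sites -QualifiedOwners (Get-Content .\qualified-upns.txt) |
#     Export-Csv .\onedrive-triage.csv -NoTypeInformation
```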
You might encounter one of the following situations:
- Situation 1: The end user moves the data they had on OneDrive so far to an appropriate location, and their OneDrive site can be deleted.
- Situation 2: The end user has a legitimate need for OneDrive because they’re collaborating with other people on documents and there is no comparable tool in the company to collaborate in that way.
For situation 2, I strongly recommend providing the possibility to use OneDrive within your company. I would just restrict it to a circle of qualified users. If an end user wants to qualify for having OneDrive activated on his/her company account, he/she has, for example, to complete an internal training. Qualified users will then be added to the group shown in the next chapter, “Enable OneDrive only for a group of users”.
The handling of situation 1 is pretty straightforward. Once you have confirmation that all end users have moved their data away from OneDrive, you can use the following PowerShell script to delete all OneDrive site collections:
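#!! WARNING !!
#This script deletes all OneDrive site collections in your Microsoft tenant!
#Requires the SharePoint Online Management Shell module
Import-Module Microsoft.Online.SharePoint.PowerShell
$AdminSiteURL = "https://enito365-admin.sharepoint.com"
#Get credentials to connect to SharePoint Admin Center
$Cred = Get-Credential
#Connect to SharePoint Online Admin Center with privileged account
Connect-SPOService -Url $AdminSiteURL -Credential $Cred
#Get all personal site collections (template SPSPERS = OneDrive)
$OneDriveSites = Get-SPOSite -Template "SPSPERS" -Limit ALL -IncludePersonalSite $True
Foreach ($Site in $OneDriveSites)
{
    Try {
        #Remove OneDrive site collection (Remove-SPOSite moves it to the recycle bin)
        Remove-SPOSite -Identity $Site.Url -Confirm:$false -ErrorAction Stop
        Write-Host "OneDrive site collection deleted successfully: $($Site.Url)"
    }
    Catch {
        #Report failures instead of printing a success message for them
        Write-Warning "Could not delete $($Site.Url): $($_.Exception.Message)"
    }
}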
Delete a specific OneDrive Site-Collection
In case you simply need to delete the OneDrive site collection of a specific user, you can use the following PowerShell script:
#Delete a specific OneDrive site collection
$AdminSiteURL = "https://enito365-admin.sharepoint.com"
$OneDriveSiteUrl = "https://enito365-my.sharepoint.com/personal/adeleV_enito365_onmicrosoft_com"
#Get credentials to connect to SharePoint Admin Center
$Cred = Get-Credential
#Connect to SharePoint Online Admin Center
Connect-SPOService -Url $AdminSiteURL -Credential $Cred
#Remove OneDrive site collection (asks for confirmation; stops on error so the message below is only shown on success)
Remove-SPOSite -Identity $OneDriveSiteUrl -ErrorAction Stop
Write-Host "OneDrive site collection deleted successfully: $OneDriveSiteUrl"
Enable OneDrive only for a group of users
Step 1: Create a new AAD Security Group
To identify end users who are qualified to use OneDrive with their company account, we create a new group in the Microsoft 365 Admin Center. I personally suggest creating a Security Group (in my example, I use a Security Group called “OneDrive qualified users”). Once you have created this group, you can navigate to the SharePoint Admin Center and open the Configuration Panel for the User Profiles (as described in a previous chapter).
Step 2: Enable Personal Sites for members of the AAD Security Group
Once you’re in the Configuration Panel for the User Profiles, you can click on “Manage User Permissions” and add the newly created group.
Step 3: If you now scroll down, you can configure the permissions for the added group. In our case, we want users in the group “OneDrive qualified users” to have OneDrive enabled. Therefore, we select the corresponding box (as shown on the right side of the picture) and confirm with OK.
Conclusion
If you came across this article, you certainly wanted to gain more control over the data which your end users store in the Microsoft 365 cloud. However, disabling OneDrive within your organisation is, in my opinion, not a long-term solution. Collaboration and sharing are the laws of modern-day productivity, and OneDrive is an essential gear in the Microsoft 365 ecosystem. By disabling OneDrive in your organisation, you may encourage people to use alternatives such as Google Drive or Dropbox. And that’s not your goal. So at this point I strongly recommend that you plan how to control your data in the cloud and allow your end users to use services like OneDrive by planning and implementing secure collaboration governance and sensitivity labels.