Disabling OneDrive for Office365

Recently I had a requirement to remove access to OneDrive for users that had Office365. Unfortunately, after a bit of research, the community’s stance was that this was basically not possible without impacting Office activation.

We spent a substantial amount of time testing multiple ways to achieve this and ultimately landed on the below options. Depending on your configuration you should ultimately be able to remove this access quite easily.

To clarify, the functionality we wanted to remove was the OneDrive access within Office apps, as per below:


Stop OneDrive from being created

  1. Navigate to SharePoint admin Center and open User profiles
  2. Under People, click Manage User Permissions
  3. Under Everyone except external users, untick Create Personal Site.


This option is quick and easy if you haven’t migrated anyone yet and you want to blanket stop users from accessing the OneDrive feature.

Revoke Permission to the User’s OneDrive

  1. Navigate to SharePoint admin Center and open User profiles
  2. Under People, click Manage User Profiles
  3. Search for the user account you want to remove access for
  4. Click on the user name and, from the drop-down menu, choose Manage site collection owners
  5. Remove their account

This is great if you want to remove access only for specific users on a per-request basis, but it is not ideal for bulk removal. It can also be applied even after the OneDrive has been created, so it can be combined with the first option above.

Tenant Level Permissions (Microsoft need to do this)

Microsoft can apply configuration at the tenant level which allows you to completely remove access to OneDrive via URL, Office apps and sync where the SharePoint license is removed from the plan.

To do this, all you need to do is raise a Premier support ticket with your default site collection URL – https://domain.sharepoint.com. This was ideal for us as it allowed us to programmatically remove it for all users and reintroduce access as we introduce OneDrive to the business.

Once this is applied, the plan needs to be modified. You can automate this via PowerShell scripts so it can be managed by AD groups – Office 365: Assign licenses based on groups using PowerShell
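One way to drive that plan change from an AD group, as an added example that is not from the original post or the linked article. It uses the Microsoft Graph PowerShell SDK; the group name `O365-NoOneDrive` is hypothetical, and the SKU `ENTERPRISEPACK` and plan `SHAREPOINTENTERPRISE` are assumptions to replace with your tenant's values. It also assumes each user's on-prem UPN matches their cloud UPN.

```powershell
# Added example. Needs the ActiveDirectory and Microsoft.Graph modules.
function Disable-SharePointPlanForGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$GroupName   = 'O365-NoOneDrive',       # hypothetical AD group
        [string]$SkuPartName = 'ENTERPRISEPACK',        # assumed SKU part number
        [string]$PlanName    = 'SHAREPOINTENTERPRISE'   # assumed SharePoint plan in that SKU
    )

    # Resolve the SKU and the SharePoint service plan from the tenant itself.
    $sku  = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartName
    $plan = $sku.ServicePlans | Where-Object ServicePlanName -eq $PlanName
    if (-not $sku -or -not $plan) {
        throw "SKU '$SkuPartName' or plan '$PlanName' not found in tenant."
    }

    # Nested groups are expanded; only user objects are processed.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties UserPrincipalName

    foreach ($m in $members) {
        $user = Get-MgUser -UserId $m.UserPrincipalName `
            -Property Id, UserPrincipalName, AssignedLicenses
        $current = $user.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId
        if (-not $current) {
            Write-Warning "$($user.UserPrincipalName): SKU not assigned, skipping."
            continue
        }
        if ($current.DisabledPlans -contains $plan.ServicePlanId) { continue }  # already disabled

        # AddLicenses replaces the disabled-plan list, so keep what is already disabled.
        $disabled = @($current.DisabledPlans) + $plan.ServicePlanId | Select-Object -Unique
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Disable $PlanName")) {
            Set-MgUserLicense -UserId $user.Id -RemoveLicenses @() `
                -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabled })
        }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
Disable-SharePointPlanForGroup -WhatIf   # dry run; drop -WhatIf to apply
```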

Block Sign-in to Online Content (MSI Office only)

Where you have used the MSI version of Office (not click-to-run) you can disable access to online content by modifying a registry key on the client.


Name: SignInOptions
Value: 4



Obviously the version in …\Office\16.0\Common can be changed to the specific version of Office being used.



SCCM Collection: Dynamically Identifying Users that have had their mailbox migrated to O365

One of the challenges I’ve recently had is identifying users that have had their mailbox migrated to Office365. This becomes quite a task if, like me, you’re using Intune integrated with SCCM but need separate mail profiles for mobile users. Now, this isn’t an issue if you’re happy to manually maintain an AD group which can then be referenced by SCCM; however, I want this to be updated dynamically and not rely on humans.

John Bailey has written an excellent article on some key AD attributes which can be used to identify whether the mailbox is on-prem or in O365. For my environment I can simply extend my Active Directory User Discovery to include the attribute ‘msExchRecipientDisplayType’ and then use a WQL query to identify the users that have been migrated.

Common values:

Object Type

User Mailbox
Linked Mailbox
Shared Mailbox
Dynamic Distribution Group
Remote Mailbox (O365)

The query for where the mailbox has been migrated to Office365:

SMS_R_User.msExchRecipientTypeDetails = 2147483648