CP - OneDrive - Allow other tenant signin
What this policy is for
This is the counter-policy to CP - OneDrive - Block other tenant signin.
While that one slams the door shut on signing into OneDrive with external tenant accounts, this one says:
"Okay, but only for a select few, and only if we can explain it."
Why? Because in real-world scenarios, not everything is black and white:
- You might be merging companies
- You might be sharing workloads between tenants
- Or a user just happens to still be active across both environments
This policy re-enables that specific functionality, but only for those assigned to the
Group - Multi tenant OneDrive Allowed users
Configuration
| Setting | Value |
|---|---|
| Allow syncing OneDrive accounts for only specific organizations | Disabled |
This effectively unlocks the ability to sign into any tenant from the OneDrive client, for users that receive this policy.
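To confirm on a device that the setting above landed as intended, the following check is an added example, not part of the original page or of SuperVision. It assumes the OneDrive tenant lists are stored under `HKLM:\SOFTWARE\Policies\Microsoft\OneDrive` and that the block policy enforces an allow list; the function and parameter names are hypothetical.

```powershell
# Added example (not from the original page). Run on a managed Windows device.
# Assumption: the OneDrive tenant allow/block lists live under this policy key.
function Get-OneDriveTenantRestriction {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: is the signed-in user in the allowed group?
        [Parameter(Mandatory)][bool]$UserInAllowedGroup,
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    )

    # Each tenant ID is stored as a value name under the list's subkey.
    $lists = @{}
    foreach ($name in 'AllowTenantList', 'BlockTenantList') {
        $path = Join-Path -Path $PolicyRoot -ChildPath $name
        $ids = @()
        if (Test-Path -Path $path) {
            # Skip the unnamed default value; keep only real tenant IDs.
            $ids = @((Get-Item -Path $path).GetValueNames() | Where-Object { $_ })
        }
        $lists[$name] = $ids
    }

    $state = if ($lists['AllowTenantList'].Count -gt 0) {
        'AllowListEnforced'
    } elseif ($lists['BlockTenantList'].Count -gt 0) {
        'BlockListOnly'
    } else {
        'Unrestricted'
    }

    # Assumption: users outside the group should still see an enforced allow list.
    $expected = if ($UserInAllowedGroup) { 'Unrestricted' } else { 'AllowListEnforced' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        State           = $state
        Expected        = $expected
        MatchesExpected = ($state -eq $expected)
        AllowedTenants  = $lists['AllowTenantList']
        BlockedTenants  = $lists['BlockTenantList']
    }
}

# Example call for a user who is NOT in the allowed group.
Get-OneDriveTenantRestriction -UserInAllowedGroup $false | Format-List
```

A `MatchesExpected` value of `False` for a user outside the group means the device is less restricted than the group assignment says it should be.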
SuperVision Tip
This policy depends entirely on the correct group assignment.
With SuperVision, you can:
- Assign cross-tenant user access cleanly
- Centrally manage memberships
- Use one group name across all environments
(in this case: Group - Multi tenant OneDrive Allowed users)
No device tags or tenant ID logic needed, just IAM done right.
Group Assignments
Included:
Excluded:
- None explicitly.
Everyone else simply doesn't receive this policy, and remains restricted by CP - OneDrive - Block other tenant signin
Governance Check
If you enable this policy without understanding why a user needs it, you're just creating shadow IT with extra steps.
Always combine this with:
- A written approval from the customer
- Internal documentation of purpose
- Regular review of who's in the group
Just because you can allow cross-tenant syncing, doesn't mean you should.
Use this policy with care. It's a scalpel, not a sledgehammer.