CP - OneDrive - Block other tenant signin
What this policy is about
You know the drill by now. We don't like chaos.
We don't like data all over the place.
And we really don't like users signing into OneDrive with accounts from some other tenant they found behind the couch.
This policy says:
"You're either with us, or you're not syncing anything."
No more mystery accounts. No more "I just needed to grab something real quick."
Only sign in with your organization's account. Period.
Why?
Because you don't know:
- Where that other tenant is managed
- If it even is managed
- Or if Bob from Accounting is syncing your quarterly reports to his old startup's OneDrive
Add a few mergers and acquisitions into the mix, and suddenly you've got data going in ten directions with zero accountability.
Let's not.
Configuration
| Setting | Value |
|---|---|
| Allow syncing OneDrive accounts for only specific organizations | Enabled |
| Tenant ID | ${SUPERVISION_TENANTID} |
SuperVision Tip
This policy requires a Tenant ID to work.
And while you're technically allowed to paste in your own... don't.
Instead, use the dynamic tag ${SUPERVISION_TENANTID}: SuperVision will automatically inject the correct value per environment.
Why this matters:
- Prevents config mistakes during rollout
- Avoids syncing devices to the wrong tenant (been there)
- Makes your blueprint multi-tenant ready out of the box
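
To confirm on a device that the tenant restriction actually landed with a real tenant ID, here is an added example (not part of the SuperVision blueprint). It assumes the setting is written to the OneDrive policy key `HKLM\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList` and that signed-in work accounts record `ConfiguredTenantId` under `HKCU\Software\Microsoft\OneDrive\Accounts`; `$ExpectedTenantId` is a parameter you supply.

```powershell
# Added example: audit the OneDrive tenant allow list on a Windows device.
param(
    # Assumption: your organization's tenant ID (GUID), supplied by the operator.
    [Parameter(Mandatory)][guid]$ExpectedTenantId
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList'
$findings  = [System.Collections.Generic.List[string]]::new()
$expected  = $ExpectedTenantId.ToString()

if (-not (Test-Path $policyKey)) {
    $findings.Add('AllowTenantList is not set: OneDrive will sync accounts from any tenant.')
} else {
    # Each allowed tenant is stored as a registry value named after the tenant ID.
    $hasExpected = $false
    foreach ($name in (Get-Item $policyKey).Property) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($name, [ref]$parsed)) {
            # Catches an unresolved dynamic tag or a paste error in the Tenant ID field.
            $findings.Add("Allow list entry is not a GUID: '$name'")
        } elseif ($parsed -eq $ExpectedTenantId) {
            $hasExpected = $true
        } else {
            $findings.Add("Unexpected tenant on allow list: $name")
        }
    }
    if (-not $hasExpected) {
        $findings.Add("Expected tenant $expected is missing from the allow list.")
    }
}

# Work accounts already configured for the current user (Business1, Business2, ...).
Get-ChildItem 'HKCU:\Software\Microsoft\OneDrive\Accounts' -ErrorAction SilentlyContinue |
    Where-Object PSChildName -like 'Business*' |
    ForEach-Object {
        $tid = $_.GetValue('ConfiguredTenantId')
        if ($tid -and $tid -ne $expected) {
            $findings.Add("$($_.PSChildName) is configured for another tenant: $tid")
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'Compliant: OneDrive sync is restricted to the expected tenant.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it in the user's session so the `HKCU` check sees that user's accounts; members of the excluded group will show additional tenants by design.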
Group Assignments
Included:
All Users
Excluded:
This group is reserved for users who are explicitly allowed to sync to another tenant; see Allow Policy
Related
If someone really needs to sign into another tenant:
Send them to the CP - OneDrive - Allow other tenant signin.
With written approval. And a raised eyebrow.