SharePoint & OneDrive · OneDrive Management

OneDrive Sync Policy Administration

Responsibility profile, not a standalone Microsoft role. Sync policies are configured with Group Policy or Intune by administrators who hold the required device-management permissions.

Scope: Device-level sync client configuration

Permissions

  • Sync policies - Configure via Group Policy or Intune
  • File exclusions - Block specific file types from sync
  • Bandwidth throttling - Set upload/download limits
  • Files On-Demand - Enable/disable on managed devices
  • Known Folder Move - Configure automatic folder backup
  • Tenant restrictions - Limit sync to approved organizations

Common use cases

  • Enterprise sync client deployment
  • Restricting sync to managed devices
  • Bandwidth management for remote workers
  • Data protection via Known Folder Move

Best practices

  • Enable Files On-Demand to save disk space
  • Use Known Folder Move for user data protection
  • Block problematic file types
  • Test policies before broad rollout

Security considerations

  • Sync copies data to local device storage
  • Unmanaged device sync risks data exfiltration
  • Known Folder Move may sync sensitive desktop files
  • Need device management strategy alongside sync policies

Common questions

When should I assign the OneDrive Sync Policy Administration role?

Assign OneDrive Sync Policy Administration when you need to: Enterprise sync client deployment; Restricting sync to managed devices; Bandwidth management for remote workers; and Data protection via Known Folder Move. It is part of SharePoint & OneDrive and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the OneDrive Sync Policy Administration role do?

The OneDrive Sync Policy Administration role grants permissions including: Sync policies - Configure via Group Policy or Intune; File exclusions - Block specific file types from sync; Bandwidth throttling - Set upload/download limits; Files On-Demand - Enable/disable on managed devices; Known Folder Move - Configure automatic folder backup; and Tenant restrictions - Limit sync to approved organizations. See the Permissions section above for the full list.

What are the security risks of the OneDrive Sync Policy Administration role?

Key considerations when assigning OneDrive Sync Policy Administration: Sync copies data to local device storage; Unmanaged device sync risks data exfiltration; Known Folder Move may sync sensitive desktop files; and Need device management strategy alongside sync policies. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →