Today I ran into an interesting issue, and I thought it worth sharing how I figured out what was going on.
The issue/challenge
The issue I encountered was that I couldn’t sign in to the OneDrive client anymore. When you are not able to sign in, you cannot open cloud-hosted documents, for example, and of course changes to files are not synchronized.
So in order to troubleshoot the issue, I started digging into the Azure AD sign-in logs, where I found the following interesting entry.
The first thing I noticed is that the User Type property was set to Guest, while normally it states “Member”. That left me wondering why my account was a Guest user, and then it all became clear.
For a project I was working on at another customer, the customer had asked me for my IP address so that they could allow that IP address to access the Teams environment being created. I had set up a sync of one of the SharePoint folders within my OneDrive client. Everything was working fine until I went to the office and got another IP address, which broke the ability of the OneDrive client to sign in.
So, what was going on?
The client defined a Conditional Access policy which requires either a compliant device or a trusted location before access to SharePoint Online is granted. This caused my own OneDrive sync client to be unable to log in, and it was therefore unusable until my customer changed something in their Conditional Access policy, or until I removed the sync of the SharePoint Online library hosted in my customer’s tenant, but I can only do that when I’m back in the home office where my IP is whitelisted.
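As an added example (not part of the original post), here is how the same diagnosis could be made from exported sign-in log records instead of by eye: group a guest’s sign-ins per application and split source IPs into allowed and blocked ones. It assumes the Microsoft Graph `signIn` resource field names; the records, the policy name and the guest UPN are constructed sample data.

```python
"""Triage Conditional Access (CA) sign-in failures for guest accounts.
Field names follow the Microsoft Graph `signIn` resource; all records, the
policy name and the guest UPN below are constructed sample data."""
from collections import defaultdict

POLICY = "SPO: require compliant device or trusted location"  # constructed
GUEST = "consultant_partner.example#EXT#@customer.example"     # constructed

def _signin(upn, user_type, ip, ca_status):
    """One constructed sign-in record against SharePoint Online."""
    return {"userPrincipalName": upn, "userType": user_type, "ipAddress": ip,
            "appDisplayName": "Microsoft SharePoint Online",
            "conditionalAccessStatus": ca_status,
            "deviceDetail": {"isCompliant": False, "isManaged": False},
            "appliedConditionalAccessPolicies": [
                {"displayName": POLICY, "result": ca_status,
                 "enforcedGrantControls": ["RequireCompliantDevice"]}]}

SAMPLE_SIGNINS = [
    _signin(GUEST, "guest", "198.51.100.10", "notApplied"),  # trusted IP excluded: policy skipped
    _signin(GUEST, "guest", "203.0.113.7", "failure"),       # other IP, device not compliant
    _signin("alice@customer.example", "member", "203.0.113.7", "failure"),
]

def diagnose_guest_ca(records):
    """Per guest (user, app): which IPs got through, which were blocked, by what."""
    out = defaultdict(lambda: {"allowed_ips": set(), "blocked_ips": set(),
                               "failed_policies": set(), "device_ever_compliant": False})
    for r in records:
        if r.get("userType") != "guest":
            continue
        entry = out[(r["userPrincipalName"], r["appDisplayName"])]
        if r.get("deviceDetail", {}).get("isCompliant"):
            entry["device_ever_compliant"] = True
        if r.get("conditionalAccessStatus") == "failure":
            entry["blocked_ips"].add(r.get("ipAddress"))
            entry["failed_policies"].update(
                p["displayName"] for p in r.get("appliedConditionalAccessPolicies", [])
                if p.get("result") == "failure")
        elif r.get("conditionalAccessStatus") in ("success", "notApplied"):
            # "notApplied" is what a trusted-location exclusion looks like in the log
            entry["allowed_ips"].add(r.get("ipAddress"))
    return dict(out)

def location_dependent(entry):
    """True when the same never-compliant device is allowed from some IPs and
    blocked from others: the trusted-location (IP) condition decides access."""
    return (bool(entry["allowed_ips"]) and bool(entry["blocked_ips"])
            and not entry["device_ever_compliant"])
```

Running `diagnose_guest_ca(SAMPLE_SIGNINS)` shows the guest allowed from one IP and blocked from the other by the same policy on a device that is never compliant, which is exactly the pattern described above.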
Lessons learned
When creating a Conditional Access policy, it can have an unexpected impact even on Guest users. And in my opinion, using IP addresses as exclusions in a Conditional Access policy is asking for issues sooner or later. Go for Zero Trust always.