
Tech enthusiast and lifelong learner with expertise in Microsoft 365, cybersecurity, and cloud technologies.


Migrate from Folder Redirection to OneDrive Known Folder Move (KFM)

· 4 min read

On-premises environments that have been using Folder Redirection with Group Policy Objects (GPOs) and are now shifting to a cloud-native approach will need to stop redirecting users' files and folders to a network share and adopt a more modern approach such as OneDrive Known Folder Move (KFM).

Overview

This article will guide you through the process of migrating from Folder Redirection to OneDrive KFM using Microsoft Intune. Along the way, we'll cover topics such as checking for folder path errors with PowerShell, using the Microsoft Graph API to get OneDrive URLs for users, and using the free Microsoft SharePoint Migration Manager to migrate files from the network share to a user's OneDrive.

Prerequisites

  • Microsoft Intune subscription
  • An on-premises account with NTFS permissions to the root network share used for Folder Redirection

Verify Folder Redirection GPO settings

Before we start the migration process, we need to confirm the current Folder Redirection GPO settings. This way, we know what the expected behavior should be once the policy is disabled for a specific user. We don't want any surprises - especially when it comes to a user's files. 😅 Navigate to the Group Policy Management Console to review this information.

tip

Once the folder redirection GPO is located, navigate to the User Configuration > Policies > Windows Settings > Folder Redirection to view the settings. Right-click on the folder you want to check and select Properties. This will open the properties window where you can view the current settings.

info

For this example, Folder Redirection is configured for the Documents and Desktop folders with the settings shown below. Additionally, the NTFS and network share permissions recommended by Microsoft are configured on the root folder of the network share.

The Policy Removal setting is set to Leave the folder in the new location when policy is removed. This means that when the GPO is disabled, the user's files will remain in the redirected location such as the network share.

Folder Redirection Settings

So that an administrator can still access the files and folders a user creates, it is recommended to clear the Grant the user exclusive rights to <Folder> setting in the Folder Redirection GPO. With that setting enabled, the redirected folder is created with an ACL that grants access only to the user and SYSTEM; with it cleared, the folder simply inherits the permissions of the share root. That is why the NTFS permissions on the root folder matter: if the root grants Everyone or Authenticated Users broad inheritable access, clearing the setting lets any user browse another user's redirected files.

grant user exclusive rights

With the Grant the user exclusive rights setting cleared, Microsoft recommends the following NTFS and share permissions on the root folder of the network share so that users cannot access each other's files:

The KB article recommending these settings can be found here.

NTFS Permissions
  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
Share Permissions
  • Everyone group - Full Control

With these permissions, members of Domain Admins can access the user folders the Folder Redirection GPO creates and everything the user creates beneath them, while each user can reach only the folder they own (via CREATOR OWNER) and nobody else's. If the existing share was set up differently, for example with Everyone granted inheritable Full Control, adjust the NTFS permissions before disabling the policy. Where user folders were created with Grant the user exclusive rights enabled, even a Domain Admin has no access and will first have to take ownership of each folder to grant themselves the appropriate NTFS permissions. Do this only for users whose redirection is being switched off: while the policy still applies with exclusive rights, Folder Redirection expects the user to own the folder and may log an error and refuse to redirect once the owner has changed.
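As an added example (not part of the original post), the following PowerShell script audits a Folder Redirection root share against the NTFS and share permissions listed above and, with -Apply, replaces the root NTFS ACL with them. It is meant to run on the file server as a member of Domain Admins; the root path D:\UserFolders, the share name UserFolders$ and the domain name CONTOSO are placeholders you must change. It changes only the root folder and never touches existing user folders.

```powershell
# Added example, not from the original post: audit (and optionally apply) the root-share ACL
# recommended for Folder Redirection when "Grant the user exclusive rights" is cleared.
# Placeholders: D:\UserFolders, UserFolders$ and CONTOSO must be changed for your environment.
param(
    [string]$Root         = 'D:\UserFolders',
    [string]$ShareName    = 'UserFolders$',
    [string]$DomainAdmins = 'CONTOSO\Domain Admins',
    [switch]$Apply
)

$R = [System.Security.AccessControl.FileSystemRights]
$I = [System.Security.AccessControl.InheritanceFlags]
$P = [System.Security.AccessControl.PropagationFlags]
$CI_OI = $I::ContainerInherit -bor $I::ObjectInherit
# Microsoft lists Everyone's four rights as separate lines; on disk they are one ACE.
$EveryoneRights = $R::CreateDirectories -bor $R::ListDirectory -bor $R::ReadAttributes -bor $R::Traverse

# The recommended ACEs. Inh/Prop encode the "Apply onto" wording from the GUI.
$Expected = @(
    @{ Id = 'CREATOR OWNER';       Rights = $R::FullControl; Inh = $CI_OI;   Prop = $P::InheritOnly } # Subfolders and Files Only
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = $R::FullControl; Inh = $CI_OI;   Prop = $P::None }        # This Folder, Subfolders and Files
    @{ Id = $DomainAdmins;         Rights = $R::FullControl; Inh = $CI_OI;   Prop = $P::None }        # This Folder, Subfolders and Files
    @{ Id = 'Everyone';            Rights = $EveryoneRights; Inh = $I::None; Prop = $P::None }        # This Folder Only
)

function Get-EffectiveRights($Ace) {
    # Inherit-only ACEs set in the GUI are often stored as GENERIC_ALL (0x10000000), which
    # Get-Acl shows as 268435456 rather than FullControl. Normalize so the comparison works.
    $raw = [int]$Ace.FileSystemRights
    if ($raw -band 0x10000000) { return [int]($R::FullControl) }
    return $raw
}

function Test-AceMatch($Ace, $Spec) {
    $sync = [int]($R::Synchronize)   # the GUI adds Synchronize implicitly; ignore it on both sides
    $have = (Get-EffectiveRights $Ace) -band (-bnot $sync)
    $want = ([int]$Spec.Rights) -band (-bnot $sync)
    return ($Ace.AccessControlType -eq 'Allow' -and
            $Ace.IdentityReference.Value -eq $Spec.Id -and
            $have -eq $want -and
            $Ace.InheritanceFlags -eq $Spec.Inh -and
            $Ace.PropagationFlags -eq $Spec.Prop)
}

function Test-RedirectionRootAcl([string]$Path) {
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$Path still inherits ACEs from its parent (e.g. Users/Everyone on the volume root); those flow into every user folder."
    }
    # Every ACE must be one of the recommended ones; anything else is a path into other users' folders.
    foreach ($ace in $acl.Access) {
        $ok = $false
        foreach ($e in $Expected) { if (Test-AceMatch $ace $e) { $ok = $true } }
        if (-not $ok) { $findings += "Unexpected ACE on ${Path}: $($ace.IdentityReference.Value) $($ace.AccessControlType) $($ace.FileSystemRights) [$($ace.InheritanceFlags)/$($ace.PropagationFlags)] inherited=$($ace.IsInherited)" }
    }
    foreach ($e in $Expected) {
        $present = $false
        foreach ($ace in $acl.Access) { if (Test-AceMatch $ace $e) { $present = $true } }
        if (-not $present) { $findings += "Missing ACE on ${Path}: $($e.Id) $($e.Rights) [$($e.Inh)/$($e.Prop)]" }
    }
    return $findings
}

function Test-RedirectionShareAccess([string]$Name) {
    # Share permissions stay wide open (Everyone Full Control); NTFS does the restricting.
    $findings = @()
    $entries = Get-SmbShareAccess -Name $Name -ErrorAction Stop
    $full = $entries | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' }
    if (-not $full) { $findings += "Share ${Name}: Everyone does not have Full Control." }
    foreach ($x in $entries) {
        if ($x.AccountName -ne 'Everyone') { $findings += "Share ${Name}: extra share ACE for $($x.AccountName) ($($x.AccessControlType) $($x.AccessRight))." }
    }
    return $findings
}

function Set-RedirectionRootAcl([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # break inheritance and do NOT copy the parent's ACEs
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
    foreach ($e in $Expected) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($e.Id, $e.Rights, $e.Inh, $e.Prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$issues = @(Test-RedirectionRootAcl $Root) + @(Test-RedirectionShareAccess $ShareName)
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host "ACLs on $Root and $ShareName match the recommendation." }
if ($Apply -and $issues) { Set-RedirectionRootAcl $Root; Write-Host "Applied the recommended NTFS ACL to $Root (share permissions are left for you to fix)." }
```

Run it once without -Apply and read the warnings; an "Unexpected ACE" for Everyone or Authenticated Users with inheritable rights is the case that lets users read each other's folders once exclusive rights are cleared. The audit compares inheritance and propagation flags as well as the rights, because Everyone with the four listed rights on "This folder only" is safe while the same rights applied to "Subfolders and files" are not.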

Utilize the free Microsoft SharePoint Migration Manager to migrate user files to OneDrive

The SharePoint Migration Manager is a free tool provided by Microsoft that allows you to migrate files from a network share to a user's OneDrive. This tool is designed to work with both SharePoint and OneDrive, making it a versatile option for file migration.

  1. Navigate to the Microsoft 365 admin center and click ... Show all > SharePoint.
  2. In the left navigation pane, click Migration.

Win32 App Deployment in Intune: Leveraging Verbose Logs to Fix Installation Issues

· 7 min read

Win32 app deployment flowchart

When deploying applications using Microsoft Intune, the line-of-business (LOB) deployment method can make the process easier. However, once installations deployed using LOB start failing, very little logging information is available to troubleshoot the issue. This is where Win32 app deployment shines 🤩

Deploying Microsoft Entra Self-Service Password Reset in a Hybrid Environment with PowerShell

· 9 min read

Self-service password reset diagram

One of the first things organizations do once they upgrade to an M365 license type that includes Microsoft Entra ID P1 is to start rolling out Conditional Access policies to enforce fine-grained security policies. After that, an attractive feature, especially for organizations with a hybrid environment, is Self-Service Password Reset (SSPR).

Using Microsoft application proxy to enforce MFA on the Genetec web app

· 2 min read

If an on-premises web application does not support modern authentication, using Microsoft Entra application proxy can be a great way to add strong authentication (MFA) to the web app. This provides multiple benefits: firstly, when an Entra application proxy app is created, it is assigned a service principal in the Entra tenant and can therefore be targeted by Conditional Access policies to enforce strong authentication before access is granted. Secondly, Microsoft Entra application proxy allows access to internal web applications without the need for a VPN or opening up any inbound ports on the firewall.