Setting Site-to-Zone policy will remove SharePoint Online Trusted sites additions by default

[Borgquite]

We experienced a number of issues with SharePoint Online / OneDrive integration after making these changes. It turns out that the OneDrive client adds the following sites to the 'Trusted' security zone in Internet Explorer on a computer by default, but these default entries are 'overridden' when setting Site to Zone via Group Policy:
https://[tenantname]-files.sharepoint.com -> 2 (Trusted Sites)
https://[tenantname]-myfiles.sharepoint.com -> 2 (Trusted Sites)
Without those settings we experienced various hangs in OneDrive and issues with the new Office file collaboration settings with OneDrive Sync.

According to these pages, it is best practice to have these entries added. Therefore if you are recommending users to configure the Site to Zone policy when using Office 365, you should advise them to add these entries as well

https://support.office.com/en-US/client/results?Shownav=true&lcid=1033&version=15&omkt=en-US&ver=15&HelpID=O365E_AppLTrustedSites
https://techcommunity.microsoft.com/t5/sharepoint/adding-the-sharepoint-online-url-to-the-trusted-site-zones-in-ie/m-p/140590/highlight/true#M12753

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 5d53fedc-b37d-9c37-fd71-32088e1e88d3
• Version Independent ID: 1d67c426-39ff-8646-139d-51cd5e9fe44e
• Content: Azure AD Connect: Seamless Single Sign-On - quickstart
• Content Source: articles/active-directory/hybrid/how-to-connect-sso-quick-start.md
• Service: active-directory
• Sub-service: hybrid
• GitHub Login: @billmath
• Microsoft Alias: billmath

[JamesTran-MSFT]

@ChrisAtMAF
This looks like a duplicate issue with #63538.

I'll be closing this one since it looks like the article linked to the other question is more relevant to what you're asking.

[Borgquite]

Hey @JamesTran-MSFT - both articles reference setting the 'Site-to-Zone' setting via Group Policy (to different ends) so they probably both need updating since it will be a side-effect of either process. But can discuss in the other article first if you like.

[JamesTran-MSFT]

@ChrisAtMAF
Thanks for the clarification! I'll look into this and update you as soon as possible.

[JamesTran-MSFT]

@ChrisAtMAF
I have assigned this issue to the author who will investigate and update as appropriate.

[Borgquite]

Thanks. You can see that the OneDrive client attempts to add these files automatically on client computers by checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sharepoint.com[tenantname]-files and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sharepoint.com[tenantname]-myfiles on any device. The main experience that I remember seeing is if you try to open a OneDrive file on your desktop from the OneDrive file, the computer pops up a security warning without these keys set. I also believe we saw some hangs and slowdowns as a result, Here's another page that indicates some of these entries require putting in for smooth running: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/troubleshoot-issues-using-open-with-explorer

Hope we can get this sorted!

[billmath]

This github issue needs to be re-opened with SharePoint. The issue doesn't appear to be with single sign-on.

#please-close