In May 2025, Microsoft introduced a new feature in OneDrive titled Prompt to Add Personal Account to OneDrive Sync. This update allows users to synchronize their personal OneDrive accounts with corporate accounts by default, aiming to streamline file access across devices. However, this change has sparked significant security concerns among IT professionals.
Understanding the New OneDrive Sync Feature
The Prompt to Add Personal Account to OneDrive Sync feature enables the OneDrive Sync client on Windows to detect personal Microsoft accounts associated with business devices. Upon detection, users receive a prompt to sync their personal OneDrive files alongside their work files without additional configuration. This default activation marks a departure from Microsoft’s previous approach of maintaining a clear separation between personal and business data on corporate devices.
Security Implications and Risks
The automatic synchronization of personal and corporate accounts introduces several security risks:
1. Data Exfiltration: Users can inadvertently or intentionally transfer sensitive corporate data to personal, unmanaged environments. Once in personal accounts, data can be shared without corporate oversight, leading to potential data breaches.
2. Lack of Monitoring: The default sync lacks inherent controls and logging mechanisms, making it challenging for IT departments to monitor data transfers between corporate and personal accounts.
3. Compliance Violations: Organizations subject to regulatory requirements may face compliance issues due to unauthorized data transfers facilitated by this feature.
Mitigation Strategies for IT Administrators
To address these concerns, IT administrators can implement the following policies:
1. DisableNewAccountDetection Policy: This policy suppresses the prompt to add personal accounts, allowing users to manually configure their personal accounts if necessary.
2. DisablePersonalSync Policy: This policy completely prevents users from syncing their personal OneDrive accounts on corporate devices, effectively mitigating the risk of unauthorized data transfers.
Security experts strongly recommend implementing the DisablePersonalSync policy to maintain strict control over corporate data. Microsoft MVP Simon Hartmann Eriksen advised on LinkedIn: To all Endpoint Admins – Make sure this policy is enabled: ‘Prevent users from syncing personal OneDrive accounts (User).’
Community Feedback and Concerns
The introduction of this feature has elicited reactions from the IT community. One system administrator commented, We have had personal accounts turned off since we started using OneDrive many years ago… but the fact that they’re enabling it by default is pretty crappy. Another user noted, Hey Microsoft, I’ve heard that what customers really want is to share all their business documents with everybody in their contacts list!
Recommendations for Organizations
Organizations should take the following steps to safeguard their data:
1. Review OneDrive Management Practices: Assess current OneDrive configurations and identify potential vulnerabilities introduced by the new feature.
2. Update Policies and Implement Controls: Apply the DisablePersonalSync policy to prevent personal account synchronization on corporate devices.
3. Educate Employees: Inform staff about the security risks associated with syncing personal and corporate accounts and provide guidelines on maintaining data integrity.
4. Monitor for Unauthorized Syncing: Regularly audit OneDrive usage to detect any unauthorized synchronization of personal accounts.
Conclusion
While Microsoft’s new OneDrive feature aims to enhance user convenience, it inadvertently introduces significant security risks. By proactively implementing the recommended policies and educating employees, organizations can mitigate these risks and ensure the protection of their corporate data.
