OneDrive New Feature Allows Default Sync of Personal & Corporate Accounts

Microsoft is rolling out a new OneDrive feature this month that allows users to sync their personal accounts with corporate accounts by default, raising significant security concerns among IT professionals.

The feature, officially titled “Prompt to Add Personal Account to OneDrive Sync,” is designed to streamline file access but may inadvertently create serious data exfiltration risks for organizations.

According to the Microsoft 365 Roadmap, this update enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their OneDrive files.

If users accept the prompt, their files will begin syncing alongside their work files without requiring additional configuration.

The most concerning aspect for security professionals is that no action is required to enable this behavior; it is activated by default. This represents a significant shift in Microsoft’s approach to separating personal and business data on corporate devices.

OneDrive New Feature Allows Default Sync

Security experts warn that this feature creates a substantial risk of sensitive corporate data being transferred to personal, unmanaged environments.

Users noted that, “If a user clicks ‘Yes’—and if IT hasn’t proactively locked this down, they’re now free to copy files from their business OneDrive into their personal OneDrive account. From there, they can share anything with anyone. There is no logging, no control, and no corporate restrictions.”

Automatic syncing bypasses established security protocols, as it lacks inherent controls, logging mechanisms, and corporate policies that typically govern the synchronization of personal accounts on business devices.

This creates a potential pathway for unintentional and malicious data transfers outside the corporate environment.

IT administrators have two primary options to mitigate this risk:

  1. Deploy the DisableNewAccountDetection policy, which suppresses the prompts but allows users to manually configure their personal accounts.
  2. Implement the DisablePersonalSync policy, which completely prevents users from syncing their personal OneDrive files on corporate devices.

Security professionals strongly recommend the latter option. Microsoft MVP Simon Hartmann Eriksen recently advised on LinkedIn: “To all Endpoint Admins – Make sure this policy is enabled: ‘Prevent users from syncing personal OneDrive accounts (User)’”.

Given the ease of potential data exfiltration and compliance risks this feature introduces, IT teams are urged to immediately verify the status of these policies within their organizations and implement appropriate controls based on their security requirements.
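One way to verify the status of the two policies on a Windows endpoint, as an added example that is not from the original article or from Microsoft. It assumes both policies are stored as DWORD values under `SOFTWARE\Policies\Microsoft\OneDrive`; the article does not state the registry hive, so both HKLM and HKCU are checked, and the function name `Get-OneDrivePolicyState` is hypothetical.

```powershell
# Added example: audit the two OneDrive policies named in the article.
# Assumption: policies are DWORD values under SOFTWARE\Policies\Microsoft\OneDrive.
# The hive is not given in the article, so HKLM and HKCU are both inspected.
# Run in the signed-in user's context so HKCU reflects that user's policy.
$subKey   = 'SOFTWARE\Policies\Microsoft\OneDrive'
$policies = 'DisablePersonalSync', 'DisableNewAccountDetection'
$hives    = 'HKLM:', 'HKCU:'

function Get-OneDrivePolicyState {   # hypothetical helper name
    param([string]$Hive, [string]$Name)
    $path  = Join-Path $Hive $subKey
    $value = $null
    if (Test-Path -LiteralPath $path) {
        # A missing value yields no object; keep $value as $null in that case.
        $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$Name }
    }
    [pscustomobject]@{
        Policy  = $Name
        Hive    = $Hive
        Value   = $value          # $null means "not configured"
        Enabled = ($value -eq 1)  # 1 = policy enabled
    }
}

$results = foreach ($p in $policies) {
    foreach ($h in $hives) { Get-OneDrivePolicyState -Hive $h -Name $p }
}
$results | Format-Table -AutoSize | Out-String | Write-Output

# A policy counts as enforced if it is set to 1 in either hive.
$blocked    = [bool]($results | Where-Object { $_.Policy -eq 'DisablePersonalSync' -and $_.Enabled })
$suppressed = [bool]($results | Where-Object { $_.Policy -eq 'DisableNewAccountDetection' -and $_.Enabled })

if ($blocked) {
    Write-Output 'OK: personal OneDrive sync is blocked (DisablePersonalSync = 1).'
}
elseif ($suppressed) {
    Write-Output 'PARTIAL: prompt suppressed, but users can still add a personal account manually.'
    exit 2
}
else {
    Write-Output 'EXPOSED: neither policy is set; the default prompt will appear.'
    exit 1
}
```

The non-zero exit codes let a management tool that runs compliance scripts flag devices where only the prompt is suppressed or where nothing is configured.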

As one system administrator commented, “We have had personal accounts turned off since we started using OneDrive many years ago… but the fact that they’re enabling it by default is pretty crappy.”

Another user sarcastically noted, “Hey Microsoft, I’ve heard that what customers really want is to share all their business documents with everybody in their contacts list!”

Organizations should review their OneDrive management practices and update their policies before this feature becomes widely available to ensure their corporate data remains protected.

The post OneDrive New Feature Allows Default Sync of Personal & Corporate Accounts appeared first on Cyber Security News.
