OneDrive’s New Synchronization Prompt: Security Risk or Wake-Up Call?

Microsoft is introducing a new feature in OneDrive for business users: the “Prompt to Add Personal Account to OneDrive Sync.” This feature automatically detects personal Microsoft accounts on business devices and asks users if they want to sync their personal OneDrive files. Although intended to increase ease of use, this feature has raised concerns within the IT and security community.

What does the new feature entail?

The OneDrive Sync client on Windows searches business devices and detects personal Microsoft accounts associated with them. Users are then given an explicit prompt to sync their personal OneDrive files alongside their business files. If a user accepts this prompt, personal files are synced along with business files. This feature is enabled by default unless administrators actively configure specific policies to prevent it.

More information about this change can be found in the Microsoft 365 Roadmap.

Figure: the OneDrive prompt, and the DisableNewAccountDetection and DisablePersonalSync policies that suppress it

Security implications

The new functionality within OneDrive, which actively asks users to add a personal Microsoft account on business devices, raises questions about corporate data security.

Once a user accepts this prompt, moving files from a business OneDrive folder to a personal one becomes trivial. Because personal storage lies outside the organization's management, sensitive or confidential information can escape monitoring and control.

An additional risk is that when an employee leaves, files in the personal account remain accessible, increasing the likelihood of unauthorized access or data leakage. In addition, personal files being synced can also provide an entry point for malware, phishing or other cyber threats, unknowingly exposing business devices to outside risks.

Context and perspective

Although this functionality has now been made more prominent through a system notification, the ability to add personal accounts to corporate devices had been around for some time. Organizations that have strict endpoint and cloud policies in place have typically already taken steps to limit or completely block unwanted links and data traffic.

In particular, the recent change makes this option more explicit to end users and underscores the importance for IT administrators to reevaluate their existing policies and technical limitations. This emphasizes the need for proactive configuration through group policy settings and user awareness as a fundamental layer of defense.

Therefore, the advice is NOT to allow personal accounts on corporate devices and to accept only the organization's own tenant. This prevents external or private data from entering corporate systems and helps maintain full control over corporate data.

What can IT administrators do?

There are several important group policy settings that administrators can implement to mitigate this risk:

  1. DisablePersonalSync: Prevents users from linking personal Microsoft accounts to OneDrive on corporate devices.
  2. DisableNewAccountDetection: Suppresses the prompt that encourages users to synchronize their personal OneDrive accounts.
  3. AllowTenantList: This policy lets administrators define a list of allowed tenants, so that only OneDrive accounts within the specified organization(s) can be synced. This prevents employees from linking external or personal Microsoft accounts on corporate devices and protects against unwanted data movement.

By setting AllowTenantList correctly, organizations can ensure that only accounts within their own tenant can access OneDrive sync. This is a crucial measure to prevent data loss and uncontrolled synchronization of business files to private repositories.
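The following audit script is an added example, not code from the original article or from Microsoft: it checks a Windows device for the three policies listed above by reading the OneDrive policy location under HKLM\SOFTWARE\Policies\Microsoft\OneDrive, and reports which controls are missing. The tenant ID is a placeholder that must be replaced with your own tenant GUID.

```powershell
# Added example (not from the original article): audit a device for the three
# OneDrive policies discussed above. Assumes the OneDrive policy registry location
# HKLM:\SOFTWARE\Policies\Microsoft\OneDrive and a PLACEHOLDER tenant GUID.

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$TenantListKey  = Join-Path $PolicyKey 'AllowTenantList'
$ExpectedTenant = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your tenant ID

function Get-DwordPolicy {
    param([string]$Name)
    # Returns the DWORD value, or $null when the key or value is absent
    try { (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-OneDrivePersonalSyncPolicy {
    $findings = [ordered]@{}

    # 1. DisablePersonalSync = 1 blocks linking personal Microsoft accounts
    $findings['DisablePersonalSync'] = (Get-DwordPolicy 'DisablePersonalSync') -eq 1

    # 2. DisableNewAccountDetection = 1 suppresses the new "add personal account" prompt
    $findings['DisableNewAccountDetection'] = (Get-DwordPolicy 'DisableNewAccountDetection') -eq 1

    # 3. AllowTenantList: each allowed tenant GUID is a value name with data "1"
    $allowed = @()
    if (Test-Path $TenantListKey) {
        $allowed = (Get-ItemProperty -Path $TenantListKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq '1' } |
            ForEach-Object Name
    }
    $findings['AllowTenantList'] = ($allowed.Count -gt 0) -and ($allowed -contains $ExpectedTenant)

    # Print one line per control so the gap is visible at a glance
    foreach ($entry in $findings.GetEnumerator()) {
        $state = if ($entry.Value) { 'OK     ' } else { 'MISSING' }
        Write-Output ('{0}  {1}' -f $state, $entry.Key)
    }
    if ($allowed) { Write-Output ('Allowed tenants: {0}' -f ($allowed -join ', ')) }

    # $true only when all three controls are in place
    return -not ($findings.Values -contains $false)
}

Test-OneDrivePersonalSyncPolicy
```

Run it in an elevated PowerShell session on a managed device; a device where any line reads MISSING still shows the prompt or accepts accounts from other tenants.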

Conclusion

While the new OneDrive feature is intended to improve ease of use, it highlights the urgency for organizations to regularly review and update their security policies and settings. A proactive approach is necessary: IT administrators must ensure that data transfers remain within organizational frameworks and that the integrity of corporate data is maintained at all times.