OneDrive: Microsoft’s New Rollout May Be a Gift-Wrapped Data Leak


Function rollout opens new security gap?

A commentary on a recent roadmap change – and why admins need to act fast

[Update 05/22/25] There is a follow-up blog post on this topic here, but you should read this article first

Microsoft is rolling out a new OneDrive feature to business users in May 2025 – and if you’re not paying attention, you might be leaving the front door wide open for corporate data to walk right out.

Let’s take it from the top.

On April 25, 2025, this appeared on Microsoft’s roadmap:

This is a feature that will be rolled out in May 2025 unless the IT department has actively opted out.

OneDrive: Prompt to add a personal account to OneDrive Sync

This feature enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their personal OneDrive files. If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default. Admins can suppress or disable it using the DisableNewAccountDetection or DisablePersonalSync policies.

What does that mean in practice?

A user clicks “Yes” – and if IT hasn’t proactively locked this down, the personal OneDrive now sits on the same device as the business OneDrive, and the user is free to copy files from one into the other. From there, they can share anything with anyone. Nothing in the tenant records the copy, no corporate sharing restriction applies to the personal account, and IT has no control over it.

A data exfiltration loophole that’s shockingly easy to exploit.

Just drag and drop from your business folder to your personal folder – and voilà, the file has exited your compliance perimeter. And what happens when you leave the organization? The personal account, and everything copied into it, leaves with you. Microsoft has essentially embedded a perfect side channel for unsanctioned data transfers.

So what can IT do?

There are exactly two Group Policies that can help – but only if they’re known and explicitly enforced.


DisablePersonalSync – Prevent users from syncing personal OneDrive accounts

[Figure: the OneDrive group policy DisablePersonalSync, shown in the Group Policy editor under its long name “Prevent users from syncing personal OneDrive accounts”]

This setting prevents users from connecting personal Microsoft accounts to the sync client. Without this policy, users are free to mix personal and business files on the same device.

Important: If the policy is enabled after syncing has already started, the sync is stopped – but any files already on the device remain.

This policy should be mandatory in any professional environment. There is absolutely no legitimate reason to allow personal OneDrive accounts in a business context. The risk is disproportionate.


DisableNewAccountDetection – Stops the pop-up, not the problem

[Figure: the OneDrive group policy DisableNewAccountDetection, shown under its long name “Disable a toast and activity center message to encourage a user to sign in OneDrive using an existing credential that is made available to Microsoft applications”; it only prevents the toast from appearing]

This one just hides the prompt. Users who know what they’re doing can still manually add their personal OneDrive account.

Bottom line: This is cosmetic. Don’t rely on it.


Conclusion: The default is insecure

Microsoft ships this enabled by default – leaving it up to IT to plug the hole. If you’re caught off guard, tough luck. You should’ve known the Group Policy settings.

Failing to disable this is essentially giving users a sanctioned way to leak data without oversight.

Admins should check immediately whether DisablePersonalSync is enforced. Anything less is dangerously negligent.
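The check the post calls for, as an added PowerShell example (not code from the original post or from Microsoft): it reads the two policy values on the machine it runs on, reports whether DisablePersonalSync is actually enforced, warns if a personal account is already linked for the current user, and with -Enforce writes both values. The registry locations are the ones the comments below cite (HKCU for DisablePersonalSync, HKLM for DisableNewAccountDetection). The HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Personal key is the sync client's own state, not a policy, and is assumed here as the place an already-linked personal account shows up; verify it on a test device before relying on it.

```powershell
<#
  Added example, not part of the original post.
  Audits (and with -Enforce, sets) the two OneDrive policies discussed above.
  Policy locations, as cited in the comments:
    HKLM\SOFTWARE\Policies\Microsoft\OneDrive\DisableNewAccountDetection  (computer policy)
    HKCU\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync         (user policy)
  Assumption: a linked personal account is recorded by the sync client under
    HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Personal  (UserEmail, UserFolder)
  Writing HKLM needs an elevated session. On domain-joined or Intune-managed devices
  set the policy centrally; -Enforce is for the standalone machines asked about in
  the comments, where nothing else will set it.
#>
[CmdletBinding()]
param(
    [switch]$Enforce
)

$script:OneDrivePolicies = @(
    [pscustomobject]@{
        Name   = 'DisablePersonalSync'
        Path   = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'
        Effect = 'blocks personal accounts in the sync client (the one that matters)'
    },
    [pscustomobject]@{
        Name   = 'DisableNewAccountDetection'
        Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
        Effect = 'hides the toast only; cosmetic'
    }
)

function Get-OneDrivePolicyState {
    # One row per policy: the raw DWORD ($null if absent) and whether it equals 1.
    foreach ($p in $script:OneDrivePolicies) {
        $item  = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($p.Name) } else { $null }
        [pscustomobject]@{
            Policy   = $p.Name
            Path     = $p.Path
            Value    = $value
            Enforced = ($value -eq 1)
            Effect   = $p.Effect
        }
    }
}

function Set-OneDrivePolicy {
    # Creates the Policies\Microsoft\OneDrive key if it does not exist yet, then sets the DWORD to 1.
    param([Parameter(Mandatory)][pscustomobject]$Policy)
    if (-not (Test-Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null
    }
    New-ItemProperty -Path $Policy.Path -Name $Policy.Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-LinkedPersonalAccount {
    # Assumption (see header): the sync client keeps a linked personal account under this key.
    $acct = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Personal' -ErrorAction SilentlyContinue
    if ($null -eq $acct) { return $null }
    [pscustomobject]@{
        UserEmail  = $acct.UserEmail
        UserFolder = $acct.UserFolder
    }
}

# --- report ---
$state = Get-OneDrivePolicyState
$state | Format-Table Policy, Value, Enforced, Effect -AutoSize

$linked = Get-LinkedPersonalAccount
if ($linked) {
    Write-Warning "A personal OneDrive is already linked for this user: $($linked.UserEmail) -> $($linked.UserFolder)"
    Write-Warning 'Enabling DisablePersonalSync stops that sync but leaves the files already on disk.'
}

$gap = $state | Where-Object { $_.Policy -eq 'DisablePersonalSync' -and -not $_.Enforced }
if ($gap) {
    if ($Enforce) {
        foreach ($p in $script:OneDrivePolicies) { Set-OneDrivePolicy -Policy $p }
        Write-Host 'Both policy values set to 1; the sync client applies them on its next start or policy refresh.'
    } else {
        Write-Warning 'DisablePersonalSync is NOT enforced: users can add a personal OneDrive. Re-run with -Enforce or set it via GPO/Intune.'
        exit 1
    }
}
```

Run it in the context of the user you are auditing, since DisablePersonalSync is a per-user value; the non-zero exit code makes it usable as a compliance check from a management agent. DisableNewAccountDetection is set as well only because it removes the prompt; as the post says, it is not a substitute for DisablePersonalSync.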

[Update 05/22/25] There is a follow-up blog post on this topic here.


Discover more from Hans Brender's Blog


11 thoughts on “OneDrive: Microsoft’s New Rollout May Be a Gift-Wrapped Data Leak”

    1. DisablePersonalSync Enabled is a GP for devices. So all users will not be able to install OneDrive Personal on the device. For all users who had OneDrive Personal before, the sync will be disabled; the files remain on the device.


    1.  [HKLM\SOFTWARE\Policies\Microsoft\OneDrive]
        "DisableNewAccountDetection"=dword:00000001

        [HKCU\SOFTWARE\Policies\Microsoft\OneDrive]
        "DisablePersonalSync"=dword:00000001

      But read the article, there are links inside... going to Microsoft.


  1. What about non-domain joined computers? If OneDrive is open to be installed on them, it will not be possible to stop users doing this.

    Please tell me that I am missing something here.


  2. I noticed that when you enforce the policy, the personal OneDrive remains visible. However, the contents of the folders are empty. Do you have an idea how to make everything invisible?

    Greetings, Frank / Rotterdam

