
A commentary on a recent roadmap change – and why admins need to act fast
[Update 05/22/25] There is a follow-up blog post on this topic here, but you should read this article first
Microsoft is rolling out a new OneDrive feature to business users in May 2025 – and if you’re not paying attention, you might be leaving the front door wide open for corporate data to walk right out.
Let’s take it from the top.
On April 25, 2025, this appeared on Microsoft’s roadmap:

OneDrive: Prompt to add a personal account to OneDrive Sync
This feature enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their personal OneDrive files. If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default. Admins can suppress or disable it using the DisableNewAccountDetection or DisablePersonalSync policies.
What does that mean in practice?
A user clicks “Yes” – and if IT hasn’t proactively locked this down, they’re now free to copy files from their business OneDrive into their personal OneDrive account. From there, they can share anything with anyone. No logging. No control. No corporate restrictions.
A data exfiltration loophole that’s shockingly easy to exploit.
Just drag and drop from your business folder to your personal folder – and voilà, the file has exited your compliance perimeter. And what happens when you leave the organization? Microsoft has essentially embedded a perfect side channel for unsanctioned data transfers.
So what can IT do?
There are exactly two Group Policies that can help – but only if they’re known and explicitly enforced.
DisablePersonalSync – Prevent users from syncing personal OneDrive accounts

This setting prevents users from connecting personal Microsoft accounts to the sync client. Without this policy, users are free to mix personal and business files on the same device.
Important: If the policy is enabled after syncing has already started, the sync is stopped – but any files already on the device remain.
This policy should be mandatory in any professional environment. There is absolutely no legitimate reason to allow personal OneDrive accounts in a business context. The risk is disproportionate.
DisableNewAccountDetection – Stops the pop-up, not the problem

This one just hides the prompt. Users who know what they’re doing can still manually add their personal OneDrive account.
Bottom line: This is cosmetic. Don’t rely on it.
Conclusion: The default is insecure
Microsoft ships this enabled by default – leaving it up to IT to plug the hole. If you’re caught off guard, tough luck. You should’ve known the Group Policy settings.
Failing to disable this is essentially giving users a sanctioned way to leak data without oversight.
Admins should check immediately whether DisablePersonalSync is enforced. Anything less is dangerously negligent.
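One way to run the check the article asks for, as an added example that is not from the original post: a read-only PowerShell audit of the two policy values at the registry locations quoted in the comments below, run in the context of the user being checked. The function name Get-OneDrivePolicyState is hypothetical, and using $env:OneDriveConsumer to locate a leftover personal sync folder is an assumption about the sync client.

```powershell
# Added example (not from the original post): read-only audit of the two policies.
# Registry locations are the ones quoted in the comment thread under this article.
$policies = @(
    @{ Name = 'DisablePersonalSync';        Key = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'; Blocks = 'personal account sync' }
    @{ Name = 'DisableNewAccountDetection'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'; Blocks = 'the prompt only' }
)

# Hypothetical helper: maps a policy value to Enabled / Disabled / NotConfigured.
function Get-OneDrivePolicyState {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    # A missing key or a missing value both mean "not configured", so the default applies.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$report = foreach ($p in $policies) {
    [pscustomobject]@{
        Policy = $p.Name
        Key    = $p.Key
        State  = Get-OneDrivePolicyState -Key $p.Key -Name $p.Name
        Blocks = $p.Blocks
    }
}
$report | Format-Table -AutoSize

# Only DisablePersonalSync closes the gap; the other policy just hides the prompt.
$personalSync = $report | Where-Object Policy -eq 'DisablePersonalSync'
if ($personalSync.State -ne 'Enabled') {
    Write-Warning 'DisablePersonalSync is not enforced for this user: a personal OneDrive account can still be added.'
}

# The article notes that files synced before the policy was applied stay on the device.
# Assumption: the sync client exposes the personal sync root in $env:OneDriveConsumer.
$personalRoot = $env:OneDriveConsumer
if ($personalRoot -and (Test-Path -LiteralPath $personalRoot)) {
    $count = @(Get-ChildItem -LiteralPath $personalRoot -Recurse -File -ErrorAction SilentlyContinue).Count
    Write-Warning "Personal OneDrive folder still present: $personalRoot ($count files) - review for business data."
}
```

The script changes nothing on the machine; enforcement itself belongs in Group Policy or your device management tooling.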

Hi, will the DisablePersonalSync policy also block the prompt? Or do we have to do both policies?
DisablePersonalSync Enabled is a GP for devices. So all users will not be able to install OneDrive Personal on the device. For all users who had OneDrive Personal before, the sync will be disabled; the files remain on the device.
No, but there is a Computer setting that disables the toast notification as well. This article has all the details: https://lazyadmin.nl/office-365/new-onedrive-prompt-could-mix-work-and-personal-files/
What is the path to the two GPOs?
[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]
"DisableNewAccountDetection"=dword:00000001
[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]
"DisablePersonalSync"=dword:00000001
But read the article, there are links inside… going to Microsoft
What about non-domain joined computers? If OneDrive is open to be installed on them, it will not be possible to stop users doing this.
Please tell me that I am missing something here.
I noticed that when you enforce the policy, the personal OneDrive remains visible. However, the contents of the folders are empty. Do you have an idea how to make everything invisible?
Greetings, Frank / Rotterdam
I carried this out. In my case the files were still there, but OneDrive Personal (gray cloud) was gone.
But that is the normal behavior.
Maybe a reboot helps?