Microsoft will soon introduce a new feature to OneDrive that can impact data and device security for work accounts. The feature is called Prompt to Add Personal Account to OneDrive Sync. When a user logs in to their OneDrive account for work, Microsoft will prompt and encourage the user to also sync their personal OneDrive.
Syncing these two accounts on the same devices could lead to a number of problems and security vulnerabilities:
- Work files could be saved to a personal account and shared outside of your domain
- A compromised personal account could infect data/devices in your work environment
- There is no logging to show what data is saved to the personal accounts, so there would be no audit of data lost/moved/stolen
When Microsoft first announced this feature, the technology industry pointed out its various security flaws and complained with such vigor that Microsoft delayed the update another month to give security professionals time to put additional protections in place. If ITS manages your Microsoft 365 domain, we have now blocked the prompt that asks your users to add their personal account. The policy we applied is DisablePersonalSync.
If you do not have a managed domain, you will need to notify your staff of this update and encourage them not to sync their data. The rollout date of this feature is now June 2025.
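One way to confirm on a Windows endpoint that the DisablePersonalSync policy has actually landed is shown below. This is an added example, not part of the original advisory or ITS's own tooling. It reads Microsoft's documented per-user policy key, and it assumes the sync client records a linked personal account in a `UserEmail` value under `Accounts\Personal`. The function name `Get-PersonalSyncStatus` is hypothetical.

```powershell
# Added example: audit DisablePersonalSync for every user hive loaded on this machine.
# Run from an elevated PowerShell session so other users' hives are readable.
# Only signed-in users have a hive under HKEY_USERS; others are not covered.

# Documented per-user policy location for OneDrive sync settings.
$policySubKey   = 'SOFTWARE\Policies\Microsoft\OneDrive'
# Assumption: the sync client stores a linked personal account under this key.
$personalSubKey = 'SOFTWARE\Microsoft\OneDrive\Accounts\Personal'

function Get-PersonalSyncStatus {
    # Real user accounts have SIDs of the form S-1-5-21-...; this pattern also
    # skips the companion "<SID>_Classes" hives.
    $sids = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $policyPath   = "Registry::HKEY_USERS\$sid\$policySubKey"
        $personalPath = "Registry::HKEY_USERS\$sid\$personalSubKey"

        # A missing key or value yields $null, meaning the policy is not configured.
        $value = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).DisablePersonalSync

        # Assumption: UserEmail is populated once a personal account is signed in.
        $email = (Get-ItemProperty -Path $personalPath -ErrorAction SilentlyContinue).UserEmail

        $state = if ($null -eq $value) { 'NotConfigured' }
                 elseif ($value -eq 1) { 'Blocked' }
                 else                  { 'Allowed' }

        [pscustomobject]@{
            Sid                   = $sid
            PolicyState           = $state
            PersonalAccountLinked = -not [string]::IsNullOrEmpty($email)
            # A linked account without the block in place is the case to follow up.
            NeedsReview           = ($state -ne 'Blocked') -and
                                    (-not [string]::IsNullOrEmpty($email))
        }
    }
}

Get-PersonalSyncStatus | Format-Table -AutoSize
```

A row showing `NotConfigured` on a managed device suggests the policy has not reached that user yet. A row with `NeedsReview` set to `True` identifies a profile where a personal account was linked and the block is not in force.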
A resource with additional information is linked below: