Upcoming Microsoft OneDrive Add Personal Account to OneDrive Sync Could Expose Sensitive Data

What Happened?

Microsoft is rolling out a new feature in June 2025 that encourages enterprise users signed into their corporate OneDrive on Windows devices to also sign into their personal OneDrive accounts. While this feature provides convenient access to both corporate and personal accounts on a single device, it raises significant security concerns regarding potential inadvertent exposure of sensitive corporate data.

Security Risk

  • The feature could inadvertently encourage users to move or copy sensitive corporate documents into their personal OneDrive accounts.
  • Once corporate files are saved in a personal account, these documents become accessible from personal devices, creating a pathway for sensitive data leakage outside the organization's secure infrastructure.

Important Considerations

  • Microsoft’s prompt to add personal accounts does not merge or automatically sync content between corporate and personal accounts.
  • Users must deliberately move or save files between accounts, but the ease of accessing both simultaneously increases the risk of accidental data transfers.
  • Microsoft continues to block the transfer of certain known sensitive folders from corporate devices by default.

Recommended Actions

  • Policy Enforcement: Organizations should proactively employ policies such as DisablePersonalSync or the new DisableNewAccountDetection to prevent users from adding personal accounts to corporate devices.
  • User Awareness Training: Reinforce training about risks associated with storing or transferring sensitive corporate data to personal accounts.
  • Monitoring and Auditing: Increase monitoring for unusual data movement between corporate and personal OneDrive accounts, and conduct regular audits.
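
To verify that the policy enforcement recommended above has actually reached a device, the following added example (not from Microsoft or from the original post) audits both policy values in the registry. The registry locations are assumptions: `DisablePersonalSync` is read per user and `DisableNewAccountDetection` per machine, both under `SOFTWARE\Policies\Microsoft\OneDrive`; confirm them against Microsoft's OneDrive policy reference for your sync client version. The function names are hypothetical.

```powershell
# Added example: audit the two OneDrive policies named in "Recommended Actions".
# ASSUMPTION: key path and per-user / per-machine scope below; verify against
# Microsoft's OneDrive policy documentation before relying on the result.
$PolicySubKey = 'SOFTWARE\Policies\Microsoft\OneDrive'
$Checks = @(
    @{ Name = 'DisablePersonalSync';        Scope = 'User'    }
    @{ Name = 'DisableNewAccountDetection'; Scope = 'Machine' }
)

function Get-PolicyState {
    param([string]$KeyPath, [string]$ValueName)
    # A missing key or value means the policy was never delivered to this hive.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'NotConfigured' }
    if ($item.$ValueName -eq 1)   { return 'Enforced' }
    return "Unexpected($($item.$ValueName))"
}

function Test-OneDrivePersonalAccountPolicy {
    foreach ($check in $Checks) {
        if ($check.Scope -eq 'Machine') {
            [pscustomobject]@{
                Policy = $check.Name
                Hive   = 'HKLM'
                State  = Get-PolicyState "HKLM:\$PolicySubKey" $check.Name
            }
        } else {
            # Per-user policy: inspect every loaded user hive, not just the caller's.
            # S-1-5-21-* are local/AD accounts, S-1-12-1-* are Entra ID accounts.
            Get-ChildItem 'Registry::HKEY_USERS' |
                Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
                ForEach-Object {
                    $sid = $_.PSChildName
                    [pscustomobject]@{
                        Policy = $check.Name
                        Hive   = "HKU\$sid"
                        State  = Get-PolicyState "Registry::HKEY_USERS\$sid\$PolicySubKey" $check.Name
                    }
                }
        }
    }
}

# Run elevated so other users' hives are readable; otherwise they report NotConfigured.
$report = Test-OneDrivePersonalAccountPolicy
$report | Format-Table -AutoSize
$gaps = @($report | Where-Object { $_.State -ne 'Enforced' })
if ($gaps.Count -gt 0) { Write-Warning "$($gaps.Count) policy value(s) not enforced on $env:COMPUTERNAME" }
```

Only hives of signed-in users are loaded under `HKEY_USERS`, so run the audit while the users of interest are logged on or schedule it at logon.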

While Microsoft’s intent is to simplify account management, the potential for inadvertent sensitive data exposure necessitates careful evaluation, user education, and the implementation of strict policy controls to safeguard corporate information effectively.
