Microsoft OneDrive update raises security concerns for business data

Microsoft is introducing a new OneDrive feature that synchronizes data between personal and business accounts, raising significant security concerns. The feature, officially named "Prompt to Add Personal Account to OneDrive Sync," could allow users to bypass corporate security policies, potentially exposing sensitive business data.

How the Feature Works

The feature, set to roll out in June, detects personal accounts on business devices and prompts users to synchronize their files. Once accepted, files automatically sync to the business OneDrive environment without additional configuration. This means if a user logs into a personal Microsoft account on a work device, they’ll receive a notification to link the account by default.

"This default setting bypasses established security protocols, as it lacks inherent controls, logging mechanisms, and corporate policies governing synchronizing personal accounts on business devices," warns Paolo C, Senior Cybersecurity Strategic Advisor at BARE Cybersecurity.

Security Risks

• Unintentional Data Transfer: Users could accidentally sync business files to personal, unmanaged accounts.
• Malicious Activity: The feature could be exploited to exfiltrate sensitive corporate data.
• Lack of Controls: No built-in logging or policy enforcement to prevent misuse.

Mitigation Options for IT Admins

1. DisableNewAccountDetection Policy: Suppresses notifications but allows manual account configuration.
2. DisablePersonalSync Policy: Blocks all personal account syncing on company devices.

Related: Opening and saving files in OneDrive freezes macOS

This update highlights the ongoing tension between user convenience and corporate security, urging businesses to proactively address potential vulnerabilities.