Microsoft is rolling out a new OneDrive feature that synchronizes data from personal accounts with business accounts. The feature, officially called “Prompt to Add Personal Account to OneDrive Sync,” allows bypassing security policies. This could result in business data ending up in the wrong hands.
Microsoft will enable the feature in June. It detects personal accounts on business devices. Users will then receive a notification to synchronize their OneDrive files. When users accept the notification, their files will automatically start synchronizing to their business OneDrive environment without additional configuration.
So if a user signs in with a personal Microsoft account on a business device, they will by default receive a notification prompting them to link the account. The user decides whether to grant permission, but accepting the notification may seem convenient or harmless to someone who is unaware of the risks.
Security risks with automatic synchronization
Security experts warn that this feature poses a significant risk to the transfer of sensitive business data to personal, unmanaged environments. Once approved, users can copy files from their business OneDrive to their personal OneDrive account if their IT department has not actively blocked this.
“Of course, this default setting bypasses established security protocols, as it lacks inherent controls, logging mechanisms, and corporate policies governing synchronizing personal accounts on business devices,” writes Senior Cybersecurity Strategic Advisor Paolo C of BARE Cybersecurity. “Consequently, this creates a substantial risk of sensitive corporate data being unintentionally or maliciously transferred to personal, unmanaged environments.”
This creates a potential route for accidental and malicious data transfer outside the corporate environment.
Limit the risk
IT administrators have two options to mitigate this risk. They can implement the DisableNewAccountDetection policy, which suppresses the notifications but allows users to manually configure their personal accounts. They can also implement the DisablePersonalSync policy, which completely prevents users from synchronizing their OneDrive files on company devices.
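As an added example that is not part of the article, the following PowerShell audits a device for both policies and applies either option. It assumes the policies are DWORD values under the standard OneDrive policy key HKLM:\SOFTWARE\Policies\Microsoft\OneDrive documented by Microsoft, which should be verified against current documentation (the same values can be deployed via Group Policy or Intune instead of this script).

```powershell
# Added example (not from the article): audit and apply the two OneDrive policies it names.
# Assumption: both policies are DWORD values under the standard OneDrive policy key below.
# Run in an elevated PowerShell session on the managed device.

$OneDrivePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-OneDrivePersonalSyncPosture {
    # A missing key or value means the default: prompt shown, personal sync allowed.
    $props = Get-ItemProperty -Path $OneDrivePolicyKey -ErrorAction SilentlyContinue
    $promptBlocked = ($null -ne $props) -and ($props.DisableNewAccountDetection -eq 1)
    $syncBlocked   = ($null -ne $props) -and ($props.DisablePersonalSync -eq 1)

    $posture = 'Exposed'                                   # prompt shown, personal sync allowed
    if ($promptBlocked) { $posture = 'PromptSuppressedOnly' } # manual personal sync still possible
    if ($syncBlocked)   { $posture = 'PersonalSyncBlocked' }  # both routes closed

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        DisableNewAccountDetection = $promptBlocked
        DisablePersonalSync        = $syncBlocked
        Posture                    = $posture
    }
}

function Set-OneDrivePersonalSyncPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SuppressPrompt', 'BlockPersonalSync')]
        [string]$Mode
    )
    if (-not (Test-Path $OneDrivePolicyKey)) {
        New-Item -Path $OneDrivePolicyKey -Force | Out-Null
    }
    # Option 1: hide the new-account prompt; users can still add a personal account by hand.
    New-ItemProperty -Path $OneDrivePolicyKey -Name DisableNewAccountDetection `
        -PropertyType DWord -Value 1 -Force | Out-Null
    if ($Mode -eq 'BlockPersonalSync') {
        # Option 2: refuse personal-account sync entirely, closing the manual route too.
        New-ItemProperty -Path $OneDrivePolicyKey -Name DisablePersonalSync `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-OneDrivePersonalSyncPosture   # return the resulting posture for logging
}

# Usage: audit first, then apply the stricter option where personal sync should never occur.
Get-OneDrivePersonalSyncPosture | Format-List
# Set-OneDrivePersonalSyncPolicy -Mode BlockPersonalSync
```

Collecting the posture object from each managed device gives a quick fleet-wide view of which machines still show the prompt or allow personal sync.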