Microsoft will soon roll out a new OneDrive feature that allows users to sync both personal and corporate Microsoft accounts on the same Windows device. While the feature is meant to improve file access, it has triggered security concerns among IT professionals.
The update, called “Prompt to Add Personal Account to OneDrive Sync”, is linked to Microsoft 365 Roadmap ID 490064. It is expected to begin rolling out in mid-June 2025 and finish by early July 2025.
How the Feature Works
The system will detect when a user is signed into a personal Microsoft account on a device that also uses a corporate OneDrive. It will then prompt the user to connect their personal OneDrive as well.
If the user agrees, both OneDrive accounts will sync on the same machine. The accounts remain separate, and no content is automatically merged.
Security Concerns
Security experts are warning that the new feature could open doors to data leaks. Because syncing is enabled by default, users may move sensitive files from corporate OneDrive to personal accounts with no logging or restrictions.
“If a user clicks ‘Yes’—and IT hasn’t proactively locked this down—they’re free to copy files from business OneDrive into personal OneDrive,” one cybersecurity professional explained. “From there, they can share anything with anyone. There is no logging, no control, and no corporate restrictions.”
Bypassing Security Protocols
Critics argue this change undermines Microsoft’s previous approach of separating personal and business data. Without proper safeguards, the prompt may lead to accidental or intentional data transfers outside the organization.
Cybersecurity experts at Cybersecurity News noted that this kind of syncing often skips traditional security controls and monitoring policies, making it harder for organizations to track or prevent data exfiltration.
How IT Admins Can Respond
Organizations have a few ways to block or control the new feature:
DisableNewAccountDetection: Hides the prompt but allows users to manually add personal accounts.
DisablePersonalSync: Prevents personal OneDrive syncing entirely and stops the prompt from appearing.
Intune Setting: Use “Prevent users from syncing personal OneDrive accounts (user)” for added control.
Registry Changes: Some IT experts recommend combining Intune settings with registry tweaks for full protection.
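To see which of the states described above an endpoint is actually in, the read-only PowerShell audit below reports the two policy values and whether a personal account is already linked. It is an added example, not code from Microsoft or from the experts quoted here. The registry locations (the policy keys under `SOFTWARE\Policies\Microsoft\OneDrive` and the `Accounts\Personal` key with its `UserFolder` value) are assumptions to confirm against Microsoft's OneDrive policy documentation, and the function and state names are hypothetical.

```powershell
# Added example: read-only audit of the two OneDrive policies named above.
# Assumption: registry locations follow the usual OneDrive policy layout;
# confirm them against Microsoft's OneDrive policy documentation.
$PolicyKeys = @{
    DisablePersonalSync        = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'
    DisableNewAccountDetection = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
}
# Assumption: the sync client records a linked personal account under this key.
$PersonalAccountKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Personal'

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-OneDrivePersonalSyncPosture {
    $blockSync  = Get-PolicyDword $PolicyKeys.DisablePersonalSync 'DisablePersonalSync'
    $hidePrompt = Get-PolicyDword $PolicyKeys.DisableNewAccountDetection 'DisableNewAccountDetection'

    # DisablePersonalSync takes precedence: it blocks sync and suppresses the prompt.
    # DisableNewAccountDetection alone only hides the prompt; manual add still works.
    $state = if ($blockSync -eq 1) {
        'PersonalSyncBlocked'
    } elseif ($hidePrompt -eq 1) {
        'PromptHiddenManualAddAllowed'
    } else {
        'PromptAndSyncAllowed'
    }

    # A personal account linked before the policy was applied is worth flagging.
    $acct   = Get-ItemProperty -Path $PersonalAccountKey -ErrorAction SilentlyContinue
    $linked = [bool]($acct -and $acct.UserFolder)

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        User                       = $env:USERNAME
        DisablePersonalSync        = $blockSync
        DisableNewAccountDetection = $hidePrompt
        State                      = $state
        PersonalAccountLinked      = $linked
    }
}

Get-OneDrivePersonalSyncPosture | Format-List
```

Run it in the signed-in user's context, since one policy value and the account key are per-user; it changes nothing on the device.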
Security expert Steven Lim has developed a Microsoft Defender XDR detection query using KQL to help organizations identify when a personal OneDrive is added to a corporate endpoint.
Recommendations Before Rollout
Many IT professionals advise taking preventive action before the mid-June launch. “Personal data doesn’t belong on company devices,” one expert said. “Disable the prompt now to avoid a corporate data nightmare.”
Microsoft has encouraged organizations to update internal support documents and consider policy changes in advance of the rollout.