Welcome to this week’s episode of Cyber Whack-a-Mole, where we tackle Microsoft OneDrive’s new personal sync prompt before it pops up with a data leak surprise!
Microsoft is rolling out a new OneDrive feature around May 2025 called “Prompt to add a personal account to OneDrive Sync” for business users (Microsoft 365 Roadmap ID 490064). Designed for convenience, it allows users to sync their personal OneDrive accounts alongside work accounts with a single click. Sounds handy, right? But here’s the catch: it’s enabled by default, and without proper controls, it could lead to sensitive corporate data being synced to personal, unmanaged accounts.
Why This Matters
Mixing personal and work data on the same device introduces risks, including:
- Data Leakage – Sensitive corporate files could be unintentionally or maliciously moved to personal OneDrive accounts, which lack organizational oversight.
- Compliance Issues – Industries like healthcare, finance, and legal, bound by regulations such as GDPR, HIPAA, or SOX, face potential compliance violations if data leaves the managed environment.
- Security Gaps – Personal accounts typically lack the same security controls (encryption, DLP policies, or audit logs) as corporate accounts, creating a weak link.
The good news? These risks are manageable with proactive measures. Let’s dive into how to keep your organization secure without breaking a sweat.
How to Fix the Issue: Practical Solutions
Below are three key steps to mitigate the risks posed by this feature, followed by additional options for comprehensive protection.
Disclaimer: Plan and Audit to Avoid Disruptions
How to Protect Your Data 🕵️♂️🔨💾
Before implementing any of these changes, carefully plan and perform an audit to prevent organization-wide disruptions:
- Audit Current State – Use tools like Intune, Group Policy reporting (gpresult), or PowerShell scripts to assess which devices have personal OneDrive accounts synced or OneDrive for Business in use. This helps identify potential impacts of disabling syncing or access.
- Test Changes – Apply policies in a pilot group (a small department) to evaluate effects on workflows, especially for users relying on OneDrive for Business.
- Plan Communication – Coordinate with stakeholders to inform users of changes, particularly if disabling OneDrive access or syncing broadly.
- Backup Critical Data – Ensure no critical business data is stored solely in personal OneDrive accounts before removing access.
- Consult Compliance Teams – For regulated industries, verify that changes align with GDPR, HIPAA, or other requirements.
By planning ahead, you can mitigate risks without disrupting productivity or compliance.
1. Disable the Feature with DisablePersonalSync 🚫
The most effective way to block personal account syncing is to enable the DisablePersonalSync policy via Group Policy or Microsoft Intune. This prevents users from setting up new personal syncs and stops existing ones, displaying a message that syncing has stopped (though synced files remain on the device and must be removed separately).
Group Policy
- Open Group Policy Management Console (gpmc.msc).
- Create or edit a GPO linked to the domain root or an OU containing all users.
- Navigate to User Configuration > Administrative Templates > OneDrive > Prevent users from syncing personal OneDrive accounts and set it to Enabled.
- This sets the registry key: HKCU\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync=dword:00000001.
Intune
- In the Microsoft Intune Admin Center, create a Configuration Profile (Platform: Windows 10/11, Profile Type: Settings Catalog).
- Add the setting: OneDrive > Prevent users from syncing personal OneDrive accounts (User) and set it to Enabled.
- Assign to “All Users” or a group containing all tenant users for tenant-wide enforcement.
Reference: Microsoft Learn – Use Group Policy to control OneDrive sync settings
2. Audit Existing Syncs 📋
Before or after applying the policy, check for devices with active personal OneDrive syncs to close any existing gaps.
- Use device management tools (Intune compliance reports or scripts) to identify personal OneDrive folders (typically under C:\Users\[Username]\OneDrive).
- Remove synced personal files from devices, either manually or via automated scripts, ensuring compliance with your organization’s policies.
- Consider using Microsoft Purview to audit OneDrive access events for signs of personal account activity.
3. Educate Your Team 📢
Communicate the policy change to users to avoid confusion and reinforce data security best practices.
- Send an internal email or post on your company’s communication platform explaining why personal syncing is disabled.
- Highlight the importance of keeping work and personal data separate, especially for compliance-heavy industries.
- Provide a point of contact (such as IT helpdesk) for questions or support.
Additional Options for Enhanced Control
For organizations seeking broader or server-side controls, consider these tenant-level approaches, but note their trade-offs:
Disable Personal Site Creation (SharePoint Admin Center)
- In the SharePoint Admin Center, go to More Features > User Profiles > Manage User Permissions.
- Remove the “Create Personal Site” permission to prevent new OneDrive site creation, effectively blocking syncing for users without existing sites.
Limitation – Doesn’t affect existing OneDrive sites; use PowerShell to lock them if needed.
Reference – Manage user profiles in SharePoint
Restrict OneDrive Access by Security Group (PowerShell)
Use PowerShell to limit OneDrive access to specific security groups:
- Connect-SPOService -Url https://-admin.sharepoint.com Set-SPOTenant -RestrictOneDriveAccessToSecurityGroupOnly $true Set-SPOTenant -OneDriveAccessRestrictedSecurityGroups “GroupID”
- This prevents users outside the specified groups from accessing OneDrive, indirectly blocking personal syncing.
Limitation: Impacts OneDrive for Business broadly, not just personal syncing.
Reference: Microsoft Learn: Configure OneDrive access restrictions
Hide the Sync Button (PowerShell)
- Disable the OneDrive sync button for all users: Connect-SPOService -Url https://-admin.sharepoint.com Set-SPOTenant -HideSyncButtonOnODB $true
Limitation: Only affects the web interface; doesn’t stop syncs via the OneDrive client if DisablePersonalSync isn’t applied.
Reference: Microsoft Learn: Hide the sync button
Stay Ahead, Not Alarmed
This isn’t about panic—it’s about staying one step ahead of potential risks. If you’re an IT admin, take a moment to review your OneDrive policies to ensure your organization is protected. The DisablePersonalSync policy, applied tenant-wide via Intune’s Settings Catalog or Group Policy, is a straightforward way to lock things down. For extra peace of mind, audit existing syncs and explore server-side controls if needed.
You can also find this post on LinkedIn.
#DerettiTalks #Cybersecurity #Microsoft365 #OneDrive #Compliance #DataSecurity #EnterpriseSecurity #CyberWhackAMole #ITSecurity #CloudSecurity #DataProtection #TechNews #InformationSecurity #ITManagement #BusinessTech
#DerettiTalks - Takes on Security, Privacy and Technology 