Quick survey for administrators among my blog readers: Is there a problem with OneDrive, and how are you dealing with it? In July 2025, Microsoft began allowing OneDrive Personal users to synchronize OneDrive for Business as well. How are you dealing with this issue, which could pose a security problem?
A reader's comment on the topic
This topic has been on my to-do list for some time. A blog reader contacted me by email in mid-May 2025. In the subject line "OneDrive Business / Personal Sync," he informed me that he had recently become aware of an issue on X that, in his opinion, raises serious concerns.
It concerns the possibility that OneDrive Personal will synchronize data with OneDrive for Business starting in June 2025. The reader noted that this would make it more difficult for companies to separate data and could lead to security (data leaks) and privacy issues.
The reader works as a cloud IT consultant and considers this to be a critical issue. Although it is possible to disable this feature via a policy, many small businesses that do not operate cloud administration would likely overlook this, the reader wrote. Is this an issue for you? And have relevant group policies been set?
What exactly is this about?
The reader was prompted to write by the following tweet, which refers to the article Microsoft introduces huge security risk in OneDrive from mid-May 2025.
It states that Microsoft is introducing a new OneDrive feature that synchronizes data from personal accounts with business accounts. The feature, officially named "Prompt to Add Personal Account to OneDrive Sync," allows security policies to be circumvented.
The author of the article fears that this could lead to business data falling into the wrong hands. The article states that Microsoft plans to activate the feature in June 2025 (which is probably not true, as the rollout did not take place until July 2025).
The feature in question detects private OneDrive accounts on business devices using OneDrive for Business. Users then receive a notification to synchronize their OneDrive files. If users accept the notification, their files are automatically synchronized with their business OneDrive for Business environment without any additional configuration, according to the article.
So when a user signs in with a personal Microsoft account on a business device, they receive a notification by default to link the account. They are responsible for granting permission. However, accepting the notification may seem convenient or easy if you are not aware of the risks, the article's author writes.
This is what Microsoft says about the feature
Microsoft published the details in the Microsoft 365 Roadmap under the title OneDrive: Prompt for permitted users to sign in to OneDrive app with personal Microsoft account. The post was originally published on April 25, 2025, but was then modified on July 24, 2025. The screenshot below shows the current status, which indicates that the rollout did not start until July 2025.
Microsoft states that users have long been able to use personal Microsoft accounts with the OneDrive app on company Windows devices (unless administrators have restricted this by policy).
This new OneDrive feature, Prompt for permitted users, is only intended to display a prompt if a personal account is already logged in on the device. The user is then prompted to log in to the OneDrive app with this account as well.
However, administrators have the option of restricting the use of personal accounts on company devices via group policies. The use of personal OneDrive accounts on company devices could already be disabled with the DisablePersonalSync policy, so that users do not see the above-mentioned prompt.
Administrators can also suppress this sign-in prompt using the DisableNewAccountDetection policy. The relevant OneDrive policies can be found on this Microsoft Support page.
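For the small businesses without cloud administration mentioned above, the practical question is whether the two policies named here are actually set on a given machine. The following PowerShell script is an added example (not code from the blog or from Microsoft) that audits both values locally and, with the -Remediate switch, sets them. It assumes the policies are DWORD values under the machine-level OneDrive policy key HKLM:\SOFTWARE\Policies\Microsoft\OneDrive; the post only names the policies, so verify the key and value names against the Microsoft support page linked above before relying on it.

```powershell
# Audit (and optionally enforce) the two OneDrive machine policies named in the post.
# Assumption: both policies are DWORD values under the OneDrive policy key below.
# The post itself only names the policies; confirm the path on the Microsoft support page.
[CmdletBinding()]
param(
    [switch]$Remediate   # set both values to 1 instead of only reporting
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'   # assumed location
$Policies  = @{
    DisablePersonalSync        = 1   # block syncing personal OneDrive accounts on this device
    DisableNewAccountDetection = 1   # suppress the "add personal account" sign-in prompt
}

if (-not (Test-Path $PolicyKey)) {
    if ($Remediate) {
        New-Item -Path $PolicyKey -Force | Out-Null
    } else {
        Write-Warning "Policy key $PolicyKey does not exist: no OneDrive policies are configured on this machine."
    }
}

foreach ($name in $Policies.Keys) {
    $expected = $Policies[$name]
    $current  = $null
    if (Test-Path $PolicyKey) {
        # -ErrorAction SilentlyContinue: a missing value simply yields $null
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    }
    $shown = if ($null -eq $current) { 'not set' } else { $current }

    if ($current -eq $expected) {
        Write-Output "[OK]      $name = $current"
    } elseif ($Remediate) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $expected -Type DWord
        Write-Output "[FIXED]   $name set to $expected (was: $shown)"
    } else {
        Write-Output "[MISSING] $name is $shown; expected $expected"
    }
}
```

Run it from an elevated PowerShell session: without parameters it only reports, with -Remediate it writes the values. On domain-joined machines the same values are normally delivered by Group Policy, so a missing value here is a useful signal that no OneDrive policy is being applied at all, which is exactly the situation the reader worries about for small businesses.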