OneDrive: Prompt for permitted users to sign in to OneDrive app with personal Microsoft account
🚨 The Signal: OneDrive will prompt users to sign in with personal accounts on corporate devices if already signed in elsewhere. This increases the risk of unsanctioned data exfiltration and shadow IT, requiring admin review of existing policies.
The Impact
End-users are prompted to add a personal account, increasing the data exfiltration and shadow IT risk for the organisation.
- End-users: May inadvertently store personal data on corporate devices.
- Security Teams: Increased risk of data exfiltration to personal cloud storage.
- Admins: Need to verify and enforce policies to prevent personal account usage.
- Compliance Teams: Potential non-compliance with data separation requirements.
The Action
- Verify that the existing 'DisablePersonalSync' policy is enabled via Group Policy or Intune.
- If 'DisablePersonalSync' is not enabled, enable 'DisableNewAccountDetection' via Group Policy or Intune so that users are not prompted.
- Communicate updated acceptable use policies regarding personal cloud storage to users.
- Review data loss prevention (DLP) policies to detect and block personal OneDrive sync.
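As an added example (not part of this advisory), a PowerShell audit script covering the first two actions: it reads the two OneDrive policy values on a device and reports which control is in effect. It assumes the policies land in the machine policy key HKLM\SOFTWARE\Policies\Microsoft\OneDrive, as the OneDrive ADMX templates write them; the optional remediation switch is intended for a standalone or test machine, while managed devices should get the setting through Group Policy or Intune.

```powershell
# Added example, not the advisory's own tooling.
# Assumption: Group Policy / Intune write the OneDrive policies to this machine key.
param([switch]$Remediate)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-OneDrivePolicyValue {
    param([string]$Name)
    try {
        # -ErrorAction Stop makes a missing key or value throw, which we treat as "not configured"
        $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

$disablePersonalSync        = Get-OneDrivePolicyValue -Name 'DisablePersonalSync'
$disableNewAccountDetection = Get-OneDrivePolicyValue -Name 'DisableNewAccountDetection'

# Evaluate in the advisory's order: personal sync blocked outright is the stronger control,
# suppressing the prompt is the fallback, anything else leaves users exposed to the prompt.
if ($disablePersonalSync -eq 1) {
    $status = 'Compliant: personal account sync is blocked (DisablePersonalSync=1)'
} elseif ($disableNewAccountDetection -eq 1) {
    $status = 'Compliant: personal-account prompt suppressed (DisableNewAccountDetection=1)'
} else {
    $status = 'Non-compliant: users will be prompted to add a personal Microsoft account'
}

if ($Remediate -and $disablePersonalSync -ne 1 -and $disableNewAccountDetection -ne 1) {
    # Local fallback only; on managed devices deploy this via GPO/Intune instead.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'DisableNewAccountDetection' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $status = 'Remediated locally: DisableNewAccountDetection set to 1'
}

[pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    DisablePersonalSync        = $disablePersonalSync
    DisableNewAccountDetection = $disableNewAccountDetection
    Status                     = $status
} | Format-List
```

Run it from an elevated prompt so the policy key is readable and, with -Remediate, writable; the object output can be collected from many devices for a quick fleet-wide compliance view.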
Domain: M365-Apps · Impact: high · Workload: OneDrive