Microsoft’s upcoming OneDrive update has triggered alarm bells across the IT and cybersecurity communities.
The update introduces a feature that, by default, prompts users to sync their personal and business OneDrive accounts on corporate devices – without any prior setup or approval. What’s worse, disabling this behaviour isn’t simple: it requires IT administrators to manually configure Group Policy settings such as DisableNewAccountDetection or DisablePersonalSync. In other words, it’s not something the average user can turn off – this fix needs a techie.
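The following PowerShell audit script is an added example, not code from the article or from Microsoft. It reads the registry values that the two Group Policy settings named above write and reports whether personal-account sync is actually blocked on a device; the registry paths are assumptions taken from the OneDrive policy documentation as I recall it, so verify them against the current documentation before relying on them.

```powershell
# Added audit/enforce script (not from the article or Microsoft).
# Assumed registry locations behind the two policies named in the article:
#   HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync        (DWORD 1 = personal accounts blocked)
#   HKCU:\SOFTWARE\Policies\Microsoft\OneDrive\DisableNewAccountDetection (DWORD 1 = no new-account prompts)
# Verify these paths against current OneDrive policy documentation before deploying.

$checks = @(
    @{ Name = 'DisablePersonalSync';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' },
    @{ Name = 'DisableNewAccountDetection'; Path = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive' }
)

function Get-OneDrivePolicyState {
    # Returns one object per policy: the value found (or $null) and whether it is enforced.
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Policy   = $c.Name
            Path     = $c.Path
            Value    = $value
            Enforced = ($value -eq 1)
        }
    }
}

function Set-OneDrivePolicy {
    # Enforces both settings locally. Run elevated: the HKLM key needs admin rights.
    # On managed devices, deploy the same values via GPO or Intune so they are not overwritten.
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit only; call Set-OneDrivePolicy explicitly to enforce.
$state = Get-OneDrivePolicyState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Enforced }) {
    Write-Warning 'Personal OneDrive sync is not fully blocked on this device.'
}
```

Running the audit across a fleet (for example through a remote-management tool) gives a quick inventory of which devices are still exposed to the new default.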
This change raises serious concerns for individuals and organisations alike. For users, syncing a personal OneDrive account on a work machine could mean unintentionally handing over personal, and potentially sensitive, information to their employer. For companies, it opens the door to massive data loss risks: employees can now effortlessly drag and drop sensitive corporate data from their business OneDrive to a personal account. Worse still, if undetonated malware is sitting in a personal OneDrive, it has now potentially been introduced into the corporate network.
While Microsoft may have intended this integration as a convenience, in practice it creates a privacy nightmare, increases data exfiltration risk, and burdens IT teams with unnecessary complexity.
Rollout of this update starts in June 2025.
Seriously, Redmond – what are you smoking?