Beware any businesses, schools and not for profit organisations using Microsoft OneDrive. An imminent new feature in Microsoft 365 is a potential security risk that could lead to data leaks from your organisation. Microsoft 365 administrators need to act fast.

This new feature is due to start rolling out this month (May) to Microsoft 365 Business subscribers on Windows PCs. It will prompt users to add personal OneDrive accounts on their Work PC. It is being pitched as a convenient feature so that all your personal and business files are available in one place. However, if the user accepts the prompt then staff are now free to copy business files to their personal OneDrive, unless the organisation's Microsoft 365 administrator has explicitly forbidden this through appropriate settings.

This new feature leaves organisations at risk of sensitive corporate data being unintentionally or maliciously transferred to personal, unmanaged environments.

Even before this feature has rolled out, cybersecurity experts around the globe are concerned that the feature does not adhere to good cybersecurity practice, and will violate the majority of corporate policies. I.e. ensuring that work and home accounts and data are kept very separate.

There are currently cries to Microsoft from the cybersecurity community to stop this feature being rolled out. Regardless, it is strongly recommended that organisations proactively block this feature asap.

RECOMMENDED IMMEDIATE ACTION

Block this new feature immediately before it even rolls out (starting sometime this month). Instruct your Microsoft 365 administrator to do this through the following group policy settings:

DisablePersonalSync – to block users from syncing personal OneDrive accounts.

DisableNewAccountDetection – to block the pop-up prompt. Note however, this just hides the prompt. Staff who know what they are doing can still manually add a personal OneDrive account.

#cybersecurity #cyber #SMB #microsoft #onedrive