There’s a discussion that nearly every parent of a teenager has had before. I call it the “they’re going to do it anyway” defense, and it goes like this: “I let my underage kids drink at home because then at least I know where they are and that they’re safe.” There are other variations for other kinds of teen behavior, including mixed-gender sleepovers. All share the same basic idea that, to reduce risk and harm, it’s better to supervise certain activities that you think will happen whether you supervise them or not.
It turns out you can apply this same philosophy to what is sometimes called “shadow IT.” Users are going to find ways to solve the technical problems that they have, and to get the capability they need to do their work. If an organization gives users the correct tools to do a job, they won’t have to improvise. For example, if users have a robust and reliable way to store and share files, then they will not go out and sign up for their own Dropbox or Box accounts. (For a good discussion over a beer, ask your favorite peers whether or not they actually believe that this is completely true!)
Microsoft seems to be somewhat partial to this argument because they recently announced a feature that allows individual users to sign into their personal OneDrive accounts on a managed device and have that content appear alongside their managed OneDrive accounts. Is this preventing shadow IT, or is it more like giving beer to teenagers?
Account Types in OneDrive
The long history that runs from SkyDrive, Windows Live Mesh, Groove, and so on has led to today’s situation: the OneDrive client natively understands how to sign in to both personal Microsoft accounts and Microsoft 365 accounts. Both account types look and behave the same way in the client: your file and directory structure is synchronized between the cloud and the local device, so you can browse the files and folders locally. The Office desktop applications are aware of the special nature of OneDrive sync, so they can track file upload and download operations, support offline use, work properly with AutoSave, and so on, for both personal and corporate accounts.
Blocking Personal Sync
Today, you can block a Windows device from signing into a personal OneDrive account with the DisablePersonalSync policy (“Prevent users from syncing personal OneDrive accounts” in the OneDrive ADMX template), which you can apply from a Group Policy object or by directly setting the DWORD value DisablePersonalSync under HKCU\SOFTWARE\Policies\Microsoft\OneDrive to 1. Note that this is a User Configuration setting, so it lives in HKCU and has to be applied in the context of the signed-in user. (Of course, you can also use Intune’s ADMX import feature to import the OneDrive ADMX template and apply the setting to computers managed via Intune.) If you haven’t already applied that policy to your Windows machines, perhaps you should.
What the New Feature Does
The new feature (see MC626577), which Microsoft is calling “Prompt to Add Personal Account to OneDrive Sync,” is only implemented on Windows for now. If a user has signed in to a device with their personal Microsoft account (MSA) and is actively syncing a OneDrive from a corporate account, then Windows will “helpfully” [sic] offer to also sync their personal OneDrive. That’s the good news: users will get a prompt, and perhaps some of them will decline. The bad news is that many of them will not, which means you now have users’ personal content synced to your organizational devices. On top of that, users may be able to copy content between their personal and work OneDrives, because once both are synced they are just two folders on the same local disk. I say “may” because that depends on whether you have applied information protection restrictions, such as sensitivity labels or endpoint DLP policies, that actually block that kind of copy.
Unfortunately, Microsoft’s current plan is to roll this setting out to all worldwide users starting in June 2025, with no way for administrators to opt out at the tenant level.
Blocking Personal Account Prompting
There are several mitigations, though. One is that you can pre-emptively apply the DisablePersonalSync policy described earlier. Microsoft hasn’t said whether or not that policy will block the new prompt, but it will definitely prevent the OneDrive client from synchronizing with a personal account.
Another is to block the prompt from appearing with the DisableNewAccountDetection policy (“Prevent OneDrive from automatically detecting and prompting to sign in to new accounts”), which lives in the same registry key as DisablePersonalSync. If you apply only this setting, it will suppress the prompt but still allow users to add and synchronize their personal OneDrive accounts by hand. If you want to block both the prompt and users’ ability to sync, you need to apply both policies.
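Here is an added example (not code from the original article or from Microsoft) that audits the state of both policy values and, if you ask it to, sets both to 1 for the current user. The registry path and value names are the ones documented for the OneDrive ADMX template; the function names and parameters are this example’s own. It reads HKLM as well as HKCU only to catch values an administrator stamped at machine scope by hand; the template itself exposes both as User Configuration settings.

```powershell
# Added example: audit and optionally enforce the two OneDrive policies discussed above.
# Assumptions: policy path and value names as documented in the OneDrive ADMX template;
# function names and parameters are this example's own.

$OneDrivePolicyPath = 'SOFTWARE\Policies\Microsoft\OneDrive'
$OneDrivePolicies   = @('DisablePersonalSync', 'DisableNewAccountDetection')

function Get-OneDrivePersonalAccountPolicy {
    # Report each value under both hives. A missing value and an explicit 0 both mean
    # "not enforced"; only a DWORD of 1 counts as enforced.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$OneDrivePolicyPath"
        foreach ($name in $OneDrivePolicies) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Hive     = $hive
                Policy   = $name
                Value    = $value          # $null when the value is absent
                Enforced = ($value -eq 1)
            }
        }
    }
}

function Set-OneDrivePersonalAccountPolicy {
    # Sets both values to 1 in the chosen hive. Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive = 'HKCU'
    )
    $key = "${Hive}:\$OneDrivePolicyPath"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $OneDrivePolicies) {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage: audit first, then preview, then apply.
Get-OneDrivePersonalAccountPolicy | Format-Table -AutoSize
Set-OneDrivePersonalAccountPolicy -WhatIf
# Set-OneDrivePersonalAccountPolicy           # apply to the current user's HKCU
```

Because the values live under HKCU, running the audit as an administrator in a different session will report that user’s state, not the state of the person who actually uses the machine; run it in the logged-on user’s context (for example, as a user-scoped Intune script) to get data you can trust.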
Keep in mind that, if you’re providing managed devices to users who sign in with their corporate Entra ID account, their ability to sign in with an MSA might already be limited. If they can’t sign in at all with their MSA, the prompt will never appear. Therefore, deploying only managed devices instead of allowing BYOD is another potential way to mitigate this.
The reverse scenario is true too. Suppose you allow users to sign in to your M365 tenant from their own personal machines at home. In that case, a user who’s signed into her home PC with her MSA, and then sets up her corporate OneDrive, will see the prompt. The best solution there is probably to use Conditional Access policies to prohibit user sign-ins to OneDrive from unmanaged machines, for example by requiring a compliant or hybrid-joined device.
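As an added example of that last point (this is not code from the original article), the following Microsoft Graph PowerShell snippet creates a Conditional Access policy that requires a compliant or hybrid-joined device for the Office 365 SharePoint Online service principal, which is what the OneDrive client authenticates against. The display name is this example’s own, and the policy is deliberately created in report-only mode so you can check the sign-in logs for impact before enforcing it.

```powershell
# Added example: Conditional Access policy requiring a managed device for OneDrive/SharePoint.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; you hold the Conditional Access
# Administrator role (or equivalent); the display name is this example's own.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Require managed device for OneDrive and SharePoint (report-only)'
    # Report-only first; change to 'enabled' once you have reviewed the impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Exclude your break-glass accounts here before enabling, e.g.
            # excludeGroups = @('<object id of break-glass group>')
        }
        applications = @{
            # Well-known app ID of the Office 365 SharePoint Online service principal,
            # which covers OneDrive for Business as well.
            includeApplications = @('00000003-0000-0ff1-ce00-000000000000')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was created before moving it out of report-only mode.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```

In report-only mode the policy does nothing to users, but every OneDrive sign-in from an unmanaged device shows up in the Entra sign-in logs under the policy’s report-only results, which is exactly the data the next section says most of us lack.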
Measure Twice, Mitigate Once
Unfortunately, many people reading this won’t have good data on what their users are doing today: how many users are signing in from unmanaged machines, what state the DisablePersonalSync key is in on those machines, and so on. Imposing a strong security baseline on all the devices that touch your company data is difficult and annoying, and it can be expensive in terms of labor to get it done, but it’s necessary to prevent exactly these kinds of knowledge gaps. Microsoft is not going to stop adding new “features” like this to the service because they seek to relentlessly increase user engagement and average revenue per user (ARPU). If we can’t depend on them not to do stuff like this, the burden falls to us to control our networks and devices to limit the negative impact.