
OneDrive Personal Sync Prevention

Audience: Platform Engineering, security administrators

Purpose: Prevent personal OneDrive account sync to mitigate data exfiltration risk


Overview

This procedure prevents Microsoft from automatically syncing detected personal OneDrive accounts on University-managed Windows devices (Microsoft 365 Roadmap ID 490064). Implementation mitigates data exfiltration risk and ensures corporate data remains within controlled environments.


Key Policies

Policy                      Purpose                                        Effect
DisableNewAccountDetection  Suppresses prompts to sync personal accounts   Recommended - minimal impact
DisablePersonalSync         Blocks personal account synchronization        Optional - strict control
AllowTenantList             Restricts sync to specified tenant IDs         Optional - tenant enforcement

Recommended Approach

Use DisableNewAccountDetection for minimal user impact. Add DisablePersonalSync or AllowTenantList only if stricter controls are required.


Prerequisites

Requirement       Details
GPO Knowledge     Active Directory Group Policy Management
Intune Access     Microsoft Intune admin center
Admin Privileges  GPO and/or Intune configuration rights
Tenant ID         Your Microsoft 365 Tenant ID

Configuration via Intune

Option A: Suppress Personal Account Prompt (Custom OMA-URI)

Hides the prompt to sync personal accounts without blocking manual addition.

  1. Navigate to Devices → Windows → Configuration profiles
  2. Click + Create profile
    • Platform: Windows 10 and later
    • Profile type: Templates → Custom
  3. Add OMA-URI setting:

Setting    Value
Name       Suppress OneDrive Personal Account Prompt
OMA-URI    ./Device/Vendor/MSFT/Policy/Config/OneDrive~Policy~OneDriveNGSC/DisableNewAccountDetection
Data type  Integer
Value      1

  4. Assign to Windows device groups
  5. Click Create

Result: Users won't see prompts to add personal accounts but can still add manually if desired.

Option B: Strict Prevention (Settings Catalog)

For stricter control, use the Settings Catalog:

  1. Navigate to Devices → Windows → Configuration profiles
  2. Click + Create profile
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  3. Add settings as needed:

Prevent Personal Sync:

  • Path: Administrative Templates > OneDrive
  • Setting: "Prevent users from syncing personal OneDrive accounts (User)"
  • Effect: Blocks all personal accounts

Tenant Allow List:

  • Path: Administrative Templates > OneDrive
  • Setting: "Allow syncing OneDrive accounts for only specific organizations (Device)"
  • Effect: Only allows specified tenant IDs

  4. Configure and assign to device groups

Configuration via Group Policy

Step 1: Update ADMX Templates

  1. Locate OneDrive templates:
    • Per-user: %localappdata%\Microsoft\OneDrive\[BuildNumber]\adm\
    • Per-machine: %ProgramFiles%\Microsoft OneDrive\[BuildNumber]\adm\
  2. Copy OneDrive.admx to central store:
    • \\domain\SYSVOL\domain\Policies\PolicyDefinitions
  3. Copy OneDrive.adml to language folder:
    • \\domain\SYSVOL\domain\Policies\PolicyDefinitions\en-us

Step 2: Configure Policies

Open Group Policy Management (gpmc.msc) and edit your GPO:

Hide Personal Sync Messages (Recommended):

  • Path: Computer Configuration > Administrative Templates > OneDrive
  • Setting: "Hide the messages to sync Consumer OneDrive files"
  • Value: Enabled

Prevent Personal Sync (Optional):

  • Path: User Configuration > Administrative Templates > OneDrive
  • Setting: "Prevent users from syncing personal OneDrive accounts"
  • Value: Enabled

Tenant Allow List (Optional):

  • Path: Computer Configuration > Administrative Templates > OneDrive
  • Setting: "Allow syncing OneDrive accounts for only specific organizations"
  • Value: Enabled, add your Tenant ID(s)

Step 3: Apply and Verify

  1. Run gpupdate /force on a test device
  2. Restart OneDrive sync client or reboot
  3. Attempt to add a personal account to verify blocking
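A local check for Step 3, added here as an example and not part of the original procedure: run it on the test device to report which of the three policies from the Key Policies table are actually in effect before trying the manual tests. It assumes the GPO/Intune settings land in the standard OneDrive policy hives (HKLM and HKCU under SOFTWARE\Policies\Microsoft\OneDrive) with value names matching the policy names on this page, and that the Accounts\Personal key under the user's OneDrive settings exists only when a personal account is linked.

```powershell
# Added example: report the effective OneDrive personal-sync policies on a test device.
# Assumption: the GPO/Intune settings above land in the standard OneDrive policy hives,
# with value names matching the policy names used on this page.
$machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'   # Computer Configuration / ./Device OMA-URI
$userKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'   # User Configuration
$accountKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Personal'  # assumed: present when a personal account is linked

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns the DWORD value, or $null when the policy has not been applied
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-State([object]$Value) {
    if ($null -eq $Value) { return 'NOT SET' }
    if ($Value -eq 1)     { return 'ENABLED' }
    return "DISABLED (value=$Value)"
}

# The three policies from the Key Policies table
$newAccountDetection = Get-PolicyDword $machineKey 'DisableNewAccountDetection'
$personalSync        = Get-PolicyDword $userKey    'DisablePersonalSync'

# AllowTenantList is a subkey whose value names are the permitted tenant IDs
$allowKey = Join-Path $machineKey 'AllowTenantList'
$allowedTenants = @()
if (Test-Path $allowKey) { $allowedTenants = @((Get-Item $allowKey).GetValueNames()) }

'{0,-28} {1}' -f 'DisableNewAccountDetection', (Format-State $newAccountDetection)
'{0,-28} {1}' -f 'DisablePersonalSync',        (Format-State $personalSync)
if ($allowedTenants.Count -gt 0) {
    '{0,-28} ENABLED: {1}' -f 'AllowTenantList', ($allowedTenants -join ', ')
} else {
    '{0,-28} NOT SET' -f 'AllowTenantList'
}

# A personal account that is still linked after DisablePersonalSync took effect deserves a closer look
if ((Test-Path $accountKey) -and $personalSync -eq 1) {
    Write-Warning 'A personal OneDrive account is still linked for this user despite DisablePersonalSync.'
}

# Non-zero exit when the recommended baseline is missing, so the check can gate a pilot rollout
if ($newAccountDetection -ne 1) {
    Write-Warning 'Baseline policy DisableNewAccountDetection is not enabled on this device.'
    exit 1
}
```

Run it in the context of the signed-in test user, since DisablePersonalSync is a User Configuration setting and is read from HKCU.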

Verification

Test                         Expected Result
Personal account prompt      Should not appear (DisableNewAccountDetection)
Manual personal account add  Should fail (if DisablePersonalSync enabled)
Corporate account sync       Should work normally
Tenant-restricted sync       Only allowed tenant IDs work (if AllowTenantList enabled)