Block personal OneDrive account sign-in on corporate devices - prevents data exfiltration via a private OneDrive.
Recommendation
IMPLEMENT
Risk without implementation
High
Risk Score
8/10
Implementation
3h (technical: 1h)
Applies to:
OneDrive for Business
Personal OneDrive is a data-loss risk: shadow IT (unmanaged cloud storage), no DLP or compliance coverage, and data exfiltration: copy corporate files → personal OneDrive → uncontrolled access. Attack scenarios: malicious insider, ransomware backup evasion.
Implementation
Block personal OneDrive in the OneDrive sync client: business accounts only, personal accounts blocked, and the user is prompted with 'Only work accounts allowed'.
Requirements
OneDrive sync client
Intune or GPO
Implementation
Use the PowerShell script personal-account-signin-blocked.ps1 (function Invoke-Implementation) → Implement.
Intune Settings Catalog: OneDrive → Prevent users from syncing personal OneDrive accounts: Enabled. This is the OneDrive ADMX policy DisablePersonalSync (registry HKLM\SOFTWARE\Policies\Microsoft\OneDrive, DWORD DisablePersonalSync = 1, with a user-scope variant under HKCU), so GPO can deliver the same setting. Note that the policy only governs the OneDrive sync client: uploads to a personal OneDrive through the browser are not affected and need a separate web-filtering or cloud-app control.
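The following is an added example (editor's code, not the baseline's own script) that audits the device side of this control in one pass: it reads the policy in machine scope and in every loaded user hive, and lists the accounts the OneDrive sync client has linked for those users, so a device on which a personal account was already linked is flagged even after the policy is in place (the policy stops the sync relationship; it does not remove the files already synced to the local folder). It assumes the ADMX registry location described above (DWORD DisablePersonalSync = 1 under ...\SOFTWARE\Policies\Microsoft\OneDrive in HKLM or a user hive), assumes the sync client records linked accounts under ...\SOFTWARE\Microsoft\OneDrive\Accounts\<Personal|Business1|...> with a UserEmail value, and uses the Intune Remediations detection-script convention of exit code 1 for non-compliant; the function names are the editor's.

```powershell
#Requires -Version 5.1
<#
Added example (editor's code, not the baseline's script): device-side audit of the
"Prevent users from syncing personal OneDrive accounts" control.
Assumptions:
- The policy is DisablePersonalSync (DWORD 1) under <hive>\SOFTWARE\Policies\Microsoft\OneDrive,
  in machine scope (HKLM) and optionally user scope (the user's hive), per the OneDrive ADMX.
- The sync client records linked accounts under <hive>\SOFTWARE\Microsoft\OneDrive\Accounts\<name>
  with a UserEmail value; the subkey named Personal is a personal Microsoft account.
- Only hives of logged-on users are loaded under HKEY_USERS; other profiles are not inspected.
- Exit code 0 = compliant, 1 = non-compliant (Intune Remediations detection-script convention).
#>
$ErrorActionPreference = 'Stop'

function Test-PersonalSyncPolicy {
    # $HivePath is 'HKLM:' or 'Registry::HKEY_USERS\<SID>'
    param([Parameter(Mandatory)][string]$HivePath)
    $key = "$HivePath\SOFTWARE\Policies\Microsoft\OneDrive"
    $val = Get-ItemProperty -Path $key -Name DisablePersonalSync -ErrorAction SilentlyContinue
    return ($null -ne $val -and [int]$val.DisablePersonalSync -eq 1)
}

function Get-LinkedOneDriveAccounts {
    param([Parameter(Mandatory)][string]$HivePath, [Parameter(Mandatory)][string]$Sid)
    $accountsKey = "$HivePath\SOFTWARE\Microsoft\OneDrive\Accounts"
    if (-not (Test-Path -Path $accountsKey)) { return }
    foreach ($sub in Get-ChildItem -Path $accountsKey) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $props.UserEmail) { continue }   # not an account subkey
        [pscustomobject]@{
            Sid        = $Sid
            AccountKey = $sub.PSChildName
            IsPersonal = ($sub.PSChildName -eq 'Personal')
            UserEmail  = $props.UserEmail
            UserFolder = $props.UserFolder        # local copy that stays on disk after sync stops
        }
    }
}

function Invoke-PersonalOneDriveAudit {
    $machinePolicy = Test-PersonalSyncPolicy -HivePath 'HKLM:'
    $users = @()
    # Enumerate loaded user hives; the regex excludes the *_Classes hives and built-in SIDs.
    # When run as SYSTEM (Intune), HKCU is SYSTEM's own hive, so HKEY_USERS is the place to look.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $_.PSChildName }
    foreach ($sid in $sids) {
        $hive = "Registry::HKEY_USERS\$sid"
        $accounts = @(Get-LinkedOneDriveAccounts -HivePath $hive -Sid $sid)
        $users += [pscustomobject]@{
            Sid              = $sid
            PolicyEffective  = ($machinePolicy -or (Test-PersonalSyncPolicy -HivePath $hive))
            PersonalAccounts = @($accounts | Where-Object { $_.IsPersonal })
            BusinessAccounts = @($accounts | Where-Object { -not $_.IsPersonal })
        }
    }
    $personalFound = @($users | Where-Object { $_.PersonalAccounts.Count -gt 0 })
    # Compliant only when the machine policy is enforced AND no personal account is linked:
    # a linked personal account means corporate data may already sit in a private OneDrive.
    [pscustomobject]@{
        Compliant     = ($machinePolicy -and $personalFound.Count -eq 0)
        MachinePolicy = $machinePolicy
        Users         = $users
    }
}

$result = Invoke-PersonalOneDriveAudit
$result | ConvertTo-Json -Depth 5 | Write-Output
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Deploy it as the detection script of an Intune Remediation (or run it elevated on a device): the JSON output records which users had a personal account linked and where the local folder lives, which is the follow-up list for a DLP review; the exit code drives the remediation script, for which the baseline's Invoke-Remediation function serves.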
Compliance and Auditing
GDPR Art. 32 (data protection), BIO 09.02 (access control and authentication), ISO 27001 A.9.4.1, NIS2 Art. 21.
Monitoring
Use the PowerShell script personal-account-signin-blocked.ps1 (function Invoke-Monitoring) → Check.
Remediation
Use the PowerShell script personal-account-signin-blocked.ps1 (function Invoke-Remediation) → Fix.
Compliance & Frameworks
BIO: 09.02.05
ISO 27001: A.9.4.1 (2013 numbering, Information access restriction; control 8.3 in the 2022 edition)
NIS2: Article 21
Automation
Use the PowerShell script below to monitor and implement this security control. The script defines functions for monitoring (Invoke-Monitoring), implementation (Invoke-Implementation) and remediation (Invoke-Remediation); dot-source the script and call the function you need.
PowerShell
<#
================================================================================
POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
OneDrive: Block Personal Account Sign-in
.DESCRIPTION
Implements, monitors and remediates: OneDrive: Block Personal Account Sign-in.
The check and the fix act on the machine-scope OneDrive ADMX policy
"Prevent users from syncing personal OneDrive accounts" (DisablePersonalSync),
the same policy the Intune Settings Catalog item and the GPO set.
.NOTES
Filename: personal-account-signin-blocked.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
Workload: office
Category: onedrive
Usage: dot-source the script (. .\personal-account-signin-blocked.ps1) and call
Invoke-Monitoring, Invoke-Implementation or Invoke-Remediation. Remediation
writes under HKLM and needs an elevated session.
Editor's note: the registry logic in Get-PersonalSyncPolicy, Invoke-Monitoring
and Invoke-Remediation fills in the TODO stubs of the original template.
#>
#Requires -Version 5.1
[CmdletBinding()]
param()
$ErrorActionPreference = 'Stop'

# Registry location of the ADMX policy. DWORD 1 = personal Microsoft accounts
# cannot be added to the sync client; absent or 0 = allowed.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$PolicyName = 'DisablePersonalSync'

function Get-PersonalSyncPolicy {
    <#
    .SYNOPSIS
    Returns the current DisablePersonalSync value, or $null when it is not set
    #>
    [CmdletBinding()]
    param()
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Invoke-Implementation {
    <#
    .SYNOPSIS
    Implements the configuration
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Invoke-Implementation - OneDrive: Block Personal Account Sign-in" -ForegroundColor Cyan
    Invoke-Remediation
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
    Checks the current configuration state; returns $true when compliant
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "OneDrive: Block Personal Account Sign-in - Monitoring" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        $current = Get-PersonalSyncPolicy
        if ($current -eq 1) {
            Write-Host "[OK] $PolicyName = 1: personal OneDrive accounts are blocked in the sync client" -ForegroundColor Green
            return $true
        }
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        Write-Host "[FAIL] $PolicyName is ${shown}: personal OneDrive accounts can still be added" -ForegroundColor Red
        return $false
    }
    catch {
        Write-Error "Monitoring failed: $_"
        throw
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "OneDrive: Block Personal Account Sign-in - Remediation" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        if (-not (Test-Path -Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyPath -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
        # Read the value back instead of trusting the write
        if ((Get-PersonalSyncPolicy) -ne 1) {
            throw "Could not verify $PolicyName = 1 after writing it"
        }
        Write-Host "[OK] Remediation completed: $PolicyName = 1" -ForegroundColor Green
        # A direct registry write is a local fix: correct the Intune/GPO policy as well,
        # otherwise the management channel can leave the setting unmanaged or revert it.
    }
    catch {
        Write-Error "Remediation failed: $_"
        throw
    }
}
Risk without implementation
High: personal OneDrive is a data exfiltration and shadow IT channel.
Management Summary
Block personal OneDrive on corporate devices to prevent data loss. Implementation: 1-3 hours.