TL;DR: Entro Labs says 1 in 5 exposed enterprise secrets originated in SharePoint, driven largely by OneDrive auto-sync that moves local Desktop and Documents files into cloud libraries, widening access far beyond the file owner. According to Entro Labs, that pattern turns convenience features into identity and secrets governance problems, not just storage issues.
At a glance
What this is: This article argues that default OneDrive auto-sync can move local files into SharePoint and expose secrets across the tenant.
Why it matters: It matters because NHI and IAM teams often miss collaboration storage as a secrets path, even though synced files can expand blast radius after a single account compromise.
By the numbers:
- More than 50% of SharePoint-hosted secrets came from .xlsx workbooks, tracking sheets, logs, or developer scratchpads.
👉 Read Entro Labs' analysis of SharePoint auto-sync and secret exposure
Context
SharePoint auto-sync becomes an identity and secrets governance problem when files that were meant to stay local are copied into cloud libraries by default. In practice, the issue is not just storage drift. It is that a user workstation can become a route into tenant-wide access once Desktop and Documents are synced into SharePoint Online.
For NHI and IAM practitioners, that changes the control point. Secrets scanning, offboarding, and privileged access reviews have to cover collaboration platforms and synced endpoints, not only source code and vaults. The behaviour described in this article is increasingly normal in Microsoft 365 environments, which makes it more dangerous, not less.
Key questions
Q: How should organisations handle secrets stored in SharePoint and OneDrive?
A: Treat them as governed secret stores, not informal file shares. Apply secrets discovery, access review, and lifecycle controls to collaboration platforms, then restrict automatic folder sync where it is not required. The goal is to prevent local convenience features from turning into tenant-wide exposure paths for tokens, certificates, and configuration files.
Q: Why do synced desktop folders create an NHI governance problem?
A: Because they move data from a local trust boundary into a cloud access model where multiple identities can reach it. A file that was safe enough for one workstation can become searchable and reusable across an organisation after sync. That is an identity governance issue because access semantics change without the user intentionally changing them.
Q: What is the difference between source control leakage and SharePoint secret exposure?
A: Source control leakage usually affects code repositories and development workflows, where secrets tools are more common. SharePoint exposure extends into office files, notes, and collaboration content, which often escape scanning and persist under broader admin visibility. The second problem usually has a wider file-format surface and a less mature control stack.
Q: Should security teams disable OneDrive auto-sync by default?
A: They should disable or restrict it where the business does not need continuous folder backup. If the organisation keeps the feature, it should be paired with policy controls, user awareness, and secret scanning. The decision depends on risk tolerance, but default enablement without governance is a poor control posture for sensitive environments.
Technical breakdown
How OneDrive Known Folder Move turns endpoints into cloud data sources
Known Folder Move, or KFM, is the feature that automatically backs up Desktop, Documents, and sometimes Pictures from a Windows endpoint into OneDrive. In enterprise deployments, that content lands in SharePoint Online document libraries. That matters because the file changes from a local user asset into a cloud object governed by tenant permissions, admin access, and search. If a secret sits in a .env file or config file on the desktop, KFM can silently widen its exposure. The security failure is not a bypass. It is default convenience working exactly as designed, but against secrets hygiene.
Practical implication: teams need to decide where KFM is allowed, not assume local folders are safe by default.
Why synced files create a tenant-wide secrets discovery problem
Once a file is in SharePoint, it can be discovered through collaboration permissions, admin access, and tenant search. That creates a different exposure model from source control, where secrets tooling is often more mature. Files such as spreadsheets, text notes, scripts, and docs are especially risky because they are easy to create, share, and forget. In NHI terms, the problem is not just the secret itself. It is the identity path that makes the secret searchable, accessible, and reusable across multiple users or admins. That is why collaboration storage needs the same control discipline as code repositories.
Practical implication: extend secrets detection and access review into SharePoint, OneDrive, and similar collaboration stores.
How compromised identities expand the blast radius of auto-sync
If an attacker compromises a Microsoft 365 account or a tenant admin account, synced files become an immediate source of credential material. The article shows that a site administrator can gain direct access to a user’s synced content, which turns one stolen identity into access to many hidden secrets. That pattern is especially dangerous because the secret may have been created for a narrow local task, while the synced copy survives long after the original context changes. The underlying architecture is identity-rich and permission-heavy, so the blast radius is defined by access control, not by file intent.
Practical implication: treat synced endpoints as part of the non-human identity and secrets attack surface.
Threat narrative
Attacker objective: The attacker wants reusable secrets that unlock broader access than the original account compromise alone would provide.
- Entry occurs through a compromised Microsoft 365 account or an over-privileged admin account that can reach synced SharePoint content.
- Credential harvesting happens when the attacker searches synced files for tokens, .env files, configuration fragments, and certificate material.
- Impact is tenant-wide secret exposure, enabling further access into workspaces, cloud services, and downstream applications.
Breaches seen in the wild
- 230M AWS environment compromise — 230M AWS environments compromised via exposed .env files with cloud credentials.
- Google Firebase misconfiguration breach — Firebase misconfigurations exposed 19.8M secrets across developer instances.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SharePoint sync is now a secrets governance issue, not a storage convenience feature. When local files are silently promoted into a tenant-wide collaboration layer, the organisation inherits a broader exposure model than most endpoint policies assume. The important control question becomes where secrets are allowed to exist, not just how they are stored. Practitioners should treat synced file stores as part of the NHI perimeter.
Ephemeral placement does not equal ephemeral risk. A token saved locally for a short-lived task can persist in synced cloud storage long after the task ends. That creates a form of identity blast radius, where access to one user account can reveal secrets that were never intended to leave the workstation. The correct response is lifecycle control across creation, storage, sync, and offboarding.
The named concept here is sync-to-secrets exposure. It describes the pattern where endpoint backup or folder-move features convert ordinary desktop files into discoverable secret repositories. This is distinct from code repository leakage because the file types are broader and the access paths are often governed by collaboration permissions rather than developer tooling. Security programs should map this as an identity and data path together.
Cloud collaboration platforms now sit inside the NHI threat model. The article shows why teams can no longer split secrets governance between development tooling and office productivity suites. Attackers will search whichever store gives them the shortest path to reusable credentials. That means the control plane must include scanning, access review, and policy decisions across file sync, sharing, and privileged admin actions.
The practical risk is operational, not theoretical. A user thinks they are saving a local file, while the platform quietly creates another copy with different access semantics. That mismatch between user intent and system behaviour is where many governance failures start. Practitioners should focus on removing unnecessary sync paths and on monitoring the locations where secrets actually accumulate.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- For a broader control framework, Ultimate Guide to NHIs connects lifecycle governance, visibility, and offboarding into one operating model.
What this signals
Sync-to-secrets exposure is becoming a hidden control failure across Microsoft 365 estates. The governance problem is not limited to file sharing. It affects how organisations define the boundary between endpoint convenience and tenant-level credential risk, especially when Office collaboration tools are part of the daily workflow.
A stronger control model now needs to assume that a secret can move outside its intended context without any deliberate exfiltration step. That is why file sync, access review, and offboarding belong in the same programme conversation. Organisations that already track lifecycle risk in the Ultimate Guide to NHIs should extend the same discipline to collaboration storage.
The programme implication is simple. If a security team can search code repositories but not SharePoint libraries, it is only seeing part of the secret surface. Mature NHI operations will treat synced document stores as governed identity-adjacent assets, with scanning and access controls that match the sensitivity of the credentials they contain.
For practitioners
- Audit default sync paths: Map which endpoints automatically sync Desktop, Documents, and other known folders into SharePoint Online, then decide which device groups should not inherit that behaviour. Prioritise developer laptops, contractor devices, and shared workstations.
- Scan collaboration stores for secrets: Extend secret discovery to SharePoint libraries, OneDrive sites, and Teams-backed file stores. Tune detection for .env files, spreadsheets, text notes, and certificate bundles because those formats repeatedly carry reusable credentials.
- Review admin access to synced content: Check who can elevate to site collection administrator, who can search tenant content, and which service accounts can enumerate files across user sites. Limit standing access and document the approval path for emergency retrieval.
- Align offboarding with synced-file retention: When users leave, confirm that synced files, cached copies, and inherited sharing permissions are revoked or reviewed. Offboarding should close the path between a departed identity and any lingering secrets in SharePoint.
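As an added example (not code from Entro Labs or this post), the small Python scanner below ties together the KFM path logic from the technical breakdown and the "scan collaboration stores" step above: it runs constructed detection rules over constructed sample files from a Windows profile and flags which hits sit in a Known Folder Move folder, and so would become searchable tenant-wide after sync. The rule names, sample paths, and file contents are all assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Folders OneDrive Known Folder Move redirects into the tenant's OneDrive/SharePoint libraries
KFM_FOLDERS = {"Desktop", "Documents", "Pictures"}

# Constructed, illustrative rules for the file types the post names (.env, notes, cert bundles,
# tracking sheets); these are not Entro Labs' detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "env_assignment": re.compile(
        r"(?im)^\s*[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*\s*=\s*\S+"
    ),
}

def kfm_synced(path: str) -> bool:
    """True if a Windows profile path sits in a known folder that KFM would sync to the cloud."""
    parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'Users', 'alice', 'Desktop', 'api.env')
    return len(parts) >= 4 and parts[1] == "Users" and parts[3] in KFM_FOLDERS

def scan(files: dict[str, str]) -> list[dict]:
    """Run every rule over every file and tag each hit with whether KFM widens its exposure."""
    findings = []
    for path, content in files.items():
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(content):
                findings.append({
                    "path": path,
                    "rule": rule,
                    "line": content.count("\n", 0, m.start()) + 1,
                    "tenant_exposed": kfm_synced(path),  # reachable via tenant search/admins after sync
                })
    return findings

# Constructed sample "synced" files; the AKIA value is AWS's published documentation example key.
SAMPLE_FILES = {
    r"C:\Users\alice\Desktop\api.env": "DB_HOST=localhost\nDB_PASSWORD=hunter2-example\nAPI_TOKEN=tok_constructed_0001\n",
    r"C:\Users\alice\Documents\notes.txt": "call vendor on Monday\nauth header: Bearer abcdefghijklmnopqrstuvwxyz0123456789\n",
    r"C:\Users\alice\Documents\certs\bundle.pem": "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
                                                 "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
    r"C:\Users\alice\Documents\tracking.csv": "service,owner,key\ns3-export,alice,AKIAIOSFODNN7EXAMPLE\n",
    r"C:\Users\alice\AppData\Local\Temp\scratch.txt": "TOKEN=local-only-constructed\n",  # outside KFM scope
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        flag = "TENANT-WIDE" if f["tenant_exposed"] else "local-only"
        print(f'{flag:11} {f["rule"]:18} {f["path"]}:{f["line"]}')
```

The scratch file under AppData is the control case: the same token pattern is found there, but because the path is outside the KFM folders it stays a single-workstation risk rather than a tenant-wide one.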
Key takeaways
- Default file sync can turn local desktops into cloud secret repositories without the user noticing.
- The exposure is amplified by tenant search, admin visibility, and the persistence of synced copies after the original task ends.
- Security teams should extend secrets governance into collaboration platforms, not only code repositories and vaults.
Key terms
- Known Folder Move: Known Folder Move is a Windows and OneDrive feature that automatically redirects common user folders such as Desktop and Documents into cloud storage. In an enterprise setting, that can silently copy sensitive files into SharePoint-backed libraries and change the access model without the user making a conscious sharing decision.
- Sync-to-secrets exposure: Sync-to-secrets exposure is the pattern where endpoint backup or folder-move features place credentials, tokens, and configuration files into collaboration storage. The risk is not only accidental disclosure. It also creates a broader identity and admin access path that can make local secrets searchable across the tenant.
- Identity blast radius: Identity blast radius is the amount of access and data an attacker can reach after compromising one account or privileged identity. In NHI environments, it expands when a single credential is reused across systems or when synced file stores expose secrets that unlock other services and workloads.
What's in the full article
Entro Labs' full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step OneDrive KFM behaviour and the Windows defaults that trigger silent sync
- File-type examples and practical hunting patterns for secrets in SharePoint libraries
- Admin-console access paths that allow tenant-wide searches and site collection control
- Recommended policy settings for disabling or restricting auto-sync in enterprise environments
Deepen your knowledge
Secrets sprawl across collaboration platforms is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is dealing with synced desktop folders, SharePoint exposure, or offboarding gaps, this is a practical place to start.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org