Notifications
Clear all
Topic starter
11/05/2026 8:59 pm
TL;DR: Entro Labs says 1 in 5 exposed enterprise secrets originated in SharePoint, driven largely by OneDrive auto-sync that moves local Desktop and Documents files into cloud libraries, widening access far beyond the file owner. That pattern turns convenience features into identity and secrets governance problems, not just storage issues, according to Entro Labs.
NHIMG editorial — based on research published by Entro Security.
By the numbers:
- More than 50% of SharePoint-hosted secrets came from .xlsx workbooks, tracking sheets, logs, or developer scratchpads.
Questions worth separating out
Q: How should organisations handle secrets stored in SharePoint and OneDrive?
A: Treat them as governed secret stores, not informal file shares.
Q: Why do synced desktop folders create an NHI governance problem?
A: Because they move data from a local trust boundary into a cloud access model where multiple identities can reach it.
Q: What is the difference between source control leakage and SharePoint secret exposure?
A: Source control leakage usually affects code repositories and development workflows, where secrets tools are more common.
Practitioner guidance
- Audit default sync paths Map which endpoints automatically sync Desktop, Documents, and other known folders into SharePoint Online, then decide which device groups should not inherit that behaviour.
- Scan collaboration stores for secrets Extend secret discovery to SharePoint libraries, OneDrive sites, and Teams-backed file stores.
- Review admin access to synced content Check who can elevate to site collection administrator, who can search tenant content, and which service accounts can enumerate files across user sites.
It affects how organisations define the boundary between endpoint convenience and tenant-level credential risk, especially when Office collaboration tools are part of the daily workflow?
👉 Read Entro Labs' analysis of SharePoint auto-sync and secret exposure →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
11/05/2026 8:59 pm
A few things worth adding from our research at NHI Mgmt Group.
SharePoint sync is now a secrets governance issue, not a storage convenience feature. When local files are silently promoted into a tenant-wide collaboration layer, the organisation inherits a broader exposure model than most endpoint policies assume. The important control question becomes where secrets are allowed to exist, not just how they are stored. Practitioners should treat synced file stores as part of the NHI perimeter.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The 2025 State of NHIs and Secrets in Cybersecurity.
A question worth separating out:
Q: Should security teams disable OneDrive auto-sync by default?
A: They should disable or restrict it where the business does not need continuous folder backup. If the organisation keeps the feature, it should be paired with policy controls, user awareness, and secret scanning. The decision depends on risk tolerance, but default enablement without governance is a poor control posture for sensitive environments.
👉 Read our full editorial: SharePoint auto-sync can turn local files into tenant-wide secret exposure
