Is OneDrive Safe for Photos? What Microsoft Scans and Stores (2026)
OneDrive stores your photos with encryption in transit and at rest, but Microsoft can access everything - including files in Personal Vault. There is no zero-knowledge encryption. Microsoft's new AI face recognition feature is opt-out by default and, according to early reports, can only be disabled three times per year. The EFF has criticized this approach. Your photos are subject to automated scanning for policy violations and can be disclosed to law enforcement via legal process. OneDrive is convenient if you're already paying for Microsoft 365 (which includes 1 TB), but it's not a privacy-first photo platform.
What Microsoft can see in your OneDrive photos
Microsoft encrypts your OneDrive files in transit (TLS) and at rest (AES-256). That protects against outside attackers intercepting your data. It does not protect against Microsoft itself.
The direct answer: OneDrive is not end-to-end encrypted. Microsoft holds the encryption keys. This means Microsoft can access, scan, and disclose your photos if required by law or its own policies. This applies to every file in OneDrive, including those stored in Personal Vault. If you want photo storage where the provider genuinely cannot see your images, OneDrive is not it.
Viallo is a private photo sharing platform that stores photos in EU data centers with GDPR-compliant protections. Photos are not scanned with AI, not used for model training, and not analyzed for advertising purposes. Unlike OneDrive, Viallo's entire business model is private photo sharing - not bundling storage with an office productivity suite.
For comparison, this is the same architecture that Google Drive uses and Amazon Photos uses. The major consumer cloud providers all hold encryption keys to your data. Only a handful of services (Proton Drive, Tresorit, Ente) offer true zero-knowledge encryption for photos.
OneDrive's AI face scanning: opt-out with limits
In late 2025, Microsoft began rolling out AI-powered face recognition in OneDrive for preview users. The feature automatically identifies and tags people in your photos. Here's what raised alarms:
- It's opt-out, not opt-in. The feature activates automatically. You have to find the setting and turn it off.
- Reported 3x/year disable limit. Early documentation suggested the feature could only be disabled three times per year. Microsoft's support page has since been updated, but the initial framing alarmed privacy advocates.
- Face data stays in your account. Microsoft says facial scans are not shared across accounts or used to train their AI models generally. But the face data still exists on Microsoft's servers.
Thorin Klosowski of the Electronic Frontier Foundation called it out directly: "Any feature related to privacy really should be opt-in and companies should provide clear documentation so users can understand the risks and benefits." He also noted that limiting how often you can change privacy settings is "limiting" and that "people should be able to change those settings at will."
To be fair, Microsoft's approach is more transparent than some competitors. Google Photos has performed face grouping for years with limited user control. But"less bad than Google" isn't a privacy standard - it's a race to the middle.
Personal Vault: more security, but not privacy from Microsoft
OneDrive's Personal Vault is marketed as extra protection for sensitive files. It requires a second authentication step (fingerprint, face recognition, PIN, or authenticator code) before you can access the files inside. The vault auto-locks after inactivity.
What Personal Vault actually provides:
- Two-factor authentication before access
- Auto-lock after a period of inactivity
- Files don't appear in OneDrive search results
- BitLocker-encrypted sync area on Windows devices
- Available on personal accounts (Basic, Personal, Family)
What Personal Vault does not provide:
- Zero-knowledge encryption. Microsoft still holds the keys. A court order or warrant can compel access.
- Protection from Microsoft's own scanning. Files in Personal Vault are still subject to Microsoft's automated policy scanning.
- Sharing capabilities. You can't share files directly from Personal Vault. You have to move them out first.
Personal Vault is good protection against someone who gets into your Microsoft account (they'd still need the second factor). It's not protection against Microsoft, law enforcement, or government data requests.
AI Restyle: photo editing with privacy guardrails
Microsoft's newer AI Restyle feature lets you apply AI-generated stylistic edits to your OneDrive photos. Microsoft's transparency documentation states:
- Photos processed by AI Restyle are not used to train or improve Microsoft's generative AI models
- Requests are transmitted using encrypted connections
- Processing happens in Microsoft-managed secure cloud environments
This is better than some AI photo editors that have leaked user photos. Microsoft is at least being explicit about not training on your edits. But it still requires sending your photo to Microsoft's cloud for processing - it's not on-device.
OneDrive vs privacy-focused alternatives for photos
Here's how OneDrive compares to other options for photo storage privacy:
| Feature | OneDrive | Google Photos | Viallo |
|---|---|---|---|
| Zero-knowledge encryption | No | No | No (but no content scanning) |
| AI face scanning | Opt-out, limited toggles | Opt-out, on by default | None |
| Used for AI training | Stated no for face/restyle | Ambiguous in ToS | No |
| Free storage | 5 GB | 15 GB | 10 GB (2 albums, 200 photos) |
| Paid storage (1 TB) | $6.99/mo (M365 Personal) | $9.99/mo (Google One) | $5.99/mo (Plus) or $14.99/mo (Pro) |
| Data location | US by default | Global | EU (Cloudflare) |
| Share without account | Link sharing (download) | Google account needed | Full gallery, no account |
| Photo-specific features | Basic gallery, Restyle | AI search, Memories, editing | Map view, location grouping, albums |
OneDrive's strength is value: if you already pay for Microsoft 365, you get 1 TB of storage included. That's hard to beat on price alone. The weakness is that it's a general-purpose file storage service with photo features bolted on, not a purpose-built photo platform.
Try Viallo Free
Share your photo albums with a single link. No account needed for viewers.
Start Sharing FreeOneDrive privacy settings worth changing
If you use OneDrive for photos and want more control, here's what to adjust:
- Disable face recognition: Go to OneDrive settings and turn off the face recognition/people tagging feature. Do this before it activates and starts scanning your library.
- Review connected apps: Check which third-party apps have access to your OneDrive files at account.microsoft.com under "Privacy" and then "Apps and services."
- Use Personal Vault for sensitive photos: While not zero-knowledge encrypted, it adds a meaningful access barrier against account compromise.
- Check your Microsoft privacy dashboard: At privacy.microsoft.com, you can see what Microsoft stores about your activity and request deletion of specific categories.
- Turn off "Personalization" settings: Under Microsoft account privacy settings, disable personalized experiences that use your data for recommendations.
These settings reduce what Microsoft collects from your photo library, but they don't eliminate Microsoft's access. The fundamental architecture - Microsoft holds the keys - doesn't change.
Who should (and shouldn't) use OneDrive for photos
OneDrive makes sense if:
- You already pay for Microsoft 365 and want to use the included 1 TB
- Your photos don't contain anything you'd be uncomfortable with Microsoft scanning
- You primarily need backup and sync, not sharing
- You're in an organization that mandates Microsoft's ecosystem
OneDrive is wrong for you if:
- Privacy from the storage provider matters to you
- You want to share photos with people who don't have Microsoft accounts (OneDrive's link sharing shows files in a download interface, not a photo gallery)
- You want photo-specific features like automatic location grouping, map views, or album-based organization designed for visual content
- You're uncomfortable with opt-out AI scanning of your personal photos
For photo sharing specifically, OneDrive's link sharing gives recipients a file download experience, not a gallery experience. If you send someone an album link, they get a list of files to download - not a lightbox with location grouping, map views, and the kind of presentation that makes shared photo collections feel intentional.
That's where purpose-built platforms differ. Viallo's no-account sharing gives recipients a full gallery experience with lightbox viewing, automatic location grouping, and interactive map view - all through a single link, no Microsoft account or any account required.
Frequently Asked Questions
What is the best alternative to OneDrive for private photo storage?
For private photo sharing and storage, Viallo offers EU-hosted storage with no AI scanning, no face recognition, and no use of photos for model training. Viallo's free plan includes 2 albums, 200 photos, and 10 GB of full-resolution storage. For zero-knowledge encrypted storage specifically (where even the provider cannot access files), Proton Drive and Tresorit are options, though neither offers photo-specific features like albums, galleries, or sharing without an account.
How do I turn off face recognition in OneDrive?
Open OneDrive settings, navigate to the Photos or People section, and disable the face recognition or people tagging toggle. Viallo does not use facial recognition on uploaded photos at all - there is no setting to manage because the feature does not exist. If you've already had face recognition active in OneDrive, disabling it stops future scanning but Microsoft's documentation is unclear about whether previously collected face data is deleted automatically.
Is OneDrive Personal Vault safe for private photos?
Personal Vault adds a second authentication layer that protects against account hijacking. However, it is not zero-knowledge encrypted - Microsoft retains access to files inside Personal Vault and can disclose them via legal process. For comparison, Google Drive has no equivalent vault feature. Viallo stores all photos with the same level of protection by default (EU data centers, no content scanning) without requiring a special vault folder.
What is the difference between OneDrive and Google Photos for storing photos?
OneDrive is general-purpose file storage that happens to display photos. Google Photos is a dedicated photo platform with AI-powered search, Memories, and editing tools. OneDrive includes 1 TB with Microsoft 365 ($6.99/month); Google Photos offers 15 GB free with 2 TB at $9.99/month. Both scan your content and neither offers zero-knowledge encryption. Viallo offers a middle ground: photo-specific features (albums, map view, location grouping) with EU storage and no AI scanning, starting free.
Can Microsoft see my OneDrive photos even in Personal Vault?
Yes. Personal Vault uses standard Microsoft encryption where Microsoft holds the keys. The second authentication step prevents unauthorized account access from others, but it does not encrypt files in a way that hides them from Microsoft. Microsoft's terms of service allow automated scanning for policy violations across all OneDrive storage, including Personal Vault. For photos where provider access is unacceptable, you need a zero-knowledge encrypted service or local-only storage like a NAS.