OneDrive Admin Checklist: web upload opens the wrong tenant for Chrome users

When Chrome users click the web upload button in OneDrive, they sometimes land on the wrong Microsoft 365 tenant. Instead of their company login page, they see a personal account or a different organization. This happens because Chrome caches authentication cookies and redirects based on the last active session. This article explains the root cause, provides a step-by-step checklist for administrators to prevent the issue, and covers related failures and their fixes.

Why Chrome Users See the Wrong Tenant on OneDrive Web Upload

The OneDrive web upload button uses the Microsoft Online sign-in system. When a user clicks the button, Chrome sends a request to login.microsoftonline.com. If the browser has cached authentication cookies from a previous session with a different tenant, Microsoft identity platform redirects the user to that tenant instead of the company tenant. This happens because Chrome does not automatically clear cookies between sessions. The issue is more common when users have multiple Microsoft accounts, such as a personal Outlook.com account and a work account, and they signed in to the wrong account first.

Another contributing factor is the tenant ID mismatch. When an organization uses a custom domain that is also registered with another tenant, the authentication flow can pick the wrong tenant. This is rare but occurs when DNS settings are misconfigured or when Azure AD tenant restrictions are not enforced.

How Cookie Caching Causes the Redirect

Chrome stores cookies per site. When a user signs in to a personal OneDrive account on login.microsoftonline.com, Chrome saves the session cookie for that site. Later, when the same user clicks the web upload button on the company SharePoint or OneDrive page, Chrome sends the personal session cookie. Microsoft identity platform sees the valid cookie and signs the user in to the personal tenant. The user never sees a login prompt because the cookie is still fresh. This is not a bug; it is expected browser behavior that administrators must manage.

Administrator Checklist to Prevent Wrong Tenant Redirects

Use this checklist to configure your Microsoft 365 tenant and Chrome browser settings. Complete each step in order.

1. Restrict external sharing in OneDrive admin center
   Go to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Org settings > Services > OneDrive > Sharing. Set the external sharing slider to Only people in your organization. This prevents users from accidentally signing in to an external tenant when they click the web upload button. Click Save.
2. Enforce tenant restrictions in Azure AD
   Open the Azure AD admin portal at entra.microsoft.com. Go to Enterprise applications > Microsoft Office 365 > Properties. Set Assignment Required to Yes. Then go to Conditional Access > Policies > Create new policy. Name it Tenant Restriction for OneDrive. Under Assignments, select All users. Under Cloud apps, select Office 365. Under Access controls, select Grant and check Require device to be marked as compliant. Under Session, check Use app enforced restrictions. Set the policy to On and click Create. This forces Chrome to verify the tenant ID before allowing sign-in.
3. Configure Chrome group policy to clear cookies on exit
   If your organization manages Chrome via Group Policy, download the Chrome ADM templates from google.com/chrome. Open the Group Policy Management Console. Go to Computer Configuration > Administrative Templates > Google Chrome > Content settings. Enable the policy Clear cookies and site data on browser shutdown. Set the value to Enabled. Also enable the policy Allow or block cookies and set it to Block third-party cookies. Apply the policy to all user computers. This forces Chrome to remove authentication cookies after each session, preventing tenant cache issues.
4. Configure multi-tenant app consent policy
   In Azure AD, go to Enterprise applications > Consent and permissions > User consent settings. Set the user consent policy to Do not allow user consent. Under Admin consent requests, select Allow admin consent for all users. This prevents users from granting apps access to a different tenant. Click Save.
5. Enable Azure AD Identity Protection for sign-in risk
   In Azure AD, go to Security > Identity Protection > MFA registration policy. Set the policy to On and assign it to All users. Under User risk policy, set it to On and select Medium and above. This forces Chrome users to pass multi-factor authentication when signing in from an unrecognized device or location, reducing the chance of landing on the wrong tenant.
6. Communicate the fix to Chrome users
   Send an email or post an announcement explaining that users must clear their browser cookies for login.microsoftonline.com if they see the wrong tenant. Include the steps: Open Chrome, click the three-dot menu, go to Settings > Privacy and security > Clear browsing data. Select All time, check Cookies and other site data, and click Clear data. Then restart Chrome and try the web upload again.

If OneDrive Web Upload Still Opens the Wrong Tenant

Chrome users see a personal Microsoft account instead of work account

This is the most common symptom. The user clicks Upload on the company OneDrive page, but the browser redirects to login.live.com or a personal OneDrive interface. The fix is to clear Chrome cookies as described in step 6. If the issue persists, check if the user has a personal Microsoft account that is the default sign-in account in Chrome. Instruct the user to sign out of all accounts: click the profile icon in Chrome, click Sign out. Then sign in only to the work account.

Web upload button is grayed out for Chrome users

This is not a tenant redirect issue but a browser compatibility problem. OneDrive web upload requires modern JavaScript and fails if Chrome extensions block scripts. Ask the user to disable ad blockers or script blockers for the OneDrive domain. Go to Chrome > Settings > Extensions, disable each extension one by one, and test the upload button. If the button works after disabling an extension, keep that extension disabled for the OneDrive site.

Chrome users get an error message: “You don’t have access to this tenant”

This error appears when Azure AD tenant restrictions are enforced but the user’s browser is sending a cookie from a blocked tenant. The user must clear cookies and sign in again. If the error persists, the user may have a conflicting guest account in the wrong tenant. Remove the guest account: go to Azure AD > Users > External users, find the user, and click Delete. Then ask the user to sign in again.

OneDrive Web Upload Tenant Behavior: Cookies vs Tenant Restrictions

Item	Browser Cookie Caching	Azure AD Tenant Restrictions
What it controls	Which session token Chrome sends on authentication requests	Which tenants are allowed to issue tokens for your organization
How it causes wrong tenant	Chrome sends a cached personal session token instead of the work token	If not configured, Chrome can accept tokens from any tenant
Who configures it	User clears cookies; admin can enforce Chrome policy	Admin sets Conditional Access policy in Azure AD
Effectiveness	Works only after cookies are cleared manually	Blocks redirect to wrong tenant regardless of cookies
Limitation	Does not prevent future caching	Requires Azure AD Premium P1 license

Cookie caching is the immediate cause of the wrong tenant redirect. Azure AD tenant restrictions are the permanent solution because they block the redirect at the authentication level. Use both together for full protection.

After completing this checklist, Chrome users will see the correct tenant when they click the OneDrive web upload button. Test the fix by clearing cookies on a test machine and verifying that the upload button redirects to your company login page. For ongoing prevention, set a reminder to review Azure AD tenant restriction policies every quarter. The most effective long-term approach is to combine Chrome group policy for cookie clearing with Azure AD Conditional Access tenant restrictions.