When iOS users tap the upload button in Safari or another browser and see a OneDrive sign-in page for the wrong Microsoft 365 tenant, file uploads fail or go to the wrong organization. This happens because iOS Safari and many third-party browsers cache the authentication state from a previous session, especially when a user has signed into multiple tenants. This article explains why Safari redirects to the wrong tenant and provides a checklist of admin and user-side fixes to ensure web uploads always target the correct OneDrive tenant.
Key Takeaways: Fixing iOS Web Upload to the Wrong OneDrive Tenant
- Safari > Settings > Safari > Clear History and Website Data: Removes cached authentication tokens that cause tenant redirection errors.
- Microsoft 365 admin center > Settings > Org settings > Security & privacy > Authentication methods: Configure tenant-wide session policies to limit token lifetime and prevent cross-tenant token reuse.
- Azure AD > Enterprise applications > Microsoft Office 365 > Single sign-on: Enforce IdP-initiated SSO with a tenant-specific domain to force the correct tenant on each authentication request.
Why Safari on iOS Redirects Web Uploads to the Wrong Tenant
When an iOS user taps the upload button on a website that integrates with OneDrive, Safari or the in-app browser opens a Microsoft authentication page. Safari stores authentication cookies and tokens in its shared data store. If the user has previously signed into a different Microsoft 365 tenant — for example, a personal Microsoft account or a second work account — Safari may present the cached token for that other tenant instead of prompting for credentials. The Microsoft identity platform sees a valid token and silently signs the user into the wrong tenant. This is not a bug in OneDrive; it is a side effect of how Safari handles multiple identity provider sessions and the absence of a tenant-specific domain in the authentication request.
The Role of Safari’s Shared Cookie Store
Safari on iOS uses a single cookie and token store for all browsing. When a user authenticates to tenant A, the token is stored and reused for any subsequent Microsoft authentication request that does not specify a tenant ID or verified domain. The web upload flow typically uses the common endpoint (login.microsoftonline.com/common), which does not force a specific tenant. As a result, Safari silently picks the token for tenant A even when the user intends to upload to tenant B.
Why This Affects iOS Users More Than Desktop Users
Desktop browsers, especially Chrome and Edge, use per-site isolated storage and separate profile containers that reduce cross-tenant token reuse. Safari on iOS does not offer a per-site container. Additionally, iOS users often switch between personal and work accounts on the same device, making the problem more frequent. The OneDrive mobile app does not have this issue because it uses the Microsoft Authentication Library with a tenant-specific client ID and redirect URI.
Admin Checklist: Force the Correct Tenant for iOS Web Uploads
Use this checklist to reduce or eliminate the wrong-tenant redirect for iOS users. Each item targets a different layer of the authentication flow.
1. Enforce Tenant-Specific Authentication Endpoints
- Replace the common endpoint with your tenant ID
In any web application or SharePoint page that triggers OneDrive uploads, change the authentication URL from https://login.microsoftonline.com/common to https://login.microsoftonline.com/yourtenant.onmicrosoft.com or https://login.microsoftonline.com/yourtenantid. This forces the identity platform to only accept tokens issued for your tenant.
- Update app registrations in Azure AD
Go to Azure AD > App registrations > Your app > Authentication. Under the Redirect URIs section, ensure the URIs use your tenant-specific domain. Remove any URI that uses the common endpoint.
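The endpoint change in step 1 can be checked across an application's configuration. The following is an added example, not code from the original article: it flags sign-in URLs that use a shared authority (the article names common; organizations and consumers are the identity platform's other shared authorities) and rewrites them to a tenant-specific one. The tenant ID, the client_id values and contoso.example are constructed placeholders.

```javascript
// Added example: audit Microsoft sign-in URLs for shared authorities and pin
// them to one tenant. TENANT_ID, TENANT_DOMAIN and the URLs are placeholders.
const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
const TENANT_DOMAIN = "yourtenant.onmicrosoft.com"; // placeholder from the article

// Authority segments that let the identity platform choose the tenant from
// whatever session the browser already holds.
const SHARED_AUTHORITIES = new Set(["common", "organizations", "consumers"]);

function auditAuthorizeUrl(rawUrl, tenantId = TENANT_ID, tenantDomain = TENANT_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { status: "invalid", url: rawUrl };
  }
  if (url.hostname !== "login.microsoftonline.com") {
    return { status: "not-microsoft-login", url: rawUrl };
  }
  const segments = url.pathname.split("/"); // ["", "<authority>", "oauth2", ...]
  const authority = (segments[1] || "").toLowerCase();
  if (authority === tenantId.toLowerCase() || authority === tenantDomain.toLowerCase()) {
    return { status: "ok", url: rawUrl };
  }
  if (SHARED_AUTHORITIES.has(authority)) {
    segments[1] = tenantId; // pin the request to the intended tenant
    url.pathname = segments.join("/");
    return { status: "rewritten", from: authority, url: url.toString() };
  }
  // A different tenant ID or domain: report it, never rewrite silently.
  return { status: "other-tenant", from: authority, url: rawUrl };
}

// Constructed sample input: sign-in URLs as they might appear in app config.
const SAMPLE_URLS = [
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app&response_type=code",
  "https://login.microsoftonline.com/yourtenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=app",
  "https://login.microsoftonline.com/contoso.example/oauth2/v2.0/authorize?client_id=app",
];

// Returns only the entries that need attention (anything not already pinned).
function auditAll(urls) {
  return urls.map((u) => auditAuthorizeUrl(u)).filter((r) => r.status !== "ok");
}

console.log(auditAll(SAMPLE_URLS));
```

URLs reported as other-tenant are left unchanged so that a reviewer decides whether they are a misconfiguration or an intended second tenant.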
2. Configure Session Token Policies
- Set token lifetime to a shorter duration
In Azure AD > Security > Conditional Access > Session > Sign-in frequency, set a value such as 1 hour. This forces Safari to re-authenticate more often, reducing the chance of a stale token from another tenant being reused.
- Enable token protection for sign-in sessions
In Azure AD > Security > Conditional Access > Session > Token protection, enable token binding to the device. This prevents tokens from being used on a different device or browser session.
3. Use Microsoft Intune to Manage Browser Settings
- Deploy a managed browser policy
If your organization uses Intune, push Microsoft Edge for iOS as the managed browser. In Intune > Apps > App configuration policies, create a policy for Edge that forces authentication through your tenant-specific endpoint.
- Block Safari from accessing work resources
In Intune > Conditional Access > Client apps, set the policy to require an approved client app. This blocks Safari and forces users to use Edge or the OneDrive mobile app for web uploads.
4. Educate Users on Manual Cache Clearing
- Instruct users to clear Safari data before upload
Tell users to go to Settings > Safari > Clear History and Website Data on their iOS device. This removes all cached authentication tokens and forces a fresh sign-in. Users should close and reopen Safari after clearing data.
- Advise users to use the OneDrive mobile app
Web uploads are not the primary upload method for iOS. Instruct users to install the OneDrive app from the App Store and use the built-in upload feature, which always targets the correct tenant.
If Users Still See the Wrong Tenant After the Fixes
OneDrive Web Upload Redirects to a Personal Account Instead of Work Account
This occurs when Safari has a cached token for a Microsoft Account (MSA) and the authentication request does not specify the work tenant. The fix is to enforce the tenant-specific endpoint as described in step 1 of the checklist. If the issue persists, ask the user to sign out of all Microsoft accounts in Safari by going to login.microsoftonline.com and clicking Sign out everywhere.
iOS Users Cannot Access OneDrive via Safari at All
If Safari blocks the authentication page because of Conditional Access policies that require a managed browser, users may see an error instead of the sign-in page. In this case, the user must switch to Microsoft Edge for iOS or use the OneDrive app. Verify that the Conditional Access policy does not accidentally block all browser access without providing an alternative.
The OneDrive Mobile App Also Opens the Wrong Tenant
The OneDrive app uses the Microsoft Authentication Library and should always target the tenant associated with the account the user signed into. If the app shows the wrong tenant, the user likely signed into the app with a different account. Go to the app settings, tap the account name, and select Sign out. Then sign in again with the correct work account. This is not a Safari cache issue.
Web Upload via Safari vs OneDrive Mobile App: Key Differences
| Item | Web Upload via Safari | OneDrive Mobile App |
|---|---|---|
| Authentication method | Browser cookies and tokens | Microsoft Authentication Library with tenant-specific client ID |
| Tenant targeting | Depends on cached token; may redirect to wrong tenant | Always targets the tenant of the signed-in account |
| Cache clearing | Requires manual Safari history and data clear | Sign out and sign in from app settings |
| Conditional Access support | Blocked if policy requires managed browser | Fully supported with device compliance checks |
| File upload size limit | 100 MB per file in Safari | 250 GB per file in the app |
| Offline upload | Not supported | Supported with automatic sync when online |
You can now identify why iOS web uploads redirect to the wrong OneDrive tenant and apply the admin-side fixes in Azure AD, Conditional Access, and Intune. Start by updating the authentication endpoint to your tenant-specific domain in any web application that triggers OneDrive uploads. For a more reliable experience, direct iOS users to the OneDrive mobile app, which avoids browser caching issues entirely. As an advanced step, consider deploying Microsoft Edge for iOS with a tenant-specific configuration policy to eliminate Safari from the workflow.