OneDrive Admin Checklist: web upload fails in one browser for conditional access policies

When a user reports that uploading files to OneDrive via a web browser fails in one browser but works in another, the cause is almost always a conditional access policy in Microsoft Entra ID. Conditional access policies enforce device compliance, sign-in risk, or location requirements that a specific browser may not meet. This article explains how to identify the policy blocking the upload, check browser compatibility with conditional access, and adjust settings to resolve the failure without weakening security.

Key Takeaways: Conditional Access Policy Blocking OneDrive Web Upload

  • Microsoft Entra admin center > Protection > Conditional Access > Policies: Review and identify which policy is targeting OneDrive and the browser session.
  • Azure AD sign-in logs > Conditional Access tab: Check the exact policy that denied the upload request and the reason for denial.
  • Browser developer tools > Network tab: Inspect the HTTP 403 or 401 response to confirm the upload was blocked by an authentication or policy check.

Why OneDrive Web Upload Fails in One Browser

Conditional access policies in Microsoft Entra ID evaluate each sign-in request against conditions such as device platform, client app, sign-in risk, and location. When a user uploads a file to OneDrive through a web browser, the browser sends a token that includes claims about the device and session. If the token does not satisfy a policy requirement — for example, the device is not marked as compliant or the browser does not support modern authentication — the upload request is denied.

The most common scenario is a policy that requires device compliance or a managed browser for OneDrive. A browser like Firefox or Brave may not report device compliance information the same way Edge or Chrome does. Alternatively, a policy that blocks unmanaged devices may allow the upload in a browser that is joined to Microsoft Entra ID but block it in a browser that is not.

Browser-specific failures also occur when the browser lacks support for modern authentication or single sign-on. Older browser versions or browsers with disabled third-party cookies may fail to pass the token refresh required for large uploads. The result is a stalled upload, a 403 error, or a redirect to a sign-in page that loops.

Checklist to Diagnose and Fix the Browser Upload Failure

  1. Identify the affected browser and user
    Ask the user which browser fails and which succeeds. Note the browser name, version, and whether the browser is managed by Intune or joined to Microsoft Entra ID. Also confirm whether the upload works in a private or incognito window in the same browser.
  2. Review conditional access policies in Microsoft Entra admin center
    Go to Microsoft Entra admin center > Protection > Conditional Access > Policies. Look for policies that include Microsoft OneDrive or Office 365 as a target cloud app. Check the Conditions section for device platform, client app, sign-in risk, and location filters.
  3. Check the sign-in logs for the failed upload
    In the Microsoft Entra admin center, go to Identity > Monitoring & health > Sign-in logs. Filter by the user and time of the failed upload. Select the sign-in event and open the Conditional Access tab. This tab shows which policies were evaluated, which policy denied access, and the exact reason (for example, “Device not compliant” or “Client app not allowed”).
  4. Inspect browser network traffic
    Open the browser developer tools (F12) and go to the Network tab. Reproduce the upload. Look for requests to login.microsoftonline.com or graph.microsoft.com that return HTTP status 401 Unauthorized or 403 Forbidden. The response body may include an error message like “AADSTS53003” which indicates a conditional access block.
  5. Verify browser compatibility with conditional access
    Microsoft supports conditional access in the latest versions of Edge, Chrome, Firefox, and Safari. However, policies that require a managed browser or device compliance may only work with Edge or Chrome when the device is enrolled in Intune. Check the Grant section of the policy to see whether Require device to be marked as compliant or Require Microsoft Edge browser is enabled.
  6. Test with a policy exclusion for the browser
    If the policy is too restrictive, create a temporary exclusion in the conditional access policy. Under Conditions > Client apps, ensure Browser is selected. Under Grant, add a second control like Require multi-factor authentication instead of device compliance. Apply the change to a test group first.
  7. Update or replace the browser
    If the browser is outdated, update it to the latest version. If the policy requires a managed browser, instruct the user to install Microsoft Edge and sign in with the same work account. Edge reports device compliance status to Microsoft Entra ID through the Device Registration Service.
  8. Check OneDrive upload settings in SharePoint admin center
    Go to SharePoint admin center > Policies > Access control > Conditional Access. Verify that the Use Conditional Access policy to control access from unmanaged devices setting is either turned off or configured to allow browser access. If set to Block access, only compliant devices can upload through the web.
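
Steps 3 and 4 can be cross-checked offline against an exported sign-in log. The Python below is an added example, not part of the original checklist or any Microsoft tool: it groups one user's sign-ins by browser and reports the policies whose result was failure, but only when another browser succeeded. It assumes records shaped like the Microsoft Graph signIn resource; the sample records, user name and policy name are constructed.

```python
from collections import defaultdict

CA_BLOCK_CODE = 53003  # AADSTS53003, the conditional access block named in step 4

# Constructed sample records (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; the portal's JSON export is assumed to match.
def sample(browser, code, compliant, result):
    return {"userPrincipalName": "user@contoso.example",
            "appDisplayName": "Office 365 SharePoint Online",
            "status": {"errorCode": code},
            "deviceDetail": {"browser": browser, "isCompliant": compliant},
            "appliedConditionalAccessPolicies": [
                {"displayName": "Require compliant device (constructed)",
                 "result": result,
                 "enforcedGrantControls": ["RequireCompliantDevice"]}]}

SAMPLE_RECORDS = [sample("Edge 124.0.0", 0, True, "success"),
                  sample("Firefox 125.0", CA_BLOCK_CODE, False, "failure"),
                  sample("Firefox 125.0", CA_BLOCK_CODE, False, "failure")]

def browser_family(detail):
    # "Firefox 125.0" -> "Firefox"; sign-ins without browser info become "unknown"
    name = (detail or {}).get("browser") or "unknown"
    return name.rsplit(" ", 1)[0] if name[-1:].isdigit() else name

def summarize_by_browser(records, upn):
    """Per browser: successful sign-ins, CA blocks, and the policies that failed."""
    summary = defaultdict(lambda: {"ok": 0, "ca_blocked": 0, "policies": {}})
    for rec in records:
        if rec.get("userPrincipalName", "").lower() != upn.lower():
            continue
        entry = summary[browser_family(rec.get("deviceDetail"))]
        code = (rec.get("status") or {}).get("errorCode", 0)
        entry["ok"] += code == 0
        entry["ca_blocked"] += code == CA_BLOCK_CODE
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("result") == "failure":  # skip notApplied / reportOnly results
                entry["policies"][pol.get("displayName", "?")] = pol.get("enforcedGrantControls", [])
    return dict(summary)

def browser_specific_blocks(records, upn):
    """Failed policies per browser, only if some other browser signed in fine."""
    summary = summarize_by_browser(records, upn)
    if not any(e["ok"] for e in summary.values()):
        return {}  # nothing succeeded anywhere: not a browser-specific problem
    return {b: e["policies"] for b, e in summary.items() if e["policies"]}

if __name__ == "__main__":
    for browser, policies in browser_specific_blocks(SAMPLE_RECORDS, "user@contoso.example").items():
        print(browser, "blocked by:", policies)
```

An empty result when every browser is blocked points to a device or account condition rather than the browser, which is the distinction step 1 asks the user to establish.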

If OneDrive Web Upload Still Fails After Adjusting Conditional Access

OneDrive upload shows “Something went wrong” error

This error often appears when the browser blocks third-party cookies or storage. Conditional access policies use cookies to maintain the session. Go to the browser settings and allow cookies for login.microsoftonline.com and microsoft.com. Also clear the browser cache for the last hour and restart the browser.

Upload succeeds in one browser but fails in another on the same device

This confirms the issue is browser-specific rather than device-specific. Check if the failing browser supports WebAuthn or FIDO2, which some conditional access policies require for passwordless authentication. If the policy uses the Require authentication strength grant control, the browser must support the specified MFA method.

Upload fails in Chrome but works in Edge

Chrome may not report device compliance unless the device is enrolled in Microsoft Entra ID and the Chrome browser is managed through a policy. Edge, on the other hand, reports compliance automatically when the device is Microsoft Entra joined. To fix this, install the Microsoft Single Sign-on extension in Chrome or enroll the device in Intune.

Conditional Access Policy Controls vs Browser Upload Behavior

| Policy Control | Effect on Edge | Effect on Chrome (unmanaged) |
|---|---|---|
| Require device to be marked as compliant | Upload allowed if device is Intune compliant | Upload blocked unless Chrome extension is installed |
| Require Microsoft Edge browser | Upload allowed | Upload blocked |
| Block access from unmanaged devices | Upload allowed if device is Microsoft Entra joined | Upload blocked |
| Require multi-factor authentication | Upload allowed after MFA prompt | Upload allowed after MFA prompt |

OneDrive web upload fails in a single browser when a conditional access policy enforces a requirement that the browser cannot meet. By reviewing the sign-in logs and policy conditions in the Microsoft Entra admin center, you can identify the exact policy and adjust it. Use the Client apps condition to exclude mobile and desktop clients if the policy is meant only for browsers. For production environments, always test policy changes on a pilot group before tenant-wide deployment.
