OneDrive Admin Checklist: web upload opens the wrong tenant for Edge users

When Edge users click the upload button in a SharePoint or OneDrive web interface, the browser sometimes opens the wrong Microsoft 365 tenant. Instead of the expected company tenant, users see a login prompt for a different organization or an error that the file cannot be uploaded. This problem occurs because Edge caches authentication tokens from multiple tenant sessions and then misdirects the upload request. This article explains the root cause, provides a step-by-step checklist for administrators to resolve the issue, and covers related failure patterns you may encounter.

Key Takeaways: Web Upload Tenant Misdirection in Edge

  • Edge profile isolation: Use separate browser profiles for each tenant to prevent token cache overlap.
  • Clear authentication cache: Open edge://settings/clearBrowsingData and clear “Cookies and other site data” to remove stale tokens.
  • Conditional Access policy: Configure session control to restrict token reuse across tenants.

Why Edge Opens the Wrong Tenant for Web Uploads

Microsoft Edge stores authentication tokens in a browser profile that can span multiple Microsoft 365 tenants. When a user signs in to Tenant A and then later signs in to Tenant B in the same profile, Edge retains tokens for both. The web upload dialog in SharePoint or OneDrive sends an authentication request that Edge may satisfy with the wrong cached token, especially if the user clicked “Stay signed in” for Tenant B. The result is a redirect to the wrong tenant login page or a permission error.

This behavior is not a bug. It is a side effect of Edge’s multi-account support and the way Microsoft 365 handles federated authentication. The browser does not differentiate between tenant contexts when it processes the upload request. The fix involves either isolating profiles or clearing the token cache at the correct time.

How Edge Profiles and Cookies Cause the Issue

Each Edge profile stores its own set of cookies, site data, and authentication tokens. If a user works with two tenants in the same profile, the token cache contains entries for both. When the web upload dialog triggers a new authentication flow, Edge picks the first matching token from the cache. If the token belongs to the wrong tenant, the upload fails or redirects to that tenant’s login page.

When the Problem Occurs Most Frequently

Administrators report this issue after users:

  • Switch between tenants in the same browser session without signing out
  • Use the same Edge profile for personal and work Microsoft 365 accounts
  • Have multiple identity providers federated with Microsoft Entra ID

Checklist: Steps to Fix Web Upload Opening the Wrong Tenant

Follow this checklist in order. Each step addresses a specific layer of the problem. After completing all steps, test the upload again in a fresh Edge session.

  1. Step 1: Clear browser cookies and cached tokens
    In Edge, go to edge://settings/clearBrowsingData. Select “Cookies and other site data” and “Cached images and files.” Set the time range to “All time.” Click “Clear now.” This removes all tenant tokens from the profile. After clearing, sign in only to the correct tenant and test the upload.
  2. Step 2: Use a dedicated Edge profile per tenant
    In Edge, click the profile icon in the top-right corner. Select “Add profile” and name it for the tenant, for example “Contoso Work.” Sign in to Microsoft 365 only in this profile. Do not sign in to any other tenant in this profile. Use a separate profile for each tenant. This isolates the token cache completely.
  3. Step 3: Disable automatic sign-in in Edge
    Go to edge://settings/profiles. Turn off “Automatically sign in to Microsoft sites with your work or school account.” This prevents Edge from using cached credentials from other tenants when the upload dialog opens.
  4. Step 4: Configure Conditional Access session controls
    In the Microsoft Entra admin center, go to Identity > Protection > Conditional Access > Policies. Create a policy that targets the SharePoint Online cloud app. Under Session, enable “Use app enforced restrictions.” This forces the browser to reauthenticate with the correct tenant context for each SharePoint session. Assign the policy to all users who report this issue.
  5. Step 5: Deploy the Microsoft 365 Apps for enterprise policy to restrict token sharing
    Use Group Policy or Intune to deploy the administrative template for Microsoft 365 Apps. Enable the setting “Restrict token sharing between tenants under the same browser profile.” This setting is available in the Microsoft 365 Group Policy Administrative Templates version 16.0.16827 or later. The setting forces each tenant to use a separate token cache.
  6. Step 6: Test in InPrivate mode
    Open an InPrivate window in Edge (Ctrl+Shift+N). Sign in to the correct tenant. Upload a file to SharePoint or OneDrive. If the upload works, the issue is caused by cached data in the regular profile. Continue with Step 1 or Step 2 as the permanent fix.

If Edge Still Opens the Wrong Tenant After the Main Fix

Edge shows the wrong tenant name in the upload dialog title bar

The dialog title bar displays the tenant name from the cached token, not the site context. The fix is to clear the browser data for the specific SharePoint site. Go to edge://settings/siteData. Search for the SharePoint domain. Click the trash icon to remove site data for that domain. Reload the site and try the upload again.

Upload fails with a generic authentication error

This error occurs when the token cache contains a token that is expired or belongs to a tenant that no longer exists. Clear all cookies and site data as described in Step 1. If the error persists, check the Microsoft Entra ID sign-in logs for the user. Look for an authentication failure with error code AADSTS50020, which indicates a tenant mismatch. If you see this code, the browser is presenting a token from the wrong tenant.

Users see a loop between two tenant login pages

The browser alternates between the login pages of two tenants because both tenants are federated with the same identity provider. The fix is to use a dedicated Edge profile for each tenant as described in Step 2. Alternatively, configure the identity provider to send a domain_hint parameter in the authentication request. This parameter tells the identity provider which tenant to use.
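
To see which tenant a looping sign-in request actually targets, the request URLs from a browser network capture can be checked for their tenant path segment and domain_hint value. The following is an added example, not part of the original article; the URLs, the placeholder client_id, and the contoso.example and fabrikam.example names are constructed.

```python
from urllib.parse import urlsplit, parse_qs

GENERIC_TENANTS = {"common", "organizations", "consumers"}

def classify_authorize_url(url, expected_ids):
    """Return a verdict for one sign-in request URL.

    expected_ids: identifiers of the tenant the upload should use
    (tenant GUID and/or verified domain names), compared case-insensitively.
    """
    expected = {e.lower() for e in expected_ids}
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if (parts.hostname != "login.microsoftonline.com"
            or len(segs) < 2 or segs[-1].lower() != "authorize"):
        return "ignored"       # not an Entra authorize request
    tenant = segs[0].lower()
    hint = (parse_qs(parts.query).get("domain_hint") or [""])[0].lower()
    if tenant not in GENERIC_TENANTS:
        return "ok" if tenant in expected else "wrong-tenant"
    if not hint:
        return "no-hint"       # generic endpoint, nothing in the URL selects a tenant
    return "ok" if hint in expected else "wrong-hint"

def triage(urls, expected_ids):
    """Map each verdict to the URLs that produced it, skipping 'ignored'."""
    out = {}
    for u in urls:
        verdict = classify_authorize_url(u, expected_ids)
        if verdict != "ignored":
            out.setdefault(verdict, []).append(u)
    return out

# Constructed sample capture; the client_id is a placeholder value.
_BASE = "https://login.microsoftonline.com/"
_CID = "client_id=00000000-0000-0000-0000-000000000000"
SAMPLE_URLS = [
    _BASE + "common/oauth2/v2.0/authorize?" + _CID + "&domain_hint=contoso.example",
    _BASE + "common/oauth2/v2.0/authorize?" + _CID,
    _BASE + "organizations/oauth2/v2.0/authorize?" + _CID + "&domain_hint=fabrikam.example",
    _BASE + "fabrikam.example/oauth2/authorize?" + _CID,
    _BASE + "CONTOSO.example/oauth2/v2.0/authorize?" + _CID,
    "https://contoso.sharepoint.com/_layouts/15/upload.aspx",
]

if __name__ == "__main__":
    for verdict, urls in triage(SAMPLE_URLS, {"contoso.example"}).items():
        print(verdict, len(urls))
```

Requests reported as no-hint, wrong-hint or wrong-tenant are the ones to compare against the loop the users see.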

Edge Profile Isolation vs Clearing Cookies: Key Differences

| Item | Dedicated Edge Profile | Clear Browser Cookies |
|---|---|---|
| Effort | High — requires creating and maintaining separate profiles | Low — one-time action per session |
| Persistence | Permanent fix; tokens never mix | Temporary fix; tokens rebuild after each sign-in |
| User training needed | Yes — users must learn to switch profiles | No — users clear cookies when problem appears |
| Impact on other sites | None — other sites are unaffected | All sites lose saved logins and preferences |
| Best for | Administrators managing multiple tenants daily | Occasional tenant switching for specific tasks |

After applying the checklist, Edge users should see the correct tenant login page when they click the upload button in SharePoint or OneDrive. If the problem persists, verify that no third-party browser extensions are modifying authentication headers. Disable all extensions in Edge and test again. For ongoing monitoring, enable sign-in logs in Microsoft Entra ID to catch tenant mismatch errors early.
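
The sign-in log check for AADSTS50020 described under "Upload fails with a generic authentication error", and the ongoing monitoring suggested above, can be run over an exported log. The following is an added example, not part of the original article; it assumes a JSON export whose records use Microsoft Graph signIn field names, and every user, timestamp and browser string in the sample is constructed.

```python
import json
from collections import defaultdict

TENANT_MISMATCH = 50020  # AADSTS50020, the code the article says to look for

def _rec(upn, ts, browser, code):
    # Builds one constructed record using Microsoft Graph signIn field names.
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "resourceDisplayName": "Office 365 SharePoint Online",
            "deviceDetail": {"browser": browser}, "status": {"errorCode": code}}

# Constructed sample export; users, times and browsers are invented.
SAMPLE_EXPORT = json.dumps([
    _rec("alice@contoso.example", "2024-05-06T08:01:10Z", "Edge 124.0.0", 50020),
    _rec("alice@contoso.example", "2024-05-06T08:01:42Z", "Edge 124.0.0", 50020),
    _rec("Alice@contoso.example", "2024-05-06T09:15:03Z", "Edge 124.0.0", "50020"),
    _rec("alice@contoso.example", "2024-05-06T09:20:00Z", "Edge 124.0.0", 50126),
    _rec("bob@contoso.example", "2024-05-06T08:30:00Z", "Chrome 124.0.0", 50020),
    _rec("carol@contoso.example", "2024-05-06T08:45:00Z", "Edge 124.0.0", 0),
])

def tenant_mismatch_report(export_json, min_failures=2):
    """Group AADSTS50020 failures per user; return users at or above the threshold."""
    hits = defaultdict(list)
    for rec in json.loads(export_json):
        try:
            code = int((rec.get("status") or {}).get("errorCode", 0))
        except (TypeError, ValueError):
            continue  # malformed row: skip rather than abort the whole report
        if code != TENANT_MISMATCH:
            continue
        browser = (rec.get("deviceDetail") or {}).get("browser") or ""
        hits[(rec.get("userPrincipalName") or "unknown").lower()].append(
            (rec.get("createdDateTime") or "", browser.lower().startswith("edge")))
    report = []
    for user, events in hits.items():
        if len(events) < min_failures:
            continue
        events.sort()  # ISO 8601 UTC timestamps sort correctly as strings
        report.append({"user": user, "count": len(events),
                       "edge_count": sum(is_edge for _, is_edge in events),
                       "first": events[0][0], "last": events[-1][0]})
    return sorted(report, key=lambda r: (-r["count"], r["user"]))

if __name__ == "__main__":
    for row in tenant_mismatch_report(SAMPLE_EXPORT):
        print(row)
```

Users with repeated failures from Edge are the candidates for the dedicated-profile fix in Step 2.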
