OneDrive for Business web upload troubleshooting for conditional access policies: fails in one browser

You try to upload a file to OneDrive for Business through a web browser, but the upload fails or hangs indefinitely. This problem often occurs when your organization uses Microsoft Entra ID Conditional Access policies that restrict access based on device compliance, location, or browser type. One browser may be blocked while another works because of differences in how each browser handles authentication tokens, cookies, or device claims. This article explains why Conditional Access policies cause browser-specific upload failures and provides step-by-step fixes to resolve the issue.

Key Takeaways: Fixing Web Upload Failures Caused by Conditional Access Policies

  • Browser session state and cookies: Clearing cookies and cache in the failing browser often resolves stale authentication tokens that block uploads.
  • Conditional Access policy evaluation per browser: Each browser sends different device claims (User-Agent, client ID) which can trigger different policy outcomes; test in a private/incognito window to isolate.
  • Microsoft Entra admin center > Conditional Access > Policies: Review which policies apply to the Office 365 Online cloud app and exclude the failing browser’s client ID if appropriate.


Why Conditional Access Policies Block OneDrive Web Uploads in One Browser

Conditional Access policies in Microsoft Entra ID evaluate each sign-in request based on signals such as user location, device compliance, risk level, and client application. When you use OneDrive for Business in a web browser, the browser acts as a client application that sends specific claims to Microsoft Entra ID. Two browsers on the same computer can produce different results because they send different User-Agent strings, have different stored cookies, or handle authentication tokens differently.

For example, a policy may require a device to be marked as compliant through Microsoft Intune. Microsoft Edge (Chromium-based) can pass the device compliance claim if it is configured to use the device’s primary AAD token, while a third-party browser like Firefox or Chrome may not include that claim unless an extension is installed. Similarly, a policy that blocks access from unmanaged browsers will check the browser’s client ID and OS platform. If the browser is not recognized as a supported platform, the upload request is denied before the file transfer begins.

The upload itself uses the OneDrive web interface, which relies on the Office 365 Online cloud app in Conditional Access policies. When the policy blocks the session, the user sees a generic error message or the upload progress bar stalls at 0%. In some cases the browser shows a redirect loop or a blank page after selecting a file.

Steps to Diagnose and Fix Browser-Specific Upload Failures

Follow these steps in order. Test the upload after each step to identify the exact cause.

  1. Clear browser cache and cookies for the failing browser
    In the browser that fails, open settings and clear all cached data for the last hour or all time. Include cookies and site data. Close all browser windows and restart the browser. Navigate to the OneDrive web app and sign in again. Try uploading a small file (under 1 MB) to test.
  2. Test in a private or incognito window
    Open a new InPrivate window in Edge or an Incognito window in Chrome. Go to your OneDrive site and sign in. Upload a file. If the upload succeeds, the issue is related to stored session data in the normal browsing profile. Continue to Step 3 to isolate further.
  3. Check the browser version and update it
    Go to the browser’s About page. Ensure the browser is on the latest stable version. Outdated browsers may not support modern authentication requirements such as FIDO2 or token binding required by Conditional Access policies.
  4. Verify Conditional Access policy assignments in the Microsoft Entra admin center
    Sign in to the Microsoft Entra admin center as a Global Administrator or Conditional Access Administrator. Go to Protection > Conditional Access > Policies. Locate policies that target the Office 365 Online cloud app. Check the Conditions section, especially under Client apps. If the policy is set to require a compliant device, confirm that the failing browser is capable of passing the device compliance claim.
  5. Add the browser as an exception if appropriate
    If the organization allows it, create a Conditional Access policy exclusion for the specific browser client ID. For example, to exclude Firefox, add the client ID 1fec8e78-bce4-4aaf-ab1b-5451cc387264 to the policy’s excluded client applications. Test the upload again.
  6. Enable the Microsoft Edge browser for enterprise features
    If the failing browser is not Edge, consider using Microsoft Edge (Chromium), which supports Microsoft Entra ID device authentication out of the box. Edge can pass device compliance and location claims more reliably than other browsers. Install Edge if not present and test the upload.
  7. Check for browser extensions that block authentication
    Disable all extensions in the failing browser. Extensions that block cookies, scripts, or modify headers can interfere with the Conditional Access token flow. After disabling, restart the browser and test the upload.


If OneDrive Web Upload Still Fails After These Steps

The upload fails in all browsers

If the problem occurs in every browser, the Conditional Access policy may be blocking the Office 365 Online cloud app entirely for your user account or location. Contact your IT administrator to review the policy assignments. The policy may require multi-factor authentication that is not completing, or the user may be in a location that is not on the allowed list. Use the Microsoft Entra sign-in logs to see the exact error code for the failed sign-in.

The upload works in a private window but fails in a normal window

This indicates that a corrupted or stale cookie is causing the issue in the normal browsing session. Fully exit the browser and delete all cookies for the sharepoint.com and microsoftonline.com domains. Then sign in again. If the problem persists, the browser profile may have damaged storage. Create a new browser profile and test.

The upload works on a different network but not on the corporate network

The Conditional Access policy may include a location condition that blocks access from the corporate network’s IP range. This can happen if the network is not registered as a trusted location in Microsoft Entra ID. Ask your IT team to add the corporate public IP range as a named location. Alternatively, the policy may require a compliant device, which the browser cannot satisfy because the device is not enrolled in Intune.

Web Browser Support for Conditional Access: Comparison

| Item | Microsoft Edge (Chromium) | Google Chrome / Mozilla Firefox |
| --- | --- | --- |
| Device compliance claim | Passes device compliance via the Microsoft Entra ID brokered authentication | Requires Microsoft Intune extension or device enrollment to pass compliance |
| Token binding support | Supported natively | Not supported in standard builds |
| Authentication broker | Uses Windows integrated authentication broker | Uses browser-specific token storage |
| Conditional Access policy evaluation | Can satisfy compliant device and managed browser requirements | May be blocked when policy requires a managed browser |

When a Conditional Access policy requires a compliant device or a managed browser, Microsoft Edge is the recommended browser for OneDrive web uploads. Chrome and Firefox work in most scenarios but may fail when the policy demands device-level claims that those browsers cannot provide without additional configuration.

After following these steps, you should be able to upload files to OneDrive for Business in the previously failing browser. If the issue remains, review the Microsoft Entra sign-in logs with your IT administrator to identify the exact policy that is blocking the session. As an advanced tip, use the What If tool in the Conditional Access blade to simulate the sign-in from the failing browser and see which policies apply before making changes.
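The sign-in log review described above can be scripted against an exported log to find policies that fail in one browser and pass in another for the same user. The following Python is an added example, not from the original article; it uses field names from the Microsoft Graph signIn resource, and the records, user name and policy names are constructed for illustration.

```python
from collections import defaultdict

def rec(browser, compliant, error, policies):
    """Build one constructed record using field names from the Microsoft Graph signIn resource."""
    return {"userPrincipalName": "user@example.com",
            "status": {"errorCode": error},
            "deviceDetail": {"browser": browser, "isCompliant": compliant},
            "appliedConditionalAccessPolicies":
                [{"displayName": n, "result": r} for n, r in policies]}

# Constructed sample data; policy names are hypothetical, not from the page or a real tenant.
SAMPLE = [
    rec("Edge 124.0.0", True, 0, [("Require compliant device", "success"), ("Require MFA", "success")]),
    rec("Firefox 125.0", None, 53000, [("Require compliant device", "failure"), ("Require MFA", "success")]),
    rec("Firefox 125.0", None, 53000, [("Require compliant device", "failure"), ("Require MFA", "success")]),
    rec("Chrome 124.0.0", True, 0, [("Require compliant device", "success"), ("Require MFA", "notApplied")]),
]

def family(browser):
    """'Firefox 125.0' -> 'Firefox'; drops a trailing version token if present."""
    name, _, last = browser.rpartition(" ")
    return name if name and last[:1].isdigit() else browser

def browser_specific_blocks(records):
    """Return policies that fail in one browser but succeed in another for the same user."""
    seen = defaultdict(lambda: defaultdict(
        lambda: {"results": set(), "errors": set(), "compliant": set()}))
    for r in records:
        fam = family(r["deviceDetail"].get("browser") or "unknown")
        for p in r.get("appliedConditionalAccessPolicies", []):
            slot = seen[(r["userPrincipalName"], p["displayName"])][fam]
            slot["results"].add(p["result"])
            slot["compliant"].add(r["deviceDetail"].get("isCompliant"))
            if p["result"] == "failure":
                slot["errors"].add(r["status"]["errorCode"])
    findings = []
    for (user, policy), per in seen.items():
        fails = {b: s for b, s in per.items()
                 if "failure" in s["results"] and "success" not in s["results"]}
        passes = sorted(b for b, s in per.items() if "success" in s["results"])
        if fails and passes:
            findings.append({"user": user, "policy": policy, "passes_in": passes,
                             "fails_in": {b: {"error_codes": sorted(s["errors"]),
                                              "isCompliant_seen": sorted(s["compliant"], key=str)}
                                          for b, s in fails.items()}})
    return findings

if __name__ == "__main__":
    for finding in browser_specific_blocks(SAMPLE):
        print(finding)
```

A finding whose failing browser shows no `isCompliant` value while the passing browsers show `True` points at the device compliance claim rather than at cookies or extensions.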
