OneDrive Admin Checklist: web upload opens the wrong tenant for mobile workers

Mobile workers who click the Upload button on the OneDrive website are sometimes redirected to a different tenant login page instead of their own company tenant. This creates a security risk and prevents file uploads. The root cause is almost always a browser session conflict or a stale authentication cookie from a previous Microsoft 365 login. This article explains why the wrong tenant appears and provides a step-by-step checklist for admins to diagnose and resolve the issue.

Key Takeaways: Redirecting OneDrive Web Upload to the Correct Tenant

  • Clear browser cookies and cache: Eliminates stale authentication tokens that cause cross-tenant redirects.
  • Use the correct tenant-specific URL: Direct users to https://onedrive.live.com/?auth=2 or the tenant-specific SharePoint root to bypass generic sign-in.
  • Configure Conditional Access policies: Blocks sign-in from unauthorized tenants and forces reauthentication for sensitive upload actions.

Why OneDrive Web Upload Redirects to the Wrong Tenant

When a mobile worker opens OneDrive in a browser, the site uses cached authentication cookies from the most recent Microsoft 365 sign-in. If the user previously signed in to a personal Microsoft account or a different business tenant, the browser sends that existing cookie to the login endpoint. The Azure AD authentication service then matches the cookie to the previous tenant instead of prompting for credentials. This behavior is by design for single sign-on convenience, but it becomes a problem when users work across multiple organizations or accounts.

Three common scenarios cause this redirect:

Stale Browser Sessions

Mobile workers often use the same browser profile for personal and work accounts. When they visit onedrive.com, the browser automatically sends the stored authentication token. If that token belongs to a different tenant, the user sees the wrong tenant login page.

Shared or Public Computers

Workers who use hotel business centers, co-working spaces, or other shared devices may encounter a previous user's cached credentials. The browser shows the wrong tenant because the cookie belongs to a different organization.

Incorrect Bookmark or Shortcut

Some users bookmark the generic onedrive.com URL. That URL does not include a tenant hint. Without a hint, Azure AD defaults to the last logged-in identity. The tenant-specific URL format avoids this ambiguity.

Admin Checklist: Steps to Fix the Wrong Tenant Redirect

Follow this checklist in order. Each step resolves a specific cause of the redirect problem.

Step 1: Instruct Users to Clear Browser Cookies and Cache

  1. Open browser settings
    In Chrome, click the three-dot menu > Settings > Privacy and security > Clear browsing data. In Edge, click the three-dot menu > Settings > Privacy, search, and services > Clear browsing data.
  2. Select time range and data types
    Choose All time from the time range drop-down. Check Cookies and other site data and Cached images and files. Do not check Passwords or Autofill form data unless you want to remove saved credentials.
  3. Clear the data
    Click Clear data. Close and reopen the browser before navigating to OneDrive.
  4. Test the upload
    Go to https://onedrive.live.com/?auth=2 and sign in with the correct work account. Click Upload and verify the target tenant.

Step 2: Use the Tenant-Specific OneDrive URL

  1. Find your tenant ID
    Sign in to the Microsoft 365 admin center at https://admin.microsoft.com. Go to Settings > Org settings > Organization profile. Copy the Tenant ID shown under the organization name.
  2. Construct the tenant-specific URL
    Use the format https://YourTenantName-my.sharepoint.com. Replace YourTenantName with your tenant prefix. For example, if your tenant is contoso.onmicrosoft.com, the URL is https://contoso-my.sharepoint.com.
  3. Distribute the URL to mobile workers
    Send the URL in an email or update your company intranet bookmark. Instruct users to always start from this URL instead of onedrive.com.

Step 3: Configure Conditional Access to Require Reauthentication

  1. Open Azure AD Conditional Access
    Sign in to the Azure portal at https://portal.azure.com. Go to Azure Active Directory > Security > Conditional Access.
  2. Create a new policy
    Click New policy. Name it OneDrive Upload Reauthentication.
  3. Assign users and cloud apps
    Under Users, select All users or a specific group of mobile workers. Under Cloud apps or actions, select Office 365 SharePoint Online.
  4. Configure conditions for session risk
    Under Conditions, select Sign-in risk and set the risk level to Medium and above. Under Client apps, select Browser.
  5. Set access controls
    Under Grant, select Require multifactor authentication and Require reauthentication every 60 minutes. Click Select.
  6. Enable the policy
    Set Enable policy to Report-only first. Test with a mobile worker. After verifying, change to On.
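
The Step 3 policy expressed as a Microsoft Graph PowerShell call, as an added example that is not part of the original checklist. In the Graph schema the 60-minute reauthentication is a sign-in frequency session control rather than a grant control. The group object ID is a placeholder, and the Microsoft.Graph.Identity.SignIns module is assumed to be installed.

```powershell
# Added example: create the Step 3 policy in report-only mode via Microsoft Graph.
# Assumes the Microsoft.Graph.Identity.SignIns module and an admin who can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the mobile-workers group (not a value from the article).
$mobileWorkersGroupId = '<object-id-of-mobile-workers-group>'

$policy = @{
    displayName = 'OneDrive Upload Reauthentication'
    # Report-only first; switch to 'enabled' after testing with a mobile worker.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($mobileWorkersGroupId) }
        applications = @{
            # Well-known application ID of Office 365 SharePoint Online.
            includeApplications = @('00000003-0000-0ff1-ce00-000000000000')
        }
        clientAppTypes   = @('browser')
        # "Medium and above". Sign-in risk conditions require a P2 license.
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Reauthentication every 60 minutes is modelled as sign-in frequency.
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```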

Step 4: Block Unauthorized Tenant Sign-Ins with External Identities

  1. Open External Identities settings
    In the Azure portal, go to Azure Active Directory > External Identities > External collaboration settings.
  2. Restrict guest invite permissions
    Set Guest invite restrictions to Only users assigned to specific admin roles can invite guests. This prevents users from accidentally adding external accounts.
  3. Enable cross-tenant access settings
    Go to Cross-tenant access settings. Add the tenants you want to allow. For all other tenants, set Inbound access to Block access. This stops the browser from redirecting to untrusted tenants.

Step 5: Deploy Browser Profiles for Work-Only Sessions

  1. Create a work-only browser profile
    In Chrome or Edge, create a new browser profile named Work. Do not sign in to any personal accounts in this profile.
  2. Set the profile as default for work links
    Configure the browser to open all work-related links in the Work profile. In Edge, use the Work profile for the OneDrive URL and set it as the default for SharePoint links.
  3. Communicate the profile requirement
    Send instructions to mobile workers explaining that they must use the Work profile when accessing OneDrive. Include a screenshot of the profile switcher.

If OneDrive Still Opens the Wrong Tenant After the Main Fix

OneDrive Shows a Generic Login Page Instead of the Company Login

If the user sees a Microsoft account login page instead of the company Azure AD login, the browser likely has a stale Microsoft account cookie. Clear all cookies for login.live.com and login.microsoftonline.com. Then restart the browser and navigate to the tenant-specific URL again.

Upload Fails with a Permission Denied Error

Even after the correct tenant loads, the upload button may be grayed out or show an error. This usually happens because the user is not a member of the SharePoint site collection. Verify the user's license in the Microsoft 365 admin center. Go to Users > Active users, select the user, and confirm that the OneDrive license is assigned. Also check that the user has at least Read permissions on the target document library.

Mobile Worker Reports the Issue on Multiple Devices

If the same user experiences the wrong tenant redirect on a phone, tablet, and laptop, the problem is likely a cached credential in the Microsoft Authenticator app or in the Windows credential manager. Have the user remove the work account from the Authenticator app and re-add it. On Windows, open Credential Manager, go to Windows Credentials, and remove any entries under Generic Credentials that contain MicrosoftOffice or MicrosoftAccount. Restart the device and sign in again.
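
The Credential Manager cleanup described above can be scripted with the built-in cmdkey tool. This is an added example, not part of the original article; the function names are hypothetical, the sample output is constructed, and the parser assumes English-language cmdkey output.

```powershell
# Added example: find and optionally remove cached Office / Microsoft account entries.
# Assumes English cmdkey output (the "Target:" and "Type:" labels are localized).
function Get-StaleOfficeCredential {
    param([string[]]$CmdkeyOutput = (cmdkey /list))
    $target = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
        }
        elseif ($line -match '^\s*Type:\s*(.+?)\s*$' -and $target) {
            # Keep only Generic Credentials whose name contains the two strings named above.
            if ($Matches[1] -like 'Generic*' -and $target -match 'MicrosoftOffice|MicrosoftAccount') {
                $target
            }
            $target = $null
        }
    }
}

function Remove-StaleOfficeCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Target = (Get-StaleOfficeCredential))
    foreach ($t in $Target) {
        # -WhatIf prints the entries that would be deleted without touching them.
        if ($PSCmdlet.ShouldProcess($t, 'cmdkey /delete')) {
            cmdkey "/delete:$t" | Out-Null
        }
    }
}

# Constructed sample of `cmdkey /list` output so the parser can be checked offline.
$sample = @(
    'Currently stored credentials:', '',
    '    Target: LegacyGeneric:target=MicrosoftOffice16_Data:SSPI:worker@contoso.com',
    '    Type: Generic',
    '    User: worker@contoso.com', '',
    '    Target: Domain:target=fileserver01',
    '    Type: Domain Password',
    '    User: CONTOSO\worker'
)
Get-StaleOfficeCredential -CmdkeyOutput $sample

# On the affected device, preview first, then remove:
# Remove-StaleOfficeCredential -WhatIf
# Remove-StaleOfficeCredential
```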

OneDrive Web Upload vs OneDrive Desktop Sync: Key Differences for Tenant Handling

| Item | OneDrive Web Upload | OneDrive Desktop Sync |
| --- | --- | --- |
| Authentication method | Browser cookies and Azure AD session tokens | Windows credential manager and device-based tokens |
| Tenant detection | Based on cached browser cookies and URL hint | Based on the primary work account configured in Windows |
| Impact of stale credentials | Redirects to wrong tenant login page | Shows sync error or account switch prompt |
| Admin control | Conditional Access policies and URL distribution | Group Policy, MDM policies, and tenant allowlist |
| Best for mobile workers | No software install required, but requires browser discipline | Requires OneDrive sync app installation and Windows sign-in |

Mobile workers who frequently switch between tenants should use the desktop sync app when possible. The sync app ties to the Windows primary account and does not rely on browser cookies. For occasional access on public or shared devices, the tenant-specific URL combined with a Conditional Access policy that forces reauthentication is the most reliable method.

After completing this checklist, mobile workers should be able to upload files to the correct OneDrive tenant without seeing a redirect. Start with clearing cookies and distributing the tenant-specific URL. If the problem persists, enforce Conditional Access policies that require reauthentication and block untrusted tenants. For consistent results on shared devices, deploy a dedicated work browser profile and instruct users to always sign out after each session.
