The Problem
Microsoft is moving OneDrive web experiences from the old tenant-specific OneDrive URL pattern to the unified onedrive.cloud.microsoft domain.
The message center notice shared by M365 Admin says rollout starts in early July 2026 and is expected to complete by late June 2027. Existing OneDrive links continue to work, and the old and new domains will exist side by side.
That sounds simple. But this is exactly the kind of change where the Microsoft service is fine and the local admin controls create the error.
If a tenant has URL-based allowlists, proxy rules, browser controls, Conditional Access App Control, or custom tools that assume contoso-my.sharepoint.com, users may see sign-in loops, blocked pages, broken previews, or confusing helpdesk tickets when the browser starts showing onedrive.cloud.microsoft.
Environment
This post is written for Microsoft 365 admins managing OneDrive, Entra ID, Microsoft Intune, Defender for Cloud Apps, network filtering, and browser policies.
The important distinction is this:
| Area | Expected behavior |
|---|---|
| User-facing OneDrive web URL | Users may start seeing onedrive.cloud.microsoft |
| Existing links and bookmarks | Continue to work |
| SharePoint storage URL | Still uses the SharePoint/OneDrive backing URL pattern |
| Microsoft Graph and official APIs | No URL-pattern change expected |
| Custom tools parsing browser URLs | Need review |
What I Checked First
I would not start by changing every policy. I would first search for anything that explicitly references the old OneDrive host pattern.
Examples:
- *-my.sharepoint.com
- contoso-my.sharepoint.com
- sharepoint.com/personal/
- hardcoded OneDrive browser URLs in scripts, apps, documentation, or proxy rules
The risk is not that OneDrive storage stops working. The risk is that a security or network control written around the old browser URL blocks the new trusted Microsoft domain.
Policies That Can Conflict
These are the controls I would review before rollout reaches users.
| Control area | What can break | What to check |
|---|---|---|
| Firewall, proxy, DNS filtering, SSL inspection | onedrive.cloud.microsoft is blocked or inspected differently | Allow *.cloud.microsoft where Microsoft 365 traffic is allowed |
| Microsoft Edge URL allow/block lists from Intune | Browser blocks the new URL even though the service is valid | Check URLAllowlist, URLBlocklist, and any managed extension rules |
| Defender for Cloud Apps / Conditional Access App Control | Session control, reverse proxy, or app recognition behaves differently | Test OneDrive browser access with the new domain and existing session policies |
| Tenant Restrictions v2 | Cross-tenant or proxy-header rules do not account for the new cloud domain | Confirm TRv2 proxy/header path does not block cloud.microsoft endpoints |
| Defender for Endpoint web content filtering / indicators | Custom URL indicators block or fail to classify the new domain | Search custom indicators and category exceptions |
| Purview DLP / Endpoint DLP browser restrictions | Upload/download controls depend on allowed service domains or browser context | Test sensitive file upload, download, and external sharing flows |
| Third-party CASB, SWG, or secure browser tools | Tool recognizes SharePoint URL but not onedrive.cloud.microsoft | Confirm Microsoft 365 app definitions are updated |
| Custom scripts and internal portals | Code parses the browser URL to find user/site/path | Move to Microsoft Graph or supported APIs instead of URL parsing |
| Helpdesk documentation and phishing training | Users distrust the new URL | Update user-facing guidance before rollout |
The Fix
My preferred approach is a small readiness check, not a big policy rewrite.
- Inventory references to old OneDrive URL patterns in Intune, proxy, firewall, CASB, DLP, browser policies, and internal documentation.
- Allow the new Microsoft cloud domain where Microsoft 365 web traffic is already allowed. Microsoft specifically calls out *.cloud.microsoft in the admin recommendation.
- Avoid parsing browser URLs in automation. If a script or app needs OneDrive data, use Microsoft Graph or a supported API.
- Pilot with test users before changing tenant-wide controls.
- Test common workflows:
  - open OneDrive in browser
  - open a shared link
  - access a file from another geo, if applicable
  - upload and download a sensitive file if DLP is used
  - access OneDrive through managed Edge
  - access OneDrive through the corporate proxy/VPN path
- Update helpdesk notes so users are not told the new URL is suspicious.
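A small readiness scan for the inventory and allow steps above, as an added example that is not from the original post or from Microsoft. The file names and contents are constructed samples, and the glob-style host matching is an assumption: proxies and Edge URL policies each have their own matching syntax, so adapt `covers_new_host` to the product being checked.

```python
import fnmatch
import re

# Old OneDrive browser URL patterns named in the post.
OLD_URL_PATTERNS = {
    "tenant -my host": re.compile(r"[\w*-]+-my\.sharepoint\.com", re.I),
    "personal site path": re.compile(r"sharepoint\.com/personal/", re.I),
}
NEW_HOST = "onedrive.cloud.microsoft"


def find_old_references(source, text):
    """Return (source, line_no, label, match) for each old-pattern hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in OLD_URL_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((source, line_no, label, m.group(0)))
    return hits


def covers_new_host(allow_entries):
    """True if any wildcard allowlist entry matches the new OneDrive host."""
    # Assumption: entries are glob-style host patterns such as *.cloud.microsoft.
    return any(fnmatch.fnmatch(NEW_HOST, e.strip().lower()) for e in allow_entries)


# Constructed sample exports (hypothetical file names and contents).
SAMPLES = {
    "proxy-allow.txt": "*.sharepoint.com\ncontoso-my.sharepoint.com\n*.office.com\n",
    "sync-report.ps1": '$u = "https://contoso-my.sharepoint.com/personal/a_contoso_com"\n',
    "edge-allow.txt": "*.sharepoint.com\n*.cloud.microsoft\n",
}


def readiness_report(samples):
    """Collect old-URL references, plus allowlists that miss the new host."""
    refs, gaps = [], []
    for name, text in samples.items():
        refs.extend(find_old_references(name, text))
        if name.endswith("-allow.txt") and not covers_new_host(text.split()):
            gaps.append(name)
    return refs, gaps


if __name__ == "__main__":
    refs, gaps = readiness_report(SAMPLES)
    print("old URL references:", *refs, sep="\n  ")
    print("allowlists missing", NEW_HOST + ":", gaps)
```

A hit in a script is a prompt to move that code to Microsoft Graph; a hit in an allowlist is only a problem when the same list has no entry covering the new host.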
Practical Validation Checklist
Use this as a simple admin checklist.
- onedrive.cloud.microsoft opens from a managed device.
- Existing *-my.sharepoint.com links still open.
- Proxy/firewall logs do not show blocks for cloud.microsoft.
- Edge Intune URL policies do not block cloud.microsoft.
- Defender for Cloud Apps session policies still apply as expected.
- Tenant Restrictions v2 behavior is tested, if used.
- DLP and sharing flows still behave correctly.
- Helpdesk and user guidance mention cloud.microsoft as a trusted Microsoft domain.
- Any custom OneDrive tooling uses Microsoft Graph or supported APIs, not browser URL parsing.
What Changed
The change is mostly visual for users and architectural for Microsoft. For admins, the work is governance cleanup.
The safest message to users is simple:
OneDrive may show a new Microsoft domain: onedrive.cloud.microsoft. Existing links still work. Do not approve sign-ins or downloads from lookalike domains, but this exact Microsoft domain is expected.
What to Watch Out For
The most likely failures are not from OneDrive itself. They come from controls that were written too narrowly.
Watch especially for:
- explicit allowlists containing only sharepoint.com
- browser URL policies in Microsoft Intune
- proxy rules that treat cloud.microsoft as unknown
- Defender for Cloud Apps policies scoped by URL pattern instead of app/session behavior
- DLP or secure browser tools that need updated Microsoft 365 app definitions
- internal tools that split OneDrive URLs to extract user or site information
If something breaks, check network/security policy logs before assuming a OneDrive outage.
Related Links
- M365 Admin message summary: https://m365admin.handsontek.net/onedrive-transitions-cloud-microsoft-domain/
- Microsoft Learn: cloud.microsoft domain: https://learn.microsoft.com/en-us/microsoft-365/enterprise/cloud-microsoft-domain?view=o365-worldwide
- Microsoft 365 URLs and IP address ranges: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
- Microsoft Learn: Tenant Restrictions v2: https://learn.microsoft.com/en-us/entra/external-id/tenant-restrictions-v2