Onedrive on Eriteach | Microsoft Cloud Techhttps://blog.eriteach.com/en/tags/onedrive/Recent content in Onedrive on Eriteach | Microsoft Cloud TechHugo -- 0.155.1en2024-2026 Robel Mehari. All rights reserved.Sat, 20 Jun 2026 23:30:07 +0200OneDrive Moving to onedrive.cloud.microsoft: What Admins Should Check Firsthttps://blog.eriteach.com/en/posts/onedrive-cloud-microsoft-domain/Wed, 17 Jun 2026 00:00:00 +0000https://blog.eriteach.com/en/posts/onedrive-cloud-microsoft-domain/OneDrive moves to onedrive.cloud.microsoft from July 2026. Review allowlists, Tenant Restrictions, proxy rules, and URL-based policies before users see errors.The Problem

Microsoft is moving OneDrive web experiences from the old tenant-specific OneDrive URL pattern to the unified onedrive.cloud.microsoft domain.

The message center notice shared by M365 Admin says rollout starts in early July 2026 and is expected to complete by late June 2027. Existing OneDrive links continue to work, and the old and new domains will exist side by side.

That sounds simple. But this is exactly the kind of change where the Microsoft service is fine and the local admin controls create the error.

If a tenant has URL-based allowlists, proxy rules, browser controls, Conditional Access App Control, or custom tools that assume contoso-my.sharepoint.com, users may see sign-in loops, blocked pages, broken previews, or confusing helpdesk tickets when the browser starts showing onedrive.cloud.microsoft.

Environment

This post is written for Microsoft 365 admins managing OneDrive, Entra ID, Microsoft Intune, Defender for Cloud Apps, network filtering, and browser policies.

The important distinction is this:

Area Expected behavior
User-facing OneDrive web URL Users may start seeing onedrive.cloud.microsoft
Existing links and bookmarks Continue to work
SharePoint storage URL Still uses the SharePoint/OneDrive backing URL pattern
Microsoft Graph and official APIs No URL-pattern change expected
Custom tools parsing browser URLs Need review

What I Checked First

I would not start by changing every policy. I would first search for anything that explicitly references the old OneDrive host pattern.

Examples:

  • *-my.sharepoint.com
  • contoso-my.sharepoint.com
  • sharepoint.com/personal/
  • hardcoded OneDrive browser URLs in scripts, apps, documentation, or proxy rules

The risk is not that OneDrive storage stops working. The risk is that a security or network control written around the old browser URL blocks the new trusted Microsoft domain.

Policies That Can Conflict

These are the controls I would review before rollout reaches users.

Control area What can break What to check
Firewall, proxy, DNS filtering, SSL inspection onedrive.cloud.microsoft is blocked or inspected differently Allow *.cloud.microsoft where Microsoft 365 traffic is allowed
Microsoft Edge URL allow/block lists from Intune Browser blocks the new URL even though the service is valid Check URLAllowlist, URLBlocklist, and any managed extension rules
Defender for Cloud Apps / Conditional Access App Control Session control, reverse proxy, or app recognition behaves differently Test OneDrive browser access with the new domain and existing session policies
Tenant Restrictions v2 Cross-tenant or proxy-header rules do not account for the new cloud domain Confirm TRv2 proxy/header path does not block cloud.microsoft endpoints
Defender for Endpoint web content filtering / indicators Custom URL indicators block or fail to classify the new domain Search custom indicators and category exceptions
Purview DLP / Endpoint DLP browser restrictions Upload/download controls depend on allowed service domains or browser context Test sensitive file upload, download, and external sharing flows
Third-party CASB, SWG, or secure browser tools Tool recognizes SharePoint URL but not onedrive.cloud.microsoft Confirm Microsoft 365 app definitions are updated
Custom scripts and internal portals Code parses the browser URL to find user/site/path Move to Microsoft Graph or supported APIs instead of URL parsing
Helpdesk documentation and phishing training Users distrust the new URL Update user-facing guidance before rollout

The Fix

My preferred approach is a small readiness check, not a big policy rewrite.

  1. Inventory references to old OneDrive URL patterns in Intune, proxy, firewall, CASB, DLP, browser policies, and internal documentation.
  2. Allow the new Microsoft cloud domain where Microsoft 365 web traffic is already allowed. Microsoft specifically calls out *.cloud.microsoft in the admin recommendation.
  3. Avoid parsing browser URLs in automation. If a script or app needs OneDrive data, use Microsoft Graph or a supported API.
  4. Pilot with test users before changing tenant-wide controls.
  5. Test common workflows:
    • open OneDrive in browser
    • open a shared link
    • access a file from another geo, if applicable
    • upload and download a sensitive file if DLP is used
    • access OneDrive through managed Edge
    • access OneDrive through the corporate proxy/VPN path
  6. Update helpdesk notes so users are not told the new URL is suspicious.

Practical Validation Checklist

Use this as a simple admin checklist.

  • onedrive.cloud.microsoft opens from a managed device.
  • Existing *-my.sharepoint.com links still open.
  • Proxy/firewall logs do not show blocks for cloud.microsoft.
  • Edge Intune URL policies do not block cloud.microsoft.
  • Defender for Cloud Apps session policies still apply as expected.
  • Tenant Restrictions v2 behavior is tested, if used.
  • DLP and sharing flows still behave correctly.
  • Helpdesk and user guidance mention cloud.microsoft as a trusted Microsoft domain.
  • Any custom OneDrive tooling uses Microsoft Graph or supported APIs, not browser URL parsing.

What Changed

The change is mostly visual for users and architectural for Microsoft. For admins, the work is governance cleanup.

The safest message to users is simple:

OneDrive may show a new Microsoft domain: onedrive.cloud.microsoft. Existing links still work. Do not approve sign-ins or downloads from lookalike domains, but this exact Microsoft domain is expected.

What to Watch Out For

The most likely failures are not from OneDrive itself. They come from controls that were written too narrowly.

Watch especially for:

  • explicit allowlists containing only sharepoint.com
  • browser URL policies in Microsoft Intune
  • proxy rules that treat cloud.microsoft as unknown
  • Defender for Cloud Apps policies scoped by URL pattern instead of app/session behavior
  • DLP or secure browser tools that need updated Microsoft 365 app definitions
  • internal tools that split OneDrive URLs to extract user or site information

If something breaks, check network/security policy logs before assuming a OneDrive outage.

]]>