MC1150662: Action Required – Configure Browser Policy to Preserve OneDrive and SharePoint Web Performance and Offline Capability
Chromium browsers will restrict local network access, prompting users for permission when accessing OneDrive, SharePoint, and Microsoft Lists. Without configuring the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, users will face slower performance and loss of offline c...
Introduction]
Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and Share Point will not be available. This communication provides required administrator actions to prevent loss of functionality.
[When this will happen:
Chrome and Edge will roll out this privacy related change as part of Chromium 141 at the end of September.
How this will affect your organization:
- Who is affected:- All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
- Admins managing browser policies for Windows, macOS, and VDI environments.
- Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
- If users do not click Allow, the following results occur on that device:- Performance acceleration will not be available (loss of faster data access behavior).
- Offline functionality in OneDrive Web will not be available.
 
- The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.
- Identify Required Domains- Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
- Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
 
- Configure Browser Policy- Set the Chromium policy LocalNetworkAccessAllowedForUrls(Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
- Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
- Roll out to all managed device groups (Windows, macOS, VDI as applicable).
- Even if the following policies are currently enabled by policy, deploy the allow-list to prevent future prompts and avoid user confusion.- DisableNucleusSync
- DisableOfflineMode
 
 
- Set the Chromium policy 
- Remediation for Users Who Already Clicked Block- Deploying the managed LocalNetworkAccessAllowedForUrlspolicy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
- If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.
 
- Deploying the managed 
 
What will happen:If no action is taken:When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints and existing performance, and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.
What you need to do to prepare:
[Compliance considerations:]
| Compliance Area | Explanation | 
|---|---|
| Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data. | 
| Includes admin control | Admins can configure the  | 
| Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID. | 
| Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced. | 
