Announcement ID | MC871011 | Published Date | 08-23-2024 | |
Service | General | Last Updated | 10-09-2024 | |
Category | Plan for change | Expiration Date | 03-03-2025 | |
Roadmap ID | Action Required by Date | |||
Tags | Major update, Admin impact, New feature, User impact |
Summary |
---|
Outlook for the web's migration to MSAL may cause sign-in prompts due to third-party cookie blocks in Chrome and Edge. Users without device SSO might see a red banner or dialog box requesting re-authentication. Rollout begins late November 2024, with preparations advised for enterprise administrators. |
More Information |
---|
As communicated in MC711020 Outlook: Outlook for web new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge. Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android. When this will happen:General Availability (Worldwide): We will begin rolling out late November 2024 (previously late September) and expect to complete by late January 2025 (previously late December). General Availability (GCC, GCC High, DoD): We will begin rolling out late December 2024 (previously late October) and expect to complete by late February 2024 (previously late December). How this will affect your organization:Before this migration: Outlook for the web users were not affected by the third-party cookie block in Chrome and Edge and were able to stay signed in unless they signed out or were signed out due to inactivity. After Outlook for the web migrates to MSAL, Outlook for the web users without device SSO who are using Google Chrome or Microsoft Edge and who have third-party cookie blocking enabled will start seeing the following if Outlook for the web is not able to silently sign in the user with SSO:
Sign-in error message in red banner below the ribbon in Outlook for the web: "You need to sign in. Your session has expired. You may need to enable pop-ups in your browser for this site. Sign in to continue": Dialog box requesting users to sign in again: The authentication rollout will be on by default. What you need to do to prepare:
This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation. |