MC871011 – Microsoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge

Microsoft Exchange Logo

check before: 2024-09-30

Product:

Entra, Exchange, Microsoft 365 for the web, Microsoft Edge, Outlook, SharePoint

Platform:

Android, Developer, iOS, Mac, mobile, Online, US Instances, Web, World tenant

Status:

Change type:

New feature, User impact, Admin impact

Links:

MC711020

Details:

Summary:
Outlook for the web users may need to sign in again due to third-party cookie blocks in Chrome and Edge, following a migration to MSAL. A banner will prompt users to refresh their session, affecting those without device SSO. Rollout begins late September 2024, with no admin action required before then.

Details:
As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.
Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out late September 2024 and expect to complete by late December 2024.
General Availability (GCC, GCC High, DoD): We will begin rolling out late October 2024 and expect to complete by late December 2024.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2024-08-24

updated:
2024-08-24

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Sign-In Requirements
Users will be required to sign in again after 24 hours due to third-party cookie blocks, disrupting their workflow.
   - roles: End Users, IT Support
   - references: https://chromeenterprise.google/policies/BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview

Session Expiration Notifications
Users will see a red banner indicating their session has expired, which may cause confusion and frustration.
   - roles: End Users, Help Desk Staff
   - references: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct, https://github.com/AzureAD/microsoft-authentication-library-for-jsmicrosoft-authentication-library-for-javascript-msaljs

Embedded App Functionality
Embedded experiences within Outlook for the web may stop functioning, requiring users to refresh their session or relaunch the app.
   - roles: End Users, Application Developers
   - references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview, https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji

Increased IT Support Requests
The need for users to frequently sign in again may lead to an increase in support requests, straining IT resources.
   - roles: IT Support, System Administrators
   - references: https://chromeenterprise.google/policies/BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview

User Experience Disruption
Overall user experience will be negatively impacted due to unexpected sign-in prompts and session management issues.
   - roles: End Users, User Experience Designers
   - references: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct, https://github.com/AzureAD/microsoft-authentication-library-for-jsmicrosoft-authentication-library-for-javascript-msaljs

Configutation Options**

Reset BlockThirdPartyCookies Setting
Enterprise administrators can reset the BlockThirdPartyCookies setting in Chrome to avoid the cookie block issue.
   - technical instructions: 1. Open Chrome Enterprise policy settings. 2. Locate the BlockThirdPartyCookies setting. 3. Reset the setting to allow third-party cookies.
   - references: https://chromeenterprise.google/policies/BlockThirdPartyCookies

Enable SSO from Windows Devices
Enabling Single Sign-On (SSO) from Windows devices can help users avoid the sign-in prompt.
   - technical instructions: 1. Ensure that the device is joined to Azure AD. 2. Configure SSO settings in the Azure portal under 'Devices'.
   - references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resourcesOverview

Microsoft Single Sign-On Extension for Chrome
Adding the Microsoft Single Sign-On extension for Chrome can help users maintain their session without interruptions.
   - technical instructions: 1. Go to the Chrome Web Store. 2. Search for 'Microsoft Single Sign-On'. 3. Click 'Add to Chrome' to install the extension.
   - references: https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji

User Notification and Documentation Update
Notify users about the upcoming changes and update relevant documentation to prepare them for the new sign-in process.
   - technical instructions: 1. Draft a communication plan. 2. Create or update documentation regarding the new sign-in process. 3. Distribute the information to all users.
   - references: https://learn.microsoft.com/en-us/microsoft-365/admin/admin-overview/admin-overview?view=o365-worldwide

Monitor Authentication Rollout
Keep track of the authentication rollout to ensure users are not facing issues post-migration.
   - technical instructions: 1. Use Azure AD sign-in logs to monitor user sign-in activities. 2. Check for any errors or issues reported by users.
   - references: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Opportunities**

XXXXXXX ... free basic plan only

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

** AI generated content. This information is not reliable.

a free basic plan is required to see more details. Sign up here


A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.



Share to MS Teams

Login to your account

Welcome Back, We Missed You!