MC871011 – (Updated) Microsoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge

Microsoft Exchange Logo

check before: 2024-09-30

Product:

Entra, Exchange, Microsoft 365 for the web, Microsoft Edge, Outlook, SharePoint

Platform:

Android, Developer, iOS, Mac, mobile, Online, US Instances, Web, World tenant

Status:

Rolling out

Change type:

Admin impact, New feature, Updated message, User impact

Links:

MC711020

Details:

Summary:
Outlook for the web's migration to MSAL may cause sign-in prompts due to third-party cookie blocks in Chrome and Edge. Users without device SSO might see a red banner or dialog box requesting re-authentication. Rollout begins late November 2024, with preparations advised for enterprise administrators.

Details:
Updated October 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.

Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out late November 2024 (previously late September) and expect to complete by late January 2025 (previously late December).
General Availability (GCC, GCC High, DoD): We will begin rolling out late December 2024 (previously late October) and expect to complete by late February 2024 (previously late December).

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2024-08-24

updated:
2025-01-15

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Sign-in Issues
Users without device SSO will be prompted to sign in again due to third-party cookie blocks, leading to interruptions in their workflow.
   - roles: End Users, IT Support
   - references: https://chromeenterprise.google/policies/#BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview

Session Expiration Notifications
Users will see a red banner indicating their session has expired, which may cause confusion and frustration.
   - roles: End Users, Help Desk Staff
   - references: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct, https://github.com/AzureAD/microsoft-authentication-library-for-js#microsoft-authentication-library-for-javascript-msaljs

Embedded App Functionality
Embedded experiences within Outlook for the web may stop functioning due to cookie blocks, impacting user productivity.
   - roles: End Users, Application Developers
   - references: https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview

Increased Support Tickets
The need for users to re-authenticate may lead to an increase in support tickets, straining IT resources.
   - roles: IT Support, System Administrators
   - references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview, https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct " target="_blank" rel="nofollow noopener noreferrer">https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

User Documentation Updates
Existing user documentation may require updates to reflect the new sign-in process and troubleshooting steps.
   - roles: Technical Writers, IT Support
   - references: https://chromeenterprise.google/policies/#BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Implement Microsoft Single Sign-On (SSO) Extension for Chrome
By enabling the Microsoft Single Sign-On extension for Chrome, organizations can mitigate the impact of third-party cookie blocking, allowing users to maintain their sessions in Outlook for the web without repeated sign-in prompts. This enhances user experience significantly, especially for those who frequently use Outlook for web on Chrome.
   - next-steps: Evaluate the deployment of the Microsoft SSO extension across the organization, ensuring that users are informed and supported during the transition. Provide training and resources to assist users in setting up the extension.
   - roles: IT Administrators, End Users, Help Desk Support
   - references: https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji

Enhance User Training and Documentation
As the migration to MSAL will introduce new sign-in prompts and session management behaviors, it is crucial to enhance user training and update documentation. This will prepare users for the changes and reduce frustration related to the new sign-in process, improving overall user satisfaction.
   - next-steps: Create updated training materials and documentation that explain the new sign-in process, potential issues, and troubleshooting steps. Schedule training sessions and distribute the materials widely within the organization.
   - roles: Training Coordinators, IT Administrators, End Users
   - references: https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-training?view=o365-worldwide

Enable Device SSO for Windows Users
Enabling Device SSO for Windows users will allow them to sign in to Outlook for the web seamlessly without being affected by the third-party cookie block. This will significantly reduce the number of sign-in prompts for users with SSO-capable devices, thus improving productivity and user experience.
   - next-steps: Assess the current SSO implementation across the organization and identify devices that are not currently using SSO. Work on enabling SSO for those devices and communicate the benefits to users.
   - roles: IT Administrators, Security Officers, End Users
   - references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only

** AI generated content. This information must be reviewed before use.

a free basic plan is required to see more details. Sign up here


A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.



change history

DatePropertyoldnew
2024-10-10MC MessagesAs communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.
Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out late September 2024 and expect to complete by late December 2024.
General Availability (GCC, GCC High, DoD): We will begin rolling out late October 2024 and expect to complete by late December 2024.
Updated October 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.

Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out late November 2024 (previously late September) and expect to complete by late January 2025 (previously late December).
General Availability (GCC, GCC High, DoD): We will begin rolling out late December 2024 (previously late October) and expect to complete by late February 2024 (previously late December).
2024-10-10MC TitleMicrosoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge(Updated) Microsoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge
2024-10-10MC Last Updated08/24/2024 01:38:212024-10-10T00:53:42Z
2024-10-10MC MessageTagNamesNew feature, User impact, Admin impactUpdated message, New feature, User impact, Admin impact
2024-10-10MC SummaryOutlook for the web users may need to sign in again due to third-party cookie blocks in Chrome and Edge, following a migration to MSAL. A banner will prompt users to refresh their session, affecting those without device SSO. Rollout begins late September 2024, with no admin action required before then.Outlook for the web's migration to MSAL may cause sign-in prompts due to third-party cookie blocks in Chrome and Edge. Users without device SSO might see a red banner or dialog box requesting re-authentication. Rollout begins late November 2024, with preparations advised for enterprise administrators.

Last updated 4 weeks ago

Share to MS Teams

Login to your account

Welcome Back, We Missed You!