check before: 2024-09-30
Product:
Entra, Exchange, Microsoft 365 for the web, Microsoft Edge, Outlook, SharePoint
Platform:
Android, Developer, iOS, Mac, mobile, Online, US Instances, Web, World tenant
Status:
Rolling out
Change type:
Admin impact, New feature, Updated message, User impact
Links:

Details:
Summary:
Outlook for the web's migration to MSAL may cause sign-in prompts due to third-party cookie blocks in Chrome and Edge. Users without device SSO might see a red banner or dialog box requesting re-authentication. Rollout begins late November 2024, with preparations advised for enterprise administrators.
Details:
Updated October 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.
Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out late November 2024 (previously late September) and expect to complete by late January 2025 (previously late December).
General Availability (GCC, GCC High, DoD): We will begin rolling out late December 2024 (previously late October) and expect to complete by late February 2024 (previously late December).
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2024-08-24
updated:
2025-01-15
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
linked item details
XXXXXXX ... free basic plan only
Pictures
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
User Sign-in Issues
Users without device SSO will be prompted to sign in again due to third-party cookie blocks, leading to interruptions in their workflow.
- roles: End Users, IT Support
- references: https://chromeenterprise.google/policies/#BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview
Session Expiration Notifications
Users will see a red banner indicating their session has expired, which may cause confusion and frustration.
- roles: End Users, Help Desk Staff
- references: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct, https://github.com/AzureAD/microsoft-authentication-library-for-js#microsoft-authentication-library-for-javascript-msaljs
Embedded App Functionality
Embedded experiences within Outlook for the web may stop functioning due to cookie blocks, impacting user productivity.
- roles: End Users, Application Developers
- references: https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview
Increased Support Tickets
The need for users to re-authenticate may lead to an increase in support tickets, straining IT resources.
- roles: IT Support, System Administrators
- references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview, https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct
" target="_blank" rel="nofollow noopener noreferrer">https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct
User Documentation Updates
Existing user documentation may require updates to reflect the new sign-in process and troubleshooting steps.
- roles: Technical Writers, IT Support
- references: https://chromeenterprise.google/policies/#BlockThirdPartyCookies, https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
Implement Microsoft Single Sign-On (SSO) Extension for Chrome
By enabling the Microsoft Single Sign-On extension for Chrome, organizations can mitigate the impact of third-party cookie blocking, allowing users to maintain their sessions in Outlook for the web without repeated sign-in prompts. This enhances user experience significantly, especially for those who frequently use Outlook for web on Chrome.
- next-steps: Evaluate the deployment of the Microsoft SSO extension across the organization, ensuring that users are informed and supported during the transition. Provide training and resources to assist users in setting up the extension.
- roles: IT Administrators, End Users, Help Desk Support
- references: https://chromewebstore.google.com/detail/ppnbnpeolgkicgegkbkbjmhlideopiji
Enhance User Training and Documentation
As the migration to MSAL will introduce new sign-in prompts and session management behaviors, it is crucial to enhance user training and update documentation. This will prepare users for the changes and reduce frustration related to the new sign-in process, improving overall user satisfaction.
- next-steps: Create updated training materials and documentation that explain the new sign-in process, potential issues, and troubleshooting steps. Schedule training sessions and distribute the materials widely within the organization.
- roles: Training Coordinators, IT Administrators, End Users
- references: https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-training?view=o365-worldwide
Enable Device SSO for Windows Users
Enabling Device SSO for Windows users will allow them to sign in to Outlook for the web seamlessly without being affected by the third-party cookie block. This will significantly reduce the number of sign-in prompts for users with SSO-capable devices, thus improving productivity and user experience.
- next-steps: Assess the current SSO implementation across the organization and identify devices that are not currently using SSO. Work on enabling SSO for those devices and communicate the benefits to users.
- roles: IT Administrators, Security Officers, End Users
- references: https://learn.microsoft.com/entra/identity/devices/device-sso-to-on-premises-resources#Overview
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.

change history
Date | Property | old | new |
2024-10-10 | MC Messages | As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge.
Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android. [When this will happen:] General Availability (Worldwide): We will begin rolling out late September 2024 and expect to complete by late December 2024. General Availability (GCC, GCC High, DoD): We will begin rolling out late October 2024 and expect to complete by late December 2024. | Updated October 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
As communicated in MC711020 Outlook: Outlook for web - new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google's third-party cookie block that may be active in Chrome and Edge. Google's third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android. [When this will happen:] General Availability (Worldwide): We will begin rolling out late November 2024 (previously late September) and expect to complete by late January 2025 (previously late December). General Availability (GCC, GCC High, DoD): We will begin rolling out late December 2024 (previously late October) and expect to complete by late February 2024 (previously late December). |
2024-10-10 | MC Title | Microsoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge | (Updated) Microsoft Outlook for the web: Third-party cookie block causes users to sign in again on Chrome and Edge |
2024-10-10 | MC Last Updated | 08/24/2024 01:38:21 | 2024-10-10T00:53:42Z |
2024-10-10 | MC MessageTagNames | New feature, User impact, Admin impact | Updated message, New feature, User impact, Admin impact |
2024-10-10 | MC Summary | Outlook for the web users may need to sign in again due to third-party cookie blocks in Chrome and Edge, following a migration to MSAL. A banner will prompt users to refresh their session, affecting those without device SSO. Rollout begins late September 2024, with no admin action required before then. | Outlook for the web's migration to MSAL may cause sign-in prompts due to third-party cookie blocks in Chrome and Edge. Users without device SSO might see a red banner or dialog box requesting re-authentication. Rollout begins late November 2024, with preparations advised for enterprise administrators. |
Last updated 4 weeks ago