Starting late September 2024, Outlook for the web users may need to sign in again due to Google’s third-party cookie blocks in Chrome and Edge, following a migration to MSAL. A banner will prompt users to refresh their session, affecting those without device SSO.
What is happening?
Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google’s third-party cookie block that may be active in Chrome and Edge.
Google’s third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.
When will this happen?
Microsoft will begin rolling out in late September 2024 and expects to complete by late December 2024.
How will this affect users?
Before this migration: Outlook for the web users were not affected by the third-party cookie block in Chrome and Edge and were able to stay signed in unless they signed out or were signed out due to inactivity.
After Outlook for the web migrates to MSAL, Outlook for the web users without device SSO who are using Google Chrome or Microsoft Edge and who have third-party cookie blocking enabled will start seeing the following if Outlook for the web is not able to silently sign in the user with SSO:
- Outlook for the web will display a red banner below the ribbon and require users to sign in when a session is open for more than 24 hours.
- Windowed (deep linked) Mail items and Calendar events will display a blocking dialog requesting users to return to Outlook for the web to sign in when the deep-linked item token expires.
- Independent of Outlook for the web’s migration to MSAL, Outlook for the web may include embedded experiences such as apps that may stop functioning due to the third-party cookie block. If this happens, the app may provide an app-specific experience to refresh their token. Alternatively, the user may be able to right-click the app to launch the app in a browser or can choose to refresh the entire Outlook for the web session.
Sign-in error message in the red banner below the ribbon in Outlook for the web: “You need to sign in. Your session has expired. You may need to enable pop-ups in your browser for this site. Sign in to continue”.
What do you need to do to prepare?
- You can reset the BlockThirdPartyCookies setting in Chrome to avoid the block.