
Unable to SSO log into addin using personal devices when Microsoft MCAS policies are in place #4925

Open
mikey8808 opened this issue Sep 25, 2024 · 1 comment
Assignees
Labels
Area: Outlook Issue related to Outlook add-ins Needs: attention 👋 Waiting on Microsoft to provide feedback

Comments

@mikey8808

mikey8808 commented Sep 25, 2024

Summary

Users are unable to log into the add-in with SSO from personal devices when Microsoft MCAS policies are in place.

Your Environment

  • Platform [PC desktop, Mac, iOS, Office on the web]: OWA (Chrome, Edge, FireFox)
  • Host [Excel, Word, PowerPoint, etc.]: OWA
  • Operating System: Windows and Mac
  • Browser (if using Office on the web): (Chrome, Edge, FireFox)

Expected behavior

Users can log into the add-in from personal devices when Microsoft MCAS policies are in place.

Current behavior

Users can't log into the add-in with SSO. It fails because the SSO redirect does not carry the `.mcas.ms` suffix.

Steps to reproduce

  1. In Microsoft Conditional Access Policies, configure a "Conditional Access app control" policy to prevent users from downloading and copying data onto their personal devices, i.e. it allows them to work only in the browser without removing data. More info here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session
  2. Once it is in place, use a personal device and sign into Outlook (OWA) in your browser.
  3. Try to send an email with the add-in enabled.
  4. The add-in will try to sign you in using SSO, but the result is a blank screen that never loads.
  5. This means you can never sign into the add-in when Microsoft Conditional Access Policies that block downloading or copying/pasting data are in use.

The user can initialise the SSO login by signing in via the taskpane or by sending an email that prompts the user to sign in.

Provide additional details

  1. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/mcas-with-outlook-web-app-add-ins/m-p/1503215

Context

Microsoft has released additional Conditional Access Policies for personal devices, allowing organisations to prevent copying/pasting of Outlook emails when using personal devices.

Two controls cause the issue: one blocks copy and paste and the other blocks downloads.

If either of these policies is in place and active, a user cannot sign into the add-in, as the login redirect to the Single Sign-On service never completes successfully, resulting in a blank page and no way to sign in.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP label Sep 25, 2024
@exextoc exextoc added Needs: attention 👋 Waiting on Microsoft to provide feedback Area: Outlook Issue related to Outlook add-ins and removed Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP labels Sep 25, 2024
@exextoc exextoc self-assigned this Sep 25, 2024
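To make the failure described in the issue observable rather than a blank page, an add-in can check at startup whether it is being served through the Defender for Cloud Apps session proxy and whether its configured SSO redirect URI matches that proxied origin. The helper below is an added illustration and is not code from the issue, from Microsoft, or from any add-in project; it assumes the proxy rewrites hostnames by appending `.mcas.ms` (the suffix named in the issue), and the `addin.example.com` redirect host is a constructed placeholder.

```javascript
// Added example: detect an MCAS-proxied session and report a redirect-URI
// mismatch instead of silently loading a blank SSO page.
// Assumption: the session proxy rewrites "<host>" to "<host>.mcas.ms".
const PROXY_SUFFIXES = [".mcas.ms"];

// Return the proxy suffix the hostname carries, or null if it is not proxied.
function proxySuffixOf(hostname) {
  const h = hostname.toLowerCase();
  return PROXY_SUFFIXES.find((s) => h.endsWith(s)) || null;
}

// Strip the proxy suffix to recover the origin host the user actually reached.
function originalHost(hostname) {
  const suffix = proxySuffixOf(hostname);
  return suffix ? hostname.slice(0, -suffix.length) : hostname;
}

// Given the page the add-in is running in and the SSO redirect URI it is about
// to use, decide whether the redirect is consistent with the proxied session.
// Returns a plain object so the caller can log it or show it in the taskpane.
function diagnoseSsoRedirect(currentUrl, redirectUri) {
  const current = new URL(currentUrl);
  const redirect = new URL(redirectUri);
  const suffix = proxySuffixOf(current.hostname);
  const proxied = suffix !== null;
  const redirectProxied = proxySuffixOf(redirect.hostname) !== null;

  // The redirect is only expected to carry the suffix when the page itself does.
  const mismatch = proxied && !redirectProxied;

  // The redirect the proxied session would need (unchanged when not proxied).
  const expected = new URL(redirect.href);
  if (mismatch) {
    expected.hostname = redirect.hostname + suffix;
  }

  let message;
  if (!proxied) {
    message = "Not running under a session proxy; using configured redirect.";
  } else if (mismatch) {
    message =
      "Session is proxied via " + suffix + " but the SSO redirect host " +
      redirect.hostname + " is not; sign-in will not complete. Expected " +
      expected.hostname + ".";
  } else {
    message = "Session is proxied and the redirect host matches.";
  }

  return {
    proxied,
    mismatch,
    originalHost: originalHost(current.hostname),
    expectedRedirect: expected.href,
    message,
  };
}

// Constructed sample inputs: an OWA session behind the proxy and an add-in
// whose redirect URI was registered without the proxy suffix.
const sampleProxied = diagnoseSsoRedirect(
  "https://outlook.office.com.mcas.ms/mail/",
  "https://addin.example.com/auth/callback"
);
const sampleDirect = diagnoseSsoRedirect(
  "https://outlook.office.com/mail/",
  "https://addin.example.com/auth/callback"
);
console.log(sampleProxied.message);
console.log(sampleDirect.message);
```

In a real add-in the first argument would come from `window.location.href`; surfacing `message` in the taskpane before starting the SSO flow turns the blank screen into an actionable error for the user and for the help desk.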
@carlosb1504

carlosb1504 commented: Hi, any update on this one, please?
