OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

Unable to SSO log into addin using personal devices when Microsoft MCAS policies are in place #4925

Open mikey8808 opened 1 week ago

mikey8808 commented 1 week ago

Summary

Users are unable to SSO log into the add-in using personal devices when Microsoft MCAS policies are in place.

Your Environment

Expected behavior

Users can log into the add-in using personal devices when Microsoft MCAS policies are in place.

Current behavior

Users can't log into the add-in with SSO. It fails because the SSO redirect does not have the .mcas.ms suffix.

Steps to reproduce

  1. In Microsoft Conditional Access Policies, configure a "Conditional Access app control" policy to prevent users from downloading and copying data onto their personal devices. i.e. it allows them to work only in the browser without removing data. More info on this here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session
  2. Once in place, use a personal device and sign into Outlook (OWA) in your browser
  3. Try to send an email with the add-in enabled
  4. The add-in will try to sign you in using SSO but will result in a blank screen that never loads.
  5. This means you can never sign into the add-in when using Microsoft Conditional Access Policies that block downloading or copying/pasting data.

Users can initialise the SSO login by signing in via the task pane or by sending an email, which prompts the user to sign in.

Provide additional details

  1. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/mcas-with-outlook-web-app-add-ins/m-p/1503215

Context

Microsoft has released additional Conditional Access Policies for personal devices, allowing organisations to prevent copying/pasting of Outlook emails when using personal devices.

Two controls cause an issue: one blocks copy and paste and the other blocks downloads.

If either of these policies is in place and active, a user cannot sign into the add-in, as the login redirect to the Single Sign-On service never completes successfully, resulting in a blank page and no way to sign in.

carlosb1504 commented 4 days ago

Hi, any update on this one please?

shighosh-msft commented 1 day ago

Hi @carlosb1504, apologies for the delay in responding on this. Can you please check your XML manifest and see if adding the .mcas.ms suffixed URL helps resolve the issue?
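To illustrate the suggestion above (an added manifest fragment, not code from this thread or from the office-js project): Office only lets domains listed under `AppDomains` load inside the add-in, so the host the MCAS session proxy rewrites the add-in's URLs to has to be listed next to the real host. `contoso-addin.example.com` is a placeholder, and the assumption that the proxied host is simply the original host with `.mcas.ms` appended is mine; confirm the actual rewritten host from your tenant before adding it.

```xml
<!-- Added example, not from the thread. "contoso-addin.example.com" is a placeholder host and the
     ".mcas.ms" form is an assumption about how the session proxy rewrites it. -->
<AppDomains>
  <!-- Before: only the real host is trusted, so the proxied SSO redirect lands on an unlisted domain
       and the task pane shows a blank page -->
  <AppDomain>https://contoso-addin.example.com</AppDomain>
  <!-- After: also trust the proxied host. List the specific host rather than a broad pattern so the
       set of domains allowed to run inside the add-in stays as small as possible. -->
  <AppDomain>https://contoso-addin.example.com.mcas.ms</AppDomain>
</AppDomains>
```

Re-deploy the manifest after the change; the behaviour in the "Steps to reproduce" above is the check that the proxied redirect now completes.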