Issue
When trying to access Riva Insight through Single Sign-On, the user receives an "A silent sign-in request was sent but no user is signed in." error when a Graph API call is made.
Background
Nested App Authentication (NAA) in Outlook web add-ins relies on third-party cookies for making Graph API calls. Blocking third-party cookies can cause issues with the authentication process, leading to errors like "A silent sign-in request was sent but no user is signed in." Allowing third-party cookies, especially for domains like [*.]microsoftonline.com and/or [*.]office.com, is necessary to ensure that the authentication and subsequent Graph API calls work correctly.
Technical Overview
Here's a breakdown:
- Third-Party Cookies in Nested App Authentication: When using OAuth 2.0 or similar authentication protocols in web-based apps (like Outlook Web Add-ins), authentication often involves redirects and interactions with authentication providers (such as Microsoft’s identity platform). These interactions may rely on third-party cookies to maintain the session between the browser and authentication service (like Microsoft login, which uses .microsoftonline.com).
- Blocking Third-Party Cookies: When third-party cookies are blocked, the session between the Outlook Web Add-in and the authentication provider is disrupted. The authentication token that was supposed to be passed or stored via cookies is unavailable, which causes the "silent sign-in request" to fail. This is why you're seeing the error: "A silent sign-in request was sent but no user is signed in."
- Allowing Cookies (Specifically, [*.]microsoftonline.com): Allowing third-party cookies for the Microsoft-related domains (like *.microsoftonline.com) resolves the issue because these cookies are used by Microsoft’s identity platform for maintaining a user session. Once these cookies are allowed, the browser can maintain the session between the add-in and the Microsoft authentication service, enabling the Graph API calls to work after the user is authenticated.
Why this Happens:
- OAuth 2.0: When you're using OAuth 2.0 to authenticate, the process typically includes redirects and token exchanges, which are handled by the identity provider. If cookies are blocked, these redirects and token exchanges fail to happen correctly, leading to errors like the one you encountered.
- Cross-Origin Authentication: Outlook Web Add-ins are often hosted in a different origin (subdomain or different domain) than the authentication service (Microsoft’s login platform). This cross-origin scenario typically requires third-party cookies to maintain the authentication context. If cookies are blocked, the authentication context is lost, and the sign-in process fails.
Solution:
To avoid this issue, you need to ensure that cookies are allowed for the relevant Microsoft domains (like *.microsoftonline.com). This will allow the session to persist and make the silent sign-in flow work correctly.
In summary, blocking third-party cookies interferes with the authentication flow, especially when making Graph API calls after using Nested App Authentication in Outlook Web Add-ins. Allowing third-party cookies for the relevant Microsoft domains ensures proper session management, fixing the issue you encountered.
For iOS Devices or Browsers
On the device and/or browser, ensure the following (options may vary depending on device/browser):
- Third-party cookies allowed
- Tracking prevention disabled
- Cross-website tracking enabled
Enabling third-party cookies or disabling tracking prevention outright is not required, provided that an exception is created allowing [*.]microsoftonline.com. [*.]office.com is used in fallback scenarios and can also be added to the exception list.
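To confirm that a narrow exception list covers the hosts the silent sign-in and Graph calls depend on, without disabling tracking prevention entirely, here is an added example (not part of the original article or of Riva's code) in JavaScript that parses Chromium/Edge-style site patterns such as `[*.]microsoftonline.com` and reports which required hosts remain uncovered. The required-host list, including the `outlook.office.com` fallback host, is an assumption constructed from the domains the article names, not an authoritative list of Microsoft endpoints.

```javascript
// Added example, not from the original article. Parses cookie-exception
// patterns in Chromium/Edge site-pattern syntax and audits them against the
// hosts the NAA sign-in flow needs (host list is an assumption, see below).

// "[*.]example.com" matches example.com and every subdomain;
// "example.com" matches only that exact host. An optional scheme and port
// (e.g. "https://[*.]example.com:443") are ignored for host matching.
function parsePattern(pattern) {
  let p = pattern.trim().toLowerCase();
  p = p.replace(/^[a-z]+:\/\//, '').replace(/:\d+$/, '');
  const wildcard = p.startsWith('[*.]');
  const base = wildcard ? p.slice(4) : p;
  // Reject bare "*.example.com" and other shapes the browser UI would not accept.
  if (!/^[a-z0-9.-]+$/.test(base)) {
    throw new Error(`invalid site pattern: ${pattern}`);
  }
  return { base, wildcard };
}

// Subdomain matching requires a dot boundary, so "[*.]microsoftonline.com"
// does NOT match a look-alike such as "evil-microsoftonline.com".
function matches(host, parsed) {
  const h = host.toLowerCase();
  if (h === parsed.base) return true;
  return parsed.wildcard && h.endsWith('.' + parsed.base);
}

function isHostAllowed(host, exceptions) {
  return exceptions.map(parsePattern).some(p => matches(host, p));
}

// Constructed from the domains the article names; adjust for your tenant.
const REQUIRED_HOSTS = [
  'login.microsoftonline.com', // Microsoft identity platform sign-in
  'outlook.office.com',        // assumed example of the *.office.com fallback
];

// Returns the required hosts the exception list still leaves blocked, so an
// admin can see what is missing instead of disabling tracking prevention.
function uncoveredHosts(exceptions, required = REQUIRED_HOSTS) {
  return required.filter(h => !isHostAllowed(h, exceptions));
}
```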
For iOS Devices (Intune Managed)
Microsoft Intune provides a way to control settings on managed devices, including iPads, which can help manage browser behavior such as third-party cookie usage in Edge. If you're still experiencing issues despite allowing third-party cookies in Edge, it's possible that Intune settings, or additional configurations, are impacting the behavior. Here's what you can do using Intune to help resolve the issue:
1. Use Mobile Application Management (MAM) Policies for Edge
Intune’s Mobile Application Management (MAM) policies allow you to manage app settings (including Edge) without requiring device enrollment. Here's how you can manage cookie settings specifically for Edge on iPads:
- Configure App Protection Policies: With MAM policies, you can configure app-level settings for Edge to ensure it adheres to security requirements (such as allowing third-party cookies).
  - Navigate to Intune > Apps > App protection policies.
  - Create or edit an App Protection Policy for Edge on iOS.
  - Under Targeted Apps, choose Microsoft Edge.
  - Ensure that the app protection policy allows for cookies and doesn't block cross-site tracking.
- Control Browser Behavior: Intune allows you to configure specific behaviors in Microsoft Edge, such as:
  - Browser settings for cookies and data management.
  - If you want to enforce cookie settings or ensure a specific browser configuration (e.g., allowing third-party cookies), you can adjust settings via App Configuration Policies for Edge.
2. Use Device Compliance Policies for iOS/iPadOS
If the iPad is enrolled in Intune, you can set Device Compliance Policies to enforce security and configuration settings, which might help address issues around cookies or other settings that could impact your browsing experience.
- Set Minimum OS Versions: Ensure that the iPad has a supported version of iOS or iPadOS. You can enforce this under Device compliance > iOS/iPadOS Compliance Policies.
- Enforce Web Browser Settings: While Intune does not directly control browser cookie settings, you can enforce app-level policies that impact the overall behavior of Edge and other browsers, such as:
  - Enforcing a passcode or other security requirements that may be tied to allowing secure sessions for third-party cookies.
  - Requiring that the device is compliant with security features like encryption or jailbreak prevention.
- Conditional Access for Compliance: You can create Conditional Access policies that ensure only compliant devices (those meeting Intune requirements) can access certain resources. For example, you could enforce policies to allow access to Microsoft services only on devices that meet certain security configurations.
3. Configure Web Protection Settings with Intune
You can use Intune’s Web Protection to set up specific policies for the apps that use Microsoft Edge, ensuring that the settings don’t block cookies or interfere with the authentication process.
- Use Microsoft Defender for Endpoint: If your organization has Microsoft Defender for Endpoint, you can leverage its integration with Intune to apply additional protection and monitoring to Edge on iPads. You can set policies that enhance security while ensuring third-party cookies are allowed.
4. Ensure Privacy Settings in Edge Are Not Overridden
While MAM and compliance policies can manage app behavior, make sure the Privacy settings in Edge itself are not conflicting. You can control privacy settings on a per-app basis in Intune, but users also need to ensure they aren't overriding these settings at the app level. Here's what you can do:
- Edge Settings: On the iPad, in Edge, go to:
  - Settings > Privacy and security.
  - Under Tracking Prevention, make sure it's set to Basic (not Strict or Balanced), as higher levels may block third-party cookies.
- If you’re using Intune App Configuration Policies, make sure the configurations align with the intended browser settings for Edge.
5. Check for Other iOS Restrictions
iOS also has privacy and security restrictions that might block cookies or limit cross-site tracking. Ensure there are no global restrictions on the iPad that interfere with cookies, even if the Edge settings are correctly configured.
- On the iPad, go to Settings > Safari > Privacy & Security. Make sure that Prevent Cross-Site Tracking is turned off.
- You should also ensure that Block All Cookies is disabled in Safari, as iOS settings could apply these restrictions globally across browsers, including Edge.
6. Consider Using Intune to Push Edge Configuration Settings
If you manage Edge on iPads via Intune, you can push Edge-specific settings to control cookie behavior:
- Go to Intune > Apps > App configuration policies > Microsoft Edge (iOS).
- Push configuration settings such as allowing third-party cookies.
Conclusion:
While Intune doesn’t have a direct setting to control third-party cookie behavior, you can influence this by managing app settings, enforcing device compliance, and pushing configurations to Edge through MAM policies. Ensuring that no device or network-level settings are interfering with cookies and that Edge's settings are configured correctly can resolve these issues.
Key Steps:
- Review App Protection Policies to ensure Edge is configured correctly.
- Ensure no conflicting iOS privacy settings are enabled.
- Use Device Compliance Policies to enforce minimum OS versions and other compliance rules.
- Check network filters or proxies that could be blocking cookies.
This should help resolve issues where third-party cookies are being blocked even after allowing them in Edge on your iPad.