Running an Outlook add-in on the desktop client with protected mode off

We are developing an Outlook add-in which requests tokens from Active Directory for an on-behalf-of flow. Once the user has logged in to AD once, and has a login cookie from AD, we'd like to request any further tokens from AD through an iframe with the prompt=none parameter.

In order to work around protected mode, we've added the URL hosting our add-in to Trusted Sites, as well as https://outlook.office.com and https://login.microsoftonline.com. When the add-in is run from Internet Explorer, the entire page runs with protected mode off since outlook.office.com is in Trusted Sites, so our iframe can access the login cookie set by AD on login.

Our problem is running the add-in from the Outlook desktop client. When the iframe loads login.microsoftonline.com, the login cookie is not sent. I suspect this is because the desktop client might be running the add-in in protected mode. If I run Outlook as administrator, the cookie is sent, and the add-in behaves like it does in the browser.

Is there any way to make Outlook run the add-in with protected mode off, short of running the client as administrator?

Upvotes: 1

Views: 281

Answers (1)

Andy Liu - MSFT

Reputation: 595

This issue is related to the Integrity Mechanism. Please refer to the link below for more information about the Integrity Mechanism and Protected Mode.

https://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#upm_ovwim

If the sites are in Trusted Sites, they run outside of Protected Mode, and the cookies are stored in the Medium Integrity Cookie Store.

An Outlook add-in is secured by an add-in runtime environment in which an Internet Explorer control is hosted. When UAC is enabled, the add-in runtime runs at a low integrity level. The Internet Explorer control also runs at a low integrity level, so it can't retrieve the cookie from the Medium Integrity Cookie Store.

Therefore, when the iframe loads the site, the login cookie is not sent.

To resolve this issue, there are three methods:

  • Remove the sites from Trusted Sites in IE, and then run the add-in from Outlook. This stores the cookies in the Low Integrity Cookie Store.
  • Turn off UAC, which makes all programs run at High Integrity Level. However, this is not safe for IE.
  • Elevate the IE broker process to medium integrity level by creating an elevation policy. Please refer to the following link for how-tos.

    https://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#upm_cfgpm

Note: deactivation of UAC should only be done for testing purposes. If you deactivate it (permanently) on production computers, you will create a major security hole; please do not do that.

Upvotes: 1
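As an added, read-only diagnostic (not part of the question or the answer above), the following PowerShell script reports which IE security zone each site from the question is mapped to, whether Protected Mode is on for that zone, and which IE elevation policies already exist on the machine. It assumes the standard per-user Internet Settings registry layout (zone map under HKCU, zone 2 = Trusted sites, value 2500 = Protected Mode flag) and the documented Low Rights\ElevationPolicy location; the site list is taken from the question.

```powershell
# Added diagnostic, not code from the thread. Read-only: it changes no settings.
# Assumed registry layout: per-user zone map and zone settings under HKCU,
# zone ids 0-4 as documented, value 2500 in a zone: 0 = Protected Mode on, 3 = off.
$sites   = @('outlook.office.com', 'login.microsoftonline.com')   # hosts named in the question
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    # The zone map stores "domain\subdomain" keys; each value is a scheme (http, https, *)
    # whose data is the zone id. Flatten that into host/scheme/zone records.
    Get-ChildItem -Path $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key    = $_
        $parent = Split-Path $key.PSParentPath -Leaf
        $hostName = if ($parent -eq 'Domains') { $key.PSChildName } else { "$($key.PSChildName).$parent" }
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{ Host = $hostName; Scheme = $scheme; Zone = [int]$key.GetValue($scheme) }
        }
    }
}

function Get-ElevationPolicies {
    # Existing Protected Mode elevation policies (the third option in the answer).
    $path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Id = $_.PSChildName; AppName = $p.AppName; AppPath = $p.AppPath; Policy = $p.Policy }
    }
}

$entries = Get-ZoneMapEntries
foreach ($site in $sites) {
    # A key without a subdomain part (e.g. Domains\office.com) covers all subdomains.
    $match = $entries |
        Where-Object { ($_.Scheme -in 'https', '*') -and ($site -eq $_.Host -or $site.EndsWith(".$($_.Host)")) } |
        Select-Object -First 1
    $zone = if ($match) { $match.Zone } else { 3 }   # unmapped hosts fall into the Internet zone
    $pm = (Get-ItemProperty -Path "$zones\$zone" -ErrorAction SilentlyContinue).'2500'
    $pmState = if ($pm -eq 0) { 'on' } elseif ($pm -eq 3) { 'off' } else { 'not set (zone default)' }
    '{0}: zone {1} ({2}), Protected Mode {3}' -f $site, $zone, $zoneNames[$zone], $pmState
}

'Elevation policies (Policy 3 = launch at medium integrity silently):'
Get-ElevationPolicies | Format-Table -AutoSize
```

Run it as the same user who uses Outlook; the Trusted Sites entries it prints correspond to the Medium Integrity Cookie Store behaviour the answer describes, and an empty elevation-policy table means no process has been granted medium integrity yet.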
