Previously, this article referenced Chrome Beta version 78. However, version 78 will no longer experience this issue. Google rescheduled this change in behavior for Chrome Beta version 79.
The Beta release of the Google Chrome web browser (build 79, scheduled for release on October 31, 2019) features a change in how cookies are handled. This change is expected to severely affect many applications and services that are based on open standards, including Microsoft cloud services. The new behavior prevents users from being able to sign in to Microsoft services (Azure, Office, and so on), and causes user sessions to be left active after users appear to sign out.
During our testing of this change in Microsoft services, we found the following scenarios to be severely degraded:
- Signing in to important sites such as the Azure portal fails and generates an error.
- Signing in to Microsoft Power BI enters a loop and eventually generates an error.
- Dynamics 365 sign-out fails.
- Dynamics integration with Skype, PowerApps, and Excel fails.
- In Office 365, notifications about email messages in the Office Suite do not work.
- In Microsoft Teams, authentication on the Mac fails, and tabbed access to other office services such as Stream within the Teams client does not work.
- Sign-out messages from certain sites indicate a successful sign-out. However, the cookie clearing process fails, and this keeps the user signed in.
- Signing in and signing out fails on many customer-developed websites that use some versions of Microsoft .NET Framework and .NET Core to process authentication tokens.
- Customer-developed applications that do silent token refreshing in MSAL or ADAL against Azure Active Directory (Azure AD), Microsoft Account, or Active Directory Federation Services (AD FS) fail to sign in.
We strongly recommend that customers use the Stable release of the Chrome browser at this time and avoid using the Beta release in their production environments when they access Microsoft services.
If developers have to use the Beta release for website testing, we recommend that they use a different browser to access Microsoft services.
Microsoft is working to address this situation before these changes are included in the generally available version of Chrome.
Additionally, we understand that Google is planning to provide enterprises the ability to override these changes. For more information, see SameSite Updates on the Chromium Projects website.
We will continue to post more information about the situation in this article when the information becomes available.
The web community is working on a solution to address the abusive use of tracking cookies and cross-site request forgery through a standard that is known as SameSite.
The Chrome team has announced plans to roll out a change in the default behavior of the SameSite functionality in Chrome starting in a Beta release on September 19, 2019. This change is expected to break authentication flows that are based on the OpenID Connect standard. Therefore, well-established patterns of authentication will not work.