- Microsoft Dynamics 365 (on premises) and Google Chrome 80 ‘SameSite=Lax'. Dynamics 365 Customer Engagement (on-premises) Dynamics CRM 2016 Dynamics CRM.
- Collaborate for free with online versions of Microsoft Word, PowerPoint, Excel, and OneNote. Save documents, spreadsheets, and presentations online, in OneDrive.
- Get more done with the new Google Chrome. A more simple, secure, and faster web browser than ever, with Google's smarts built-in.
- Microsoft 365 is designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security.
Microsoft 365 is a subscription that includes the most collaborative, up-to-date features in one seamless, integrated experience. Microsoft 365 includes the robust Office desktop apps that you're familiar with, like Word, PowerPoint, and Excel.
-->Note
Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.
Note
Previously, this article referenced Google Chrome Beta version 79. Google is scheduled to release a cookie behavior in Chrome Stable version 80.Chrome has updated their rollout timeline to indicate that this change will be rolled out in Chrome 80 starting the week of February 17. Chrome 80 will ship on February 4 and have this feature disabled by default. The feature will be enabled on a graduated schedule starting February 17.
Summary
The Stable release of the Google Chrome web browser (build 80, scheduled for release on February 4, 2020) will roll out a change to the default cookie behavior starting the week of February 17. Although the change is intended to discourage malicious cookie tracking and protect web applications, it's also expected to affect many applications and services that are based on open standards. This includes Microsoft cloud services.
Enterprise customers are encouraged to make sure that they're prepared for the change and are ready to implement mitigations by testing their applications (whether custom-developed or purchased). For more information, see the 'Recommendations' section.
Microsoft is committed to addressing this change in behavior in its products and services before the Chrome 80 release date. This article discusses the guidance from both Microsoft and Google for installing the various updates that are required for products and libraries, and the guidance for testing and preparation. However, it's equally important that you test your own applications against this change in Chrome behavior and prepare your own websites and web applications as necessary.
Effect on customer applications
All Microsoft Cloud services are updated to comply with the new requirements made by Chrome, but some other applications may still be affected. Check the 'Recommendations' section for some server products that will require updating by customers.
You should thoroughly test all applications by using Chrome Beta version 80 to verify the effect of this change. We expect that problems similar to the problems that this article describes will affect your applications. This is especially true for applications that use any web platform or technology that relies on cross-domain cookie sharing, such as apps that are embedded in other apps.
Chrome versions 78 and 79 betas have an improvement that delays the SameSite:Lax attribute enforcement for two minutes. However, using these versions for testing may mask other problems. Therefore, we recommend that you test by using Chrome version 80 by having specific flags enabled. Doing this can, at least, help you discover the effect so that you can determine your best plan. For more information, see the 'Testing guidelines' section.
Microsoft Edge browser on Chromium (version 80) will not be affected by these SameSite changes. You can read the Edge documentation to see the current plan for adapting this change.
Google Chrome 365 Sign In
Recommendations
Microsoft customers who use Active Directory Federation Services (AD FS) or Web Application Proxy must deploy one of the following Windows Server updates:
| Product | KB Article | Release Date |
|---|---|---|
| Windows Server 2019 | KB 4534273 | January 14, 2020 |
| Windows Server 2016 | KB 4534271 | January 14, 2020 |
| Windows Server 2012 R2 | KB 4534309 | January 14, 2020 |
The following Microsoft server or client products must also be updated. The updates will be added to this article when they're available. We recommend that you revisit this article regularly for the latest updates.
| Product | KB Article | Release Date |
|---|---|---|
| Exchange Server 2019 | KB 4537677 | March 17, 2020 |
| Exchange Server 2016 | KB 4537678 | March 17, 2020 |
| Project Server 2013 | KB 4484360 | May 12, 2020 |
| Project Server 2010 | KB 4484388 | May 12, 2020 |
| SharePoint Foundation 2013 | KB 4484364 (Cumulative Update: KB 4484358)1 | May 12, 2020 |
| SharePoint Foundation 2010 | KB 4484386 | April 27, 2020 |
| SharePoint Server 2019 | KB 4484259 | February 11, 2020 |
| SharePoint Server 2016 | KB 4484272 | March 10, 2020 |
| SharePoint Server 2013 | KB 4484362 | May 12, 2020 |
| SharePoint Server 2010 | KB 4484389 | May 12, 2020 |
| Skype for Business Server 2019 | Upcoming late Summer 2020 Cumulative Update (tentative) | |
| Skype for Business Server 2015 | April 2020 Cumulative Update (CU 11) |
1 This Cumulative Update contains the fix for the SameSite cookie issue, plus additional fixes unrelated to the SameSite cookie issue. Microsoft recommends installing the Cumulative Update rather than the individual update to ensure your environment has all of the fixes available at the time the Cumulative Update was released.
You must test your applications for all the following scenarios, and determine the appropriate plan based on the outcome of the tests:
- Your application is unaffected by the SameSite changes. In this case, there's no action to take.
- Your application is affected, but your software developers can make the change in time to use the SameSite:None cookie settings. In this case, you should change your application by following the developer guidance in the 'Testing guidelines' section.
- Your application is affected but can't be changed in time. For internal sites, the application can be excluded from the SameSite enforcement behavior in Chrome by using the LegacySameSiteCookieBehaviorEnabledForDomainList setting.
If enterprise customers learn that most of their apps are affected, or if they do not have enough time to test their apps before the graduated release of the feature starting on February 18, they're encouraged to disable the SameSite behavior in computers they govern. They can do this by using Group Policy, System Center Configuration Manager, or Microsoft Intune (or any Mobile Device Management software) until they can verify that the new behavior doesn't break basic scenarios in their apps.
Google has released the following enterprise controls that can be set to disable the SameSite enforcement behavior in Chrome:
- LegacySameSiteCookieBehaviorEnabled, which enables or disables this change.
- LegacySameSiteCookieBehaviorEnabledForDomainList, which allows Chrome to disable this policy on specific domains.
For enterprise customers who develop their applications on .NET Framework, we recommend that they update libraries and set the SameSite behavior intentionally to avoid unpredictable results that are caused by the change in the cookie behavior. To do this, see the guidance in the following Microsoft ASP.NET Blog article:
Also, see the following Google Chromium Blog article for developer guidance about this issue:
Customers who have affected sites that impact consumers or users who are not covered under their Enterprise policies must instruct those users to use a different browser (Edge, Firefox, Internet Explorer) or walk those users through how to disable the settings in Chrome (as shown in the next section) while they fix their applications.
Testing guidelines
Google has published this guidance for developers to prepare for the SameSite changes. Additionally, we recommend that you test your websites and apps by using the following approach.
Use Chrome Beta version 80 to test the scenarios:
Download Chrome Beta version 80:
- For Windows 64-bit: Beta channel for Windows (64-bit)
- For Windows 32-bit: Beta channel for Windows (32-bit)
Start Chrome by using the following additional command line flag:
--enable-features=SameSiteDefaultChecksMethodRigorouslyEnable the SameSite flags. To do this, type
Chrome://flagsin the Address bar, search for SameSite, and then select Enabled for the following options.
More information
The web community is working on a solution to address the abusive use of tracking cookies and cross-site request forgery through a standard that's known as SameSite.
The Chrome team had announced plans to roll out a change in the default behavior of the SameSite functionality starting in a release of Chrome version 78 Beta on October 18, 2019. This rollout will be moved to Chrome version 80 release on February 4, 2020. This change helps improve web security. However, it also breaks authentication flows that are based on the OpenID Connect standard. Therefore, well-established patterns of authentication won't work.
Chrome 365 Office
Checking the Chrome version
If you suspect that your users are using a Chrome version 76 or a later version that has SameSite enabled, you can check the version number by navigating to chrome://settings/help or by selecting the Chrome settings icon, and then selecting Help > About Google Chrome.
For the 77–79 versions of Chrome, check the Chrome://flags in the browser to see whether they have the flags enabled. The setting default will begin to change in Chrome version 80 on a graduated release.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Third-party contact disclaimer
Google Chrome 365 Sign In
Recommendations
Microsoft customers who use Active Directory Federation Services (AD FS) or Web Application Proxy must deploy one of the following Windows Server updates:
| Product | KB Article | Release Date |
|---|---|---|
| Windows Server 2019 | KB 4534273 | January 14, 2020 |
| Windows Server 2016 | KB 4534271 | January 14, 2020 |
| Windows Server 2012 R2 | KB 4534309 | January 14, 2020 |
The following Microsoft server or client products must also be updated. The updates will be added to this article when they're available. We recommend that you revisit this article regularly for the latest updates.
| Product | KB Article | Release Date |
|---|---|---|
| Exchange Server 2019 | KB 4537677 | March 17, 2020 |
| Exchange Server 2016 | KB 4537678 | March 17, 2020 |
| Project Server 2013 | KB 4484360 | May 12, 2020 |
| Project Server 2010 | KB 4484388 | May 12, 2020 |
| SharePoint Foundation 2013 | KB 4484364 (Cumulative Update: KB 4484358)1 | May 12, 2020 |
| SharePoint Foundation 2010 | KB 4484386 | April 27, 2020 |
| SharePoint Server 2019 | KB 4484259 | February 11, 2020 |
| SharePoint Server 2016 | KB 4484272 | March 10, 2020 |
| SharePoint Server 2013 | KB 4484362 | May 12, 2020 |
| SharePoint Server 2010 | KB 4484389 | May 12, 2020 |
| Skype for Business Server 2019 | Upcoming late Summer 2020 Cumulative Update (tentative) | |
| Skype for Business Server 2015 | April 2020 Cumulative Update (CU 11) |
1 This Cumulative Update contains the fix for the SameSite cookie issue, plus additional fixes unrelated to the SameSite cookie issue. Microsoft recommends installing the Cumulative Update rather than the individual update to ensure your environment has all of the fixes available at the time the Cumulative Update was released.
You must test your applications for all the following scenarios, and determine the appropriate plan based on the outcome of the tests:
- Your application is unaffected by the SameSite changes. In this case, there's no action to take.
- Your application is affected, but your software developers can make the change in time to use the SameSite:None cookie settings. In this case, you should change your application by following the developer guidance in the 'Testing guidelines' section.
- Your application is affected but can't be changed in time. For internal sites, the application can be excluded from the SameSite enforcement behavior in Chrome by using the LegacySameSiteCookieBehaviorEnabledForDomainList setting.
If enterprise customers learn that most of their apps are affected, or if they do not have enough time to test their apps before the graduated release of the feature starting on February 18, they're encouraged to disable the SameSite behavior in computers they govern. They can do this by using Group Policy, System Center Configuration Manager, or Microsoft Intune (or any Mobile Device Management software) until they can verify that the new behavior doesn't break basic scenarios in their apps.
Google has released the following enterprise controls that can be set to disable the SameSite enforcement behavior in Chrome:
- LegacySameSiteCookieBehaviorEnabled, which enables or disables this change.
- LegacySameSiteCookieBehaviorEnabledForDomainList, which allows Chrome to disable this policy on specific domains.
For enterprise customers who develop their applications on .NET Framework, we recommend that they update libraries and set the SameSite behavior intentionally to avoid unpredictable results that are caused by the change in the cookie behavior. To do this, see the guidance in the following Microsoft ASP.NET Blog article:
Also, see the following Google Chromium Blog article for developer guidance about this issue:
Customers who have affected sites that impact consumers or users who are not covered under their Enterprise policies must instruct those users to use a different browser (Edge, Firefox, Internet Explorer) or walk those users through how to disable the settings in Chrome (as shown in the next section) while they fix their applications.
Testing guidelines
Google has published this guidance for developers to prepare for the SameSite changes. Additionally, we recommend that you test your websites and apps by using the following approach.
Use Chrome Beta version 80 to test the scenarios:
Download Chrome Beta version 80:
- For Windows 64-bit: Beta channel for Windows (64-bit)
- For Windows 32-bit: Beta channel for Windows (32-bit)
Start Chrome by using the following additional command line flag:
--enable-features=SameSiteDefaultChecksMethodRigorouslyEnable the SameSite flags. To do this, type
Chrome://flagsin the Address bar, search for SameSite, and then select Enabled for the following options.
More information
The web community is working on a solution to address the abusive use of tracking cookies and cross-site request forgery through a standard that's known as SameSite.
The Chrome team had announced plans to roll out a change in the default behavior of the SameSite functionality starting in a release of Chrome version 78 Beta on October 18, 2019. This rollout will be moved to Chrome version 80 release on February 4, 2020. This change helps improve web security. However, it also breaks authentication flows that are based on the OpenID Connect standard. Therefore, well-established patterns of authentication won't work.
Chrome 365 Office
Checking the Chrome version
If you suspect that your users are using a Chrome version 76 or a later version that has SameSite enabled, you can check the version number by navigating to chrome://settings/help or by selecting the Chrome settings icon, and then selecting Help > About Google Chrome.
For the 77–79 versions of Chrome, check the Chrome://flags in the browser to see whether they have the flags enabled. The setting default will begin to change in Chrome version 80 on a graduated release.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Third-party contact disclaimer
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Nick Chin, 15 January 2020
Suddenly on Thursday the 14/11/2019 NZST a customer was having issues with Dynamics 365 when using Chrome, it was freezing and displaying a blank/white tab. Users would need to restart Chrome to load Dynamics 365 again.
I was unable to replicate this issue on my laptop, however the users affected were using a Citrix client. This problem seems to be more prevalent with users on a server, where multiple users will be active at once.
A user from the Google support thread (https://support.google.com/chrome/thread/19713332?hl=en) found that the 'occlusion' setting in Chrome was causing this to happen. Note, this is a Chrome issue that can affect any web page. This has been nicknamed the 'White Screen of Death' (WSOD) error.
Here is Google's response to this problem:
'Our mission is for Chrome Browser to be fast and efficient. We've been working on an optimization for when Chrome is hidden behind another window, to avoid having to draw content that a user will never see.
This optimization was tested in the Beta channel of Chrome for the past 5 months, and was activated for all users of Chrome 78, on Nov 12.
After the roll out, we received reports that in some virtual environments, Chrome on Windows displays a blank page, which may be because Chrome mistakenly believes it's covered by another window. As soon as we confirmed the reports, the feature was disabled.
If Chrome on Windows is displaying blank pages, restart Chrome. On the next start, this feature will be disabled.
We also want to provide an explanation of how this change was rolled out. For some features, Chrome uses a gradual roll out process that happens more slowly than the main roll out. This allows us to quickly revert a change if we discover a bug that wasn't uncovered in prior testing.
Once we received reports of the problem, we were able to revert it immediately. We sincerely apologize for the disruption this cause'
While Google state the optimization was activated for Chrome 78, other users on previous versions also have report the same problem.
There are two settings for 'occlusion'.
- 'Calculate window occlusion on Windows': 'throttle and potentially unload foreground tabs in occluded windows'. This causing the chrome tabs to hang/freeze and go white. Google has admitted window or tab can be incorrectly detected as covered by a window (occlusion), causing this to happen.
- 'Enable occlusion of web contents': web contents will behave as hidden when it is occluded by other windows.
Google has now disabled the Optimisation, however if this still a problem the Workaround is:
For large networks you can try running the command line: --disable-backgrounding-occluded-windows
You add this command to your target for the shortcut.
Otherwise you will need to manually change the chrome setting:
1. Type 'chrome://flags' into the URL bar
2. Search for 'occlusion'
Google Chrome Microsoft 365
3. Set 'Calculate window occlusion on Windows' to 'Disabled'
4. Set 'Enable occlusion of web contents' to 'Disabled'
5. Restart the browser
