Teams desktop app on macOS blocks external navigation from personal tab iframe (works fine on Windows/browser/mobile)

Kumar Gaurav 0 Reputation points
2026-06-30T08:57:05.0866667+00:00

We have a custom Teams app with a personal tab that loads our company intranet (WordPress-based) via OAuth 2.0 login with Azure AD.

Issue:

On Teams desktop for macOS, any window.location.href navigation to an external domain from within the personal tab fails silently — the tab goes completely blank with no error shown. This happens even for domains listed in the manifest's validDomains.

Confirmed testing:

  • Navigation to our own app domain (already in validDomains) — works fine
  • Navigation to login.microsoftonline.com (Microsoft's own domain, also added to validDomains) — blank screen
  • Navigation to google.com (control test) — also blank screen
  • Same code on Teams desktop for Windows — works correctly with window.location.href
  • Same code on Teams web (browser) and Teams mobile — works correctly
  • Using microsoftTeams.authentication.authenticate() (popup-based) instead of window.location.href — works correctly on Mac

Teams version tested: 26134.1702.4747.7366

Manifest version: 1.17

Questions:

  1. Is this a known/expected restriction specific to Teams desktop on macOS?
  2. Is there any manifest configuration or permission that allows same-window external navigation on Mac, similar to how validDomains works on Windows?
  3. Is microsoftTeams.authentication.getAuthToken() (Teams SSO) the recommended approach to avoid this issue entirely across all platforms, instead of using redirect or popup-based OAuth flows?

Any guidance on the expected behavior here, or documentation specific to this Mac limitation, would be appreciated.

Microsoft Teams | Development

1 answer

  1. Michelle-N 18,855 Reputation points Microsoft External Staff Moderator
    2026-06-30T10:36:34.29+00:00

    Hi @Kumar Gaurav

    Based on the detailed technical breakdown you provided, I understand that your custom Teams personal tab (loading a WordPress intranet via Azure AD OAuth 2.0) is failing silently on Teams desktop for macOS during a window.location.href navigation to external domains. The tab goes completely blank even for domains like login.microsoftonline.com which are explicitly defined in your manifest's validDomains. This issue is highly platform-specific, as it works perfectly fine on Teams for Windows, web, and mobile, and works on Mac only when switching to popup-based authentication (microsoftTeams.authentication.authenticate()).

    After researching this behavior and comparing the Teams runtime architecture across platforms, here are the answers to your questions based on Microsoft's framework guidelines:

    - While there is no official documentation stating that window.location.href redirects to external domains are intentionally blocked only on macOS, this is a known side effect of how the under-the-hood webview runtimes differ between platforms. Teams tabs are rendered inside iframes. Microsoft's documentation strictly emphasizes that login pages should not be rendered directly inside an iframe due to clickjacking protection, strict Content Security Policies (CSP), and X-Frame-Options headers. Many external identity endpoints (including login.microsoftonline.com) explicitly block iframe rendering. On Teams for Mac, the webview environment enforces these container and security boundaries much more rigidly, resulting in a silent white screen crash, whereas the Windows desktop runtime might handle iframe navigation state shifts differently.

    - Is there any manifest configuration or permission to allow same-window external navigation on Mac?

    No, there is no manifest setting that can force or bypass same-window external navigation inside the tab frame on Mac. The validDomains array acts purely as an allowlist to tell Teams which domains your app is permitted to communicate with or load as an iframe source. It does not grant permission to override iframe restrictions, authentication security headers, or the underlying desktop client's runtime security behavior.

    - Teams SSO via getAuthToken() is the absolute best practice and the highly recommended approach to resolve this issue entirely across all platforms. By utilizing Teams SSO with Microsoft Entra ID (Azure AD), your app avoids the iframe redirect issue altogether. Instead of redirecting the user's frame to a login page, the Teams client fetches an access token silently and hands it directly to your tab. To implement this, you must ensure your manifest includes a properly configured webApplicationInfo section and handle the token exchange on your WordPress backend. If your authentication flow cannot use full SSO immediately, you should continue using microsoftTeams.authentication.authenticate(). This opens a safe, separate popup window specifically designed to execute external OAuth flows and handle redirects. Once login is complete, the popup triggers notifySuccess() to pass the token back to your personal tab safely.

    I hope this information helps you align your intranet app with Teams' architectural standards.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
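
The sign-in order recommended in the answer above, as an added example that is not code from the thread or from Microsoft: try Teams SSO first, fall back to the authentication popup, and never navigate the tab's own frame to the identity provider. It assumes the TeamsJS v2 namespace is passed in as `teams`, that the popup page hands the token to notifySuccess(), and that `/teams-auth/start` and `/teams-auth/session` are hypothetical endpoints on the tab's own origin.

```javascript
// Added example. `teams` is the TeamsJS v2 namespace (window.microsoftTeams in a
// real tab); it is injected so the flow can be run against a stub outside Teams.
// Both paths below are hypothetical endpoints on the tab's own origin.
const AUTH_START_PATH = "/teams-auth/start";
const SESSION_PATH = "/teams-auth/session";

// Build a URL on the tab's own origin and refuse anything that resolves elsewhere,
// so the popup always starts on a page the app controls.
function sameOriginUrl(origin, path) {
  const url = new URL(path, origin);
  if (url.origin !== new URL(origin).origin) {
    throw new Error("refusing cross-origin URL: " + url.href);
  }
  return url.href;
}

// Default transport: hand the token to the backend, which must validate its
// signature, audience, issuer and expiry before creating a session.
async function postToken(url, token) {
  const res = await fetch(url, {
    method: "POST",
    headers: { Authorization: "Bearer " + token },
    credentials: "include",
  });
  if (!res.ok) throw new Error("session exchange failed: " + res.status);
  return res.json();
}

// SSO first, popup second. The tab's own frame is never navigated to the
// identity provider, which is the step that blanks the tab on macOS.
async function signIn(teams, origin, send = postToken) {
  await teams.app.initialize();
  let token;
  let method = "sso";
  try {
    token = await teams.authentication.getAuthToken();
  } catch (ssoError) {
    method = "popup";
    token = await teams.authentication.authenticate({
      url: sameOriginUrl(origin, AUTH_START_PATH),
      width: 600,
      height: 535,
    });
  }
  const session = await send(sameOriginUrl(origin, SESSION_PATH), token);
  return { method, session };
}
```

In the tab, call `signIn(microsoftTeams, window.location.origin)`; the token is only a credential to present to the backend and should not be trusted for authorization decisions in the browser.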
