Based on the detailed technical breakdown you provided, I understand that your custom Teams personal tab (loading a WordPress intranet via Azure AD OAuth 2.0) is failing silently on Teams desktop for macOS during a window.location.href navigation to external domains. The tab goes completely blank even for domains like login.microsoftonline.com which are explicitly defined in your manifest's validDomains. This issue is highly platform-specific, as it works perfectly fine on Teams for Windows, web, and mobile, and works on Mac only when switching to popup-based authentication (microsoftTeams.authentication.authenticate()).
After researching this behavior and comparing the Teams runtime architecture across platforms, here are the answers to your questions based on Microsoft's framework guidelines:
- While there is no official documentation stating that window.location.href redirects to external domains are intentionally blocked only on macOS, this is a known side effect of how the under-the-hood webview runtimes differ between platforms. Teams tabs are rendered inside iframes. Microsoft's documentation strictly emphasizes that login pages should not be rendered directly inside an iframe due to clickjacking protection, strict Content Security Policies (CSP), and X-Frame-Options headers. Many external identity endpoints (including login.microsoftonline.com) explicitly block iframe rendering. On Teams for Mac, the webview environment enforces these container and security boundaries much more rigidly, resulting in a silent white screen crash, whereas the Windows desktop runtime might handle iframe navigation state shifts differently.
- Is there any manifest configuration or permission to allow same-window external navigation on Mac?
No, there is no manifest setting that can force or bypass same-window external navigation inside the tab frame on Mac. The validDomains array acts purely as an allowlist to tell Teams which domains your app is permitted to communicate with or load as an iframe source. It does not grant permission to override iframe restrictions, authentication security headers, or the underlying desktop client's runtime security behavior.
- Teams SSO via getAuthToken() is the absolute best practice and the highly recommended approach to resolve this issue entirely across all platforms. By utilizing Teams SSO with Microsoft Entra ID (Azure AD), your app avoids the iframe redirect issue altogether. Instead of redirecting the user's frame to a login page, the Teams client fetches an access token silently and hands it directly to your tab. To implement this, you must ensure your manifest includes a properly configured webApplicationInfo section and handle the token exchange on your WordPress backend. If your authentication flow cannot use full SSO immediately, you should continue using microsoftTeams.authentication.authenticate(). This opens a safe, separate popup window specifically designed to execute external OAuth flows and handle redirects. Once login is complete, the popup triggers notifySuccess() to pass the token back to your personal tab safely.
I hope this information helps you align your intranet app with Teams' architectural standards.
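The framing rules the answer refers to (X-Frame-Options and the CSP frame-ancestors directive) can be evaluated against the response headers a page returns, which helps confirm why a tab goes blank after an in-frame redirect. The JavaScript below is an added example, not part of the original answer or any Microsoft code; the function names, the simplified source matching, and all sample header values and origins are assumptions constructed for illustration.

```javascript
// Added example: decide whether a response may render inside a frame, from its
// X-Frame-Options and CSP frame-ancestors headers. Simplified: one CSP policy,
// scheme/host sources only (no ports or paths); a source without a scheme is
// treated as matching any scheme. Function names are hypothetical.

function sourceMatches(source, ancestor, selfOrigin) {
  const a = new URL(ancestor);
  if (source === "'self'") return a.origin === new URL(selfOrigin).origin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && a.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  return wildcard ? a.hostname.endsWith("." + h) : a.hostname === h;
}

// headers: object keyed by lower-case header name.
// ancestors: origins of every frame above the response (parent first).
// selfOrigin: origin of the response that is being framed.
function framingVerdict(headers, ancestors, selfOrigin) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    const sources = directive.slice(1);
    if (sources.length === 0 || sources.join(" ") === "'none'") {
      return { allowed: false, reason: "frame-ancestors 'none'" };
    }
    const bad = ancestors.find(a => !sources.some(s => sourceMatches(s, a, selfOrigin)));
    return bad
      ? { allowed: false, reason: `frame-ancestors does not list ${bad}` }
      : { allowed: true, reason: "all ancestors match frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    const same = ancestors.every(a => new URL(a).origin === new URL(selfOrigin).origin);
    return { allowed: same, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}
```

To use it, pass the headers captured from the page the tab navigates to (for example from browser developer tools) together with the origin of the embedding client.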