[Problem/Bug]: For Microsoft Office 365, login to Google account (with CAA) is successfull on web but fail on desktop app

[jle-pass]

What happened?

Hi,

Our company (as many others) use CAA (Context-Aware-Access) when login to Google accounts.
The browser need an "Endpoint Verification" extension to be installed, it's the case on Microsoft Edge (see capture below).

When we connect to https://www.microsoft365.com, we are redirected to our Google IdP to login and after successfull auth,
we can access to web office dashboard. No problem for web case.

But for desktop case, the Microsoft Office 365 app seems to use an internal Edge webview2 component to login to account.
We see a modal window to login (see below), we are redirected tou our Google IdP, after successfull auth, but we are blocked by CAA because component don't use the "Endpoint Verification" extension.

Q1) How enable the "Endpoint Verification" extension to the webview2 used by Office365 app ?

Q2) As many other apps, why your desktop app don't use the configured system default browser (Edge or Google Chrome) ?

If no solution, we will be forced to migrate Microsoft Office accounts to Google docs.

Greetings.

Importance

Blocking. My app's basic functions are not working due to this issue.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

130.0.2849.46

SDK Version

No response

Framework

Other

Operating System

Windows 11

OS Version

22631.4317

Repro steps

Use an enterprise Google acount
Enable CAA rules (device approved or others)
[for web version] Install "Endpoint Verification" extension on Edge browser
[for desktop app] Install Microsoft Office365 which auto install webview2 component

Repros in Edge Browser

No, issue does not reproduce in the corresponding Edge version

Regression

Don't know

Last working version (if regression)

No response

[champnic]

Hey @jle-pass - This looks to be a bug on the Microsoft Office 365 app (or the auth dialog owner), and not WebView2. WebView2 itself has support for this scenario of adding extensions, but this would need to be done by whatever app is hosting/creating the WebView2 control.

I'm trying to find a contact from the team that owns that app.

[jle-pass]

Hi @champnic

I'm trying to find a contact from the team that owns that app.

Please, have you any news ? a link to follow ?

JL

[champnic]

So far it seems the M365 is using WAM for authentication, which itself isn't using WebView2 (it's using an older WebView). It sounds like that doesn't support this Google Workspace CAA scenario for auth. I'm still waiting to hear back on whether they have work tracking potentially adding support for this, or if there's a workaround. Thanks!

[jle-pass]

Thank you very much in advance for your help.