
Outlook / Office Add-in fails with error: AADSTS900561: The endpoint only accepts POST requests. Received a GET == SOLVED



We currently have an Office 365 Outlook add-in deployed in our environment that authenticates against Azure Active Directory. In testing a Windows 10 (1909) upgrade with Office (1908) client installed, we encountered this error that rendered our add-in useless.

AADSTS900561: The endpoint only accepts POST requests. Received a GET request.




Issue:

Outlook add-in on (specifically) Windows 10 version 1909 with Outlook Office version 1908 cannot successfully load an add-in that uses SSO to authenticate against AAD. Authentication fails.

Symptoms:

During the authentication process within the Outlook Add-in pane, Outlook pops out of the client to a new Edge browser window directed to autologon.microsoftazuread-sso.com and displays the following error: AADSTS900561: The endpoint only accepts POST requests. Received a GET request.


Solution

  • Resolution:

    To correct the problem, the following AppDomain needs to be added to the add-in’s manifest file and reloaded within the Outlook client:

    <AppDomain>https://autologon.microsoftazuread-sso.com</AppDomain>
    

    Notes:

    • The authentication provider changed when the Outlook client’s add-in rendering engine moved from IE to Edge.

    • We specifically tested the Outlook 1908 client running on Windows 10 1909 only. I suspect it affects the Outlook Client on Windows 10 where the following condition is met: Windows 10 ver. >= 1903 & Office 365 ver >= 16.0.11629 (Reference). This page also discusses potential Edge issues, but not this one specifically.

    • I assume this would impact all add-ins for Office like Excel, Word, etc. but have not tested this.

    • The add-in running within a web browser, Outlook mobile client for iOS and Android, and Outlook client for Mac are currently not affected as they do not get redirected to autologon.microsoftazuread-sso.com.

    • Fiddler traces of a working Windows 10 and Outlook client versus the upgraded one, coupled with this article, clued us into the solution.

    • For add-ins using AAD credentials to authenticate in browsers, Outlook client (Mac & PC) and Outlook mobile client, these must be in the add-in’s manifest file:

      <AppDomain>https://login.microsoftonline.com</AppDomain> (Browsers)

      <AppDomain>https://device.login.microsoftonline.com</AppDomain> (Mobile Outlook)

      <AppDomain>https://autologon.microsoftazuread-sso.com</AppDomain> (Outlook on Windows 10 with Edge rendering engine)

    • Be sure to increment the <version/> number in the add-in's manifest file so that centrally managed and store-based add-ins will receive the updated manifest.
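
A pre-deployment check for the three AppDomain entries listed in the answer above, as an added example that is not part of the original post. The sample manifest is constructed and trimmed to the elements the check reads, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts from the answer above, with the client each entry serves.
REQUIRED = {
    "login.microsoftonline.com": "browsers",
    "device.login.microsoftonline.com": "mobile Outlook",
    "autologon.microsoftazuread-sso.com":
        "Outlook on Windows 10 with Edge rendering engine",
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def app_domains(manifest_xml):
    """Return the set of https hosts listed in <AppDomain> elements."""
    hosts = set()
    for el in ET.fromstring(manifest_xml).iter():
        if local_name(el.tag) != "AppDomain" or not el.text:
            continue
        url = urlsplit(el.text.strip())
        # Only https entries count, matching the entries in the answer.
        if url.scheme.lower() == "https" and url.hostname:
            hosts.add(url.hostname)  # urlsplit lower-cases the host
    return hosts

def missing_app_domains(manifest_xml):
    """Map each required host absent from the manifest to its client."""
    present = app_domains(manifest_xml)
    return {h: c for h, c in REQUIRED.items() if h not in present}

# Constructed sample: the autologon entry is missing, as in the failing case.
SAMPLE = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Version>1.0.0.0</Version>
  <AppDomains>
    <AppDomain>https://login.microsoftonline.com</AppDomain>
    <AppDomain>https://device.login.microsoftonline.com/</AppDomain>
  </AppDomains>
</OfficeApp>"""

if __name__ == "__main__":
    for host, client in missing_app_domains(SAMPLE).items():
        print(f"missing <AppDomain>https://{host}</AppDomain> ({client})")
```
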