ADAL JS and zones in IE and Edge

Active Directory Authentication Library for JavaScript (ADAL JS) is actually a very nice library to take care of your authentication against Azure Active Directory. Unfortunately the library doesn’t work with IE or Edge as soon as the web application that is using the ADAL JS library is in a different security zone than “https://login.microsoftonline.com”. The reason for this is that IE and Edge don’t allow cookie sharing between zones. Since “https://login.microsoftonline.com” should not reside in any security zone this means that your application cannot be in any zone either. Now why is this such a huge problem?

Most of the applications you register in Azure Active Directory will in fact be internal applications. And most of these applications will reside in the “Local intranet” zone or “Trusted sites” zone. And exactly those applications won’t work with the ADAL JS library if the client is using IE or Edge, unless you add “https://login.microsoftonline.com” to that same zone.

Adding “https://login.microsoftonline.com” to a specific zone might solve your issue for one application, but if you have applications in both the “Local intranet” zone and the “Trusted sites” zone, you are out of luck, as a site (including “https://login.microsoftonline.com”) cannot be part of multiple zones.

In each and every other browser you will not encounter any of these issues, as they don’t have this cookie sharing limitation.

I wonder when they will solve this issue, because the advice on the ADAL JS GitHub site to just turn off “protected mode” for the “Internet zone” makes me shiver when I realize that these same people wrote this authentication library.
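The zone mismatch described above can be checked on a client before users run into it. The following PowerShell script is an added example (not code from the post or from the ADAL JS project); it reads the ZoneMap registry keys IE and Edge use for explicit zone assignments and reports whether the application host and login.microsoftonline.com land in the same zone. The application host name is a constructed placeholder.

```powershell
# Added example: report the explicit IE/Edge security zone of two hosts via the
# ZoneMap registry and warn when they differ (cookies are not shared across zones).
$AppHost   = 'intranet.example.local'        # constructed placeholder: your app's host
$LoginHost = 'login.microsoftonline.com'

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ExplicitZone {
    param([string]$HostName, [string]$Scheme = 'https')
    # ZoneMap stores "sub.domain.tld" under Domains\domain.tld\sub, with a value
    # named after the scheme ("https", "http") or "*" holding the zone number.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { return $null }
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
    foreach ($hive in 'HKCU', 'HKLM') {      # HKLM applies when "use only machine settings" is enforced
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
        $paths = @()
        if ($sub) { $paths += "$base\$sub" }  # most specific entry first
        $paths += $base
        foreach ($p in $paths) {
            if (-not (Test-Path $p)) { continue }
            $props = Get-ItemProperty -Path $p
            foreach ($name in $Scheme, '*') {
                $v = $props.PSObject.Properties[$name]
                if ($v) { return [int]$v.Value }
            }
        }
    }
    return $null   # no explicit mapping: Internet zone, unless intranet heuristics (e.g. dotless names) apply
}

function Describe-Zone([string]$HostName) {
    $z = Get-ExplicitZone $HostName
    if ($null -eq $z) { "$HostName -> no explicit ZoneMap entry (defaults to Internet)" }
    else { "$HostName -> zone $z ($($ZoneNames[$z]))" }
}

Describe-Zone $AppHost
Describe-Zone $LoginHost
$appZone = Get-ExplicitZone $AppHost; $loginZone = Get-ExplicitZone $LoginHost
if ($appZone -ne $loginZone) {
    Write-Warning "$AppHost and $LoginHost are in different zones; IE/Edge will not share the login cookies between them."
}
```

Run it under the affected user's account, since zone assignments made through the IE settings dialog live in HKCU and only policy-enforced ones appear under HKLM.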

Reliable Microsoft

Microsoft has released a new future-proof development method with each of the last 3 versions of SharePoint. We’ve seen Sandboxed solutions, CAM applications (or should I say Add-ins?) and now they are about to release the ‘SharePoint Framework’. SharePoint is responsive now and our enterprise collaboration platform will work much better on mobile devices.

Public sites, like WordPress, must be responsive and mobile first nowadays, but collaboration sites for office workers can and should definitely focus on desktop (only?). If you want to add a limited, search driven, mobile view on top, sure, go ahead, but not mobile first. Weird as it may seem, in the enterprises I visit, most employees still use a desktop or laptop for office work. I don’t see a lot of employees with an empty desk, writing Word documents with their thumbs.

The funny part is that in January 2015 Microsoft discontinued the “SharePoint Online Public Website feature” for the following reason: “As part of the evolution of the Office 365 service, we periodically evaluate the capabilities of the service to make sure that we’re delivering the utmost value to customers. After careful consideration, we concluded that for public websites, Office 365 customers would be better served by third-party providers whose core competency is public websites. Therefore, we’ve made the difficult decision to discontinue the SharePoint Online Public Website feature so that we can focus our efforts and investments on delivering capabilities in Office 365 that will bring more value to our customers.”

So they first acknowledge that they have no real understanding of public web sites, and now they change the collaboration UI so it will behave more like public web sites? Okay…

The real problem I – as a consultant – face however, is that they’ve become a completely unreliable partner. The biggest laugh I had is when they suddenly shut down coded Sandboxed solutions a few weeks ago. Yes, they’ve been telling us not to use coded Sandboxed solutions anymore because they are deprecated, but unfortunately the CAM model is still not up to par yet. Sometimes it is simply not possible to update or upgrade your coded Sandboxed solution towards the CAM model. The reason they gave for stopping these coded Sandboxed solutions now is that they are not able to maintain this infrastructure as it does not scale. However…
When several migration tools stopped working, they somehow could make an exception for just those tools. These exceptions are however not available for paying customers. So not only is the infrastructure still in place – even though they said they cannot do that anymore – but we now know who Microsoft values more, and it is apparently not its paying customers.

Now what can I advise my clients? I cannot tell them to use the “Yet Another Dev Method” for their future-proof customizations. We’ve seen that these new development methods are as future-proof as whipped cream. So maybe the only honest advice I can give them is to either change their processes so they fit OOTB SharePoint, or not to use SharePoint at all anymore.

One last thing. I’m going to be bold here and make a prediction on when and what the new future-proof development method for SharePoint web parts will be. In 2019 the new future-proof development method for SharePoint web parts is: Web Components!