multi-account-containers icon indicating copy to clipboard operation
multi-account-containers copied to clipboard
verified publisher icon mozilla

Containers no longer work with Microsoft Teams and Schools

Open paulmartinidea opened this issue 2 years ago • 10 comments

Before submitting a bug report

  • [X] I updated to the latest version of Multi-Account Container and tested if I can reproduce the issue
  • [X] I searched for existing reports to see if it hasn't already been reported

Step to reproduce

Open new containers attempt to login to site ( in this case AWS Managment Console which is using SSO and Endpoint protection) A bad request 400 is received once the login process completes

Actual behavior

An error message is presented when attempting to login

Expected behavior

Login is successful.

Additional informations

This only started happening since upgrading Firefox to version v113, downgrading to v112 allows this to work as expected.

The main difference we can see from our sign in logs is that in version 113 the "Device ID" and "Join Type" is not present on the Azure side.

Provide a copy of Troubleshooting Information page (optional)

No response

paulmartinidea avatar May 16 '23 07:05 paulmartinidea

We are experimenting the same issue. Container tabs no longer send the Device info/state (Device Type, Compliancy state, etc). Without this info, we cannot login as AAD conditionnal access requires us to be working from Hybrid joined device.

matboulard avatar May 16 '23 13:05 matboulard

We also have the same issue.

RajasGujarathi avatar May 23 '23 12:05 RajasGujarathi

Could the issue be firefox itself along with Containers? I would suggest filing a report on BugZilla as well because the issue may be Firefox itself.

TheNightRider12 avatar May 23 '23 23:05 TheNightRider12

Logging on Firefox without containers works on version 113 just not when using the container

paulmartinidea avatar May 24 '23 06:05 paulmartinidea

I've reported this defect in Bugzilla

Chouffy avatar May 31 '23 09:05 Chouffy

Hi all,

The bugzilla defect was closed, as it is an intented behavior from this defect. There's a solution however (from the later defect):

  1. Get the container ID - this is available in containers.json in your Firefox profile directory, in a key called userContextId (47001 for example)
  2. In about:config, create a boolean key network.http.windows-sso.container-enabled.CONTAINERID, where CONTAINERID is from step 1. Set this key to true
  3. Enjoy Windows SSO working in the given container!

It would be great to put in the [FAQ], but I don't have the edit rights. In the meantime, this bug can be closed

Chouffy avatar Jun 01 '23 08:06 Chouffy

@Chouffy Great work!

It would be great to put in the [FAQ], but I don't have the edit rights.

@dannycolin Could you help to enhance documentation?

achernyakevich-sc avatar Jun 01 '23 09:06 achernyakevich-sc

Done. I'll keep this bug open for now so we can redirect any duplicate to this one.

dannycolin avatar Jun 01 '23 16:06 dannycolin

The "solution" is a just a work-around and ignores the actual problem noted in the OP that Device ID is not passed in the token by the container tabs. Having tried it, it also does not work for Azure tenants. Whilst I now get multiple accounts (that I do not want) to choose from when signing into a tenant, the device ID is still not passed and my login fails Conditional Access Policies that require a Trusted Device. To get through CAP, I need the device ID to be sent and I don't want to enable SSO just to do that. Non-container tabs work fine and account isolation works fine in general between containers, but lack of device ID breaks the usefulness of the containers. I really don't want to have to go back to using Edge!

MrMellie avatar Sep 05 '24 11:09 MrMellie

I was not able to confirm that the proposed workaround has any effect in Firefox on Linux. I'm using Firefox on Ubuntu Desktop 24.10 (Wayland). If I open MS Teams outside of a container, everything seems to work just fine. If I do it inside of a container, however, I'm getting errors. In particular, the "Files" section of a Team doesn't show anything.

Image

Looking at the browser console, I'm seeing the following errors. It seems like Teams is trying to get a file list

POST | https://MYSITE.sharepoint.com/sites/MYSITE/_api/web/GetListUsingPath(DecodedUrl=@a1)/RenderListDataAsStream?@a1='/sites/MYSITE/Freigegebene Dokumente/MYFOLDER'&RootFolder=/sites/MYSITE/Freigegebene Dokumente/MYFOLDER&TryNewExperienceSingle=TRUE

This request fails with the following error.

{"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Attempted to perform an unauthorized operation."}}}

Potentially unrelated, I'm also seeing this CORS error.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://eu-mobile.events.data.microsoft.com/OneCollector/1.0/?cors=true&content-type=application/x-json-stream&w=0. (Reason: CORS request did not succeed). Status code: (null).

vic-t avatar Feb 07 '25 00:02 vic-t