O365 Internet Explorer Protected Mode and security zones

One of the important settings often disregarded that can cause a lot of confusion as to whether the product behaves as expected or not:

Internet Explorer Protected Mode and security zones when working in Office 365.


You log-in to your Sharepoint site and notice that some of the resources are not properly working (for example the picture in the upper corner, or the ribbon does not show all the apps).

Why does this happen?

As you are aware, the pages are a collection of resources spread across workloads (Outlook, Sharepoint, Portals, etc.).In order to be able to access these resources the client will need to authenticate across the various domains (sharepoint.com, outlook.com, etc.). As described here , the O365 authentication will use session cookies and they, as the name suggests, are session based.

This brings us to the following point: Starting with Windows Vista , Internet Explorer has a new security zone protection feature, called protected mode, and that is set up by default for Internet, Intranet and Restricted Security zones.

Understanding and Working in Protected Mode Internet Explorer

The effect of the protected mode is that the sites in these zones will not have access to the folders available to other application (i.e. data available in other zones). This means the cookies available for one session for a site in a Protected mode zone will not be accessible to a site that resides in a separate zone (and the other way around), which will trigger behind the scene repeated authentication attempts.

As an example, consider adding your tenant.sharepoint.com  to the Trusted Sites security zone.

You log in to sharepoint and monitor the traffic using the developer tools Network tab.

You notice a  series of authentication attempts to login.microsoftonline.com and occasionally HTTP 403 responses. The resources tried are usually outlook.com office365.com, etc.

The reason for this happening is exactly the Protected Mode in IE.

To solution and recommendation here is to add your Office 365 domains to the same security zone in IE (preferably trusted Sites):

  • *.microsoftonline.com
  • *.sharepoint.com
  • *.outlook.com
  • *.lync.com
  • *.office365.com
  • *.office.com
  • *.microsoftstream.com
  • *.sway.com
  • *.powerapps.com

To answer the question: "Why wouldn't I just leave everything not added to a particular zone and let IE use the default Internet Zone?"

Well yes, you could (and that is actually the recommended way), but history shows that users like to map web folders in Windows Explorer and Windows and Web Client usually prompt you to add the site (usually *.sharepoint.com) to the trusted Sites zones. So, as soon as you add ONE of the resources to another zones, you need to add ALL resources to that zone in order to prevent above described issues.

NOTE: The behaviour described here is particular to Internet Explorer as Security Zones and Protected Mode are only implemented in IE.

If you were wondering sometimes why some of the apps or recent documents under the waffle are not displayed :