SAP Knowledge Base Article - Public

3587410 - Information Guide on Resolving Issues with NAA Authentication in O365

Symptom

When you open the server-side add-in, you see the error "Failed to load Identity token" with a blank screen, or a pop-up error from Microsoft: "Something went wrong. [7q6ck]". This guide collects the details needed to resolve these and other issues experienced with NAA (Nested App Authentication).

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP Cloud for Customer

Reproducing the Issue

  1. Open your server-side add-in in Outlook desktop or Outlook on the web
  2. The add-in loads blank with one of two errors: "Failed to load Identity token", or a pop-up error from Microsoft: "Something went wrong. [7q6ck]"

Cause

On 17/Feb/25 Microsoft began deprecating legacy Exchange Online tokens and enforcing the switch to Nested App Authentication (NAA) for Outlook add-ins. This deprecation causes these errors in the server-side integration add-in.

Details on this deprecation can be found in the following Microsoft article:

https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#turn-on-legacy-exchange-online-tokens

Resolution

1. [Optional] Enable Legacy Tokens (temporary workaround) to allow time for migration preparations until June 2025:
https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#turn-on-legacy-exchange-online-tokens
If the client has enabled legacy tokens for their O365 tenant, please inform us so we can update the customer's Groupware
tenant to enforce the use of legacy tokens. If this step is skipped, the Groupware tenant continues using NAA (Nested App
Authentication) by default. In that case, proceed directly to step #2.

2. Update the end user's SAP Add-in installation. (Possible solution for the following errors [GWI-E01, GWI-W01, GWI-W03])
As the vendor, we have updated the SAP Add-in manifest files across all instances to ensure compatibility with NAA authentication.
Since the SAP Add-in is not distributed through the Microsoft Office Store, users are strongly recommended to reinstall the Add-in to
upgrade it and prevent issues caused by outdated manifest files. (Refer to the section on deploying Add-in updates for more details -
Nested app authentication and Outlook legacy tokens deprecation FAQ - Office Add-ins | Microsoft Learn)

Recommended installation options:

  1. Install from the Groupware Admin panel with "Install SAP Add-in". This option is not supported for users in the "Microsoft 365
     OAuth (EWS API) - App-only sign-in" email server connectivity organization type, nor in organizations where installation of
     3rd party add-ins by the end user is not allowed due to security restrictions.
  2. Use the SAP Add-in manifest.xml file (O365 Admin center centralized deployment, or the custom add-in installation option).

3. Grant admin consent for Nested App Authentication for the "SAP Cloud for Customer, server-side integration" Azure
Enterprise Application (this step can be skipped if the customer allows end users to consent to permissions for 3rd party
applications themselves).
Since NAA requires new delegated Graph permissions, our application requests user consent for these permissions. The outcome
depends on the client's configuration. Users may: grant consent themselves; be prompted to provide a justification for why the
permission is needed, which must then be approved by an admin; or receive a message directing them to contact their administrator
to obtain the necessary permissions.

  1. As recommended by Microsoft (see article - Nested app authentication and Outlook legacy tokens deprecation FAQ - Office Add-ins |
     Microsoft Learn), we provide a specific link that a customer admin can open and that includes the permissions NAA needs for
     the Sidebar. {Organization} in the link must be replaced by the customer's Microsoft Entra tenant ID
     (see - How to find your tenant ID - Microsoft Entra | Microsoft Learn).
     While only three permissions are explicitly requested, Microsoft automatically adds the "offline_access" permission
     to the consent prompt.
  2. A successful execution does not display any response. If no errors occur, the admin can close the window. (A list of
     the permissions currently required for NAA, with their purposes, can be found in the section "Application permission overview".)
  3. Alternatively, the admin can grant all permissions required by the application directly from the Entra portal by navigating to the
     SAP application.
     Note that because we are actively working on the Graph implementation, which will be available to clients in 2025, the application
     already includes additional Graph API permissions. This list is not final, and further changes may be introduced in the future.
     (A list of the permissions currently required by the application, with their purposes, can be found in the section "Application permission overview".)
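The admin consent link described in step 3 is a tenant-scoped Microsoft Entra v2.0 admin consent URL. The following Python is an added example, not the link SAP provides: CLIENT_ID, REDIRECT_URI and the three SCOPES are placeholders (the real values come from SAP's link and the "Application permission overview" section), and only the URL shape, the tenant-ID substitution and the redirect parameters are real Entra behaviour. It also shows how to tell a successful consent redirect (admin_consent=True) from a refusal, which the silent "no response" page in step 3.2 does not make obvious.

```python
"""Build and check the tenant-scoped admin consent link from step 3.

Added example, not SAP's link. CLIENT_ID, REDIRECT_URI and SCOPES are
placeholders; the real values come from the link SAP provides and the
"Application permission overview" section of the KBA.
"""
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder app (client) ID, not SAP's
REDIRECT_URI = "https://example.invalid/consent-done"  # placeholder redirect URI
SCOPES = [                                             # placeholder delegated scopes
    "https://graph.microsoft.com/User.Read",
    "https://graph.microsoft.com/Mail.Read",
    "https://graph.microsoft.com/Calendars.Read",
]


def admin_consent_url(tenant_id, client_id=CLIENT_ID, scopes=SCOPES,
                      redirect_uri=REDIRECT_URI, state="sap-naa"):
    """Return the v2.0 admin consent URL for one customer tenant.

    tenant_id is the customer's Microsoft Entra tenant ID (a GUID). The check
    below catches a link in which {Organization} was never replaced.
    offline_access is deliberately not listed: Entra adds it to the prompt itself.
    """
    try:
        uuid.UUID(tenant_id)
    except ValueError as exc:
        raise ValueError(f"tenant_id must be the tenant GUID, got {tenant_id!r}") from exc
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?{urlencode(params)}"


def parse_consent_redirect(redirect_url, expected_state="sap-naa"):
    """Interpret the URL Entra redirects to after the admin acts on the prompt.

    Success carries admin_consent=True plus the tenant and the granted scopes;
    a refusal or misconfiguration carries error and error_description instead.
    The state check rejects a redirect that does not belong to our request.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if "error" in q:
        return {"ok": False, "error": q["error"], "description": q.get("error_description", "")}
    if q.get("state") != expected_state:
        return {"ok": False, "error": "state_mismatch", "description": "unexpected state value"}
    if q.get("admin_consent", "").lower() == "true":
        return {"ok": True, "tenant": q.get("tenant"), "scopes": q.get("scope", "").split()}
    return {"ok": False, "error": "no_consent", "description": "admin_consent flag missing"}


if __name__ == "__main__":
    # Constructed sample tenant ID, not a real customer tenant
    print(admin_consent_url("3f2504e0-4f89-11d3-9a0c-0305e82c3301"))
```

The granted scope list in a successful redirect normally includes offline_access even though the link never asked for it, which is the behaviour step 3.1 describes.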

4. Ensure Outlook client versions meet the requirements. (Possible solution for the following errors [GWI-E01, GWI-W02, GWI-W03])

5. Verify that all user workstations and mobile devices run Outlook client versions that support the NAA requirement set:
https://learn.microsoft.com/en-us/javascript/api/requirement-sets/common/nested-app-auth-requirement-sets

6. Continuous Access Evaluation (CAE) and location-based Conditional Access. (Possible solution for the following errors [GWI-E04])
If the SAP infrastructure IP addresses are not added as a trusted named location and excluded from the relevant Conditional Access policies,
Microsoft Entra detects the new token activity as originating from an untrusted location. As a result, CAE denies access because the IP address
falls outside the allowed range.

  1. Add the required SAP Cloud for Customer infrastructure IP addresses to an IP ranges location and mark it as trusted
     (see section "Additional information: Productive landscape (IP ranges per Scale Units)").
       1. Log in to the Microsoft Azure portal as a Microsoft 365 administrator
       2. Search for and select Microsoft Entra Conditional Access
       3. Go to Manage > Named locations, then click + IP ranges location
       4. In the Name field, enter a descriptive name for the IP range
       5. Add the corresponding Revenue Grid IPs for your scale unit from "Allowlist the IP addresses and other related resources -
          SAP Cloud for Customer Server-Side Integration (SSI)":
            - Click the Plus icon
            - In the "Enter a new IPv4 or IPv6 range" field, paste the SAP IP range
            - Click Add
            - Repeat for each IP range
            - Check "Mark as trusted location"
            - Click Create
       6. The new location will appear in the Named locations list.
                 
  2. Update all relevant Conditional Access policies to exclude "All trusted networks and locations". (Additional information:
     Network in Conditional Access policy - Microsoft Entra ID;
     Continuous access evaluation in Microsoft Entra - Microsoft Entra ID)
       1. Log in to the Microsoft Azure portal as a Microsoft 365 administrator
       2. Search for and select Microsoft Entra Conditional Access
       3. Go to Policies
       4. For each policy applied to users of Revenue Grid solutions:
            i. Open the policy
            ii. Click the link in the Network section
            iii. In the form that appears, click Exclude and select "All trusted networks and locations"
            iv. At the bottom of the page, click Save
       5. After completing these steps, users can access the Revenue Grid Sidebar without being blocked by Continuous Access Evaluation (CAE) policies.
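The two portal procedures in step 6 map onto two Microsoft Graph calls: creating an ipNamedLocation with isTrusted set, and patching each policy's location condition so that AllTrusted (Graph's identifier for "All trusted networks and locations") is excluded. The following Python is an added example, not SAP's tooling: it builds those request bodies, validates the pasted ranges before they reach Entra, and audits an exported policy list for policies that would still evaluate sign-ins from the SAP IPs. The IP ranges and policy objects are constructed samples (TEST-NET addresses, not the real scale-unit ranges from the allowlist document); the Graph endpoints named in the docstring and the Policy.ReadWrite.ConditionalAccess permission they need are assumptions about the caller's environment.

```python
"""Graph request bodies and a policy audit for step 6 (added example, not SAP's tooling).

Assumed Microsoft Graph v1.0 endpoints the bodies are meant for:
  POST  /identity/conditionalAccess/namedLocations      body from named_location_body()
  PATCH /identity/conditionalAccess/policies/{id}       body from exclusion_patch()
The ranges and policies below are constructed samples, not SAP's real IPs.
"""
import ipaddress

ALL_TRUSTED = "AllTrusted"   # Graph's id for "All trusted networks and locations"


def named_location_body(display_name, ip_ranges):
    """Body for an ipNamedLocation that is marked trusted.

    Each entry is validated and normalised to CIDR (a bare host becomes /32
    or /128), so a typo in a pasted range fails here rather than in Entra.
    """
    ranges = []
    for raw in ip_ranges:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def exclusion_patch(policy, location_ids=(ALL_TRUSTED,)):
    """PATCH body that excludes location_ids from the policy's network condition.

    The default mirrors the KBA (exclude all trusted locations). Passing only the
    id of the new SAP named location is the narrower alternative: other trusted
    locations keep being evaluated. The whole conditions object is sent back so
    the PATCH does not drop conditions the policy already had.
    """
    conditions = dict(policy.get("conditions") or {})
    locations = dict(conditions.get("locations") or {})
    include = locations.get("includeLocations") or ["All"]
    exclude = sorted(set(locations.get("excludeLocations") or []) | set(location_ids))
    conditions["locations"] = {"includeLocations": include, "excludeLocations": exclude}
    return {"conditions": conditions}


def policies_still_evaluating(policies, sap_location_id=None):
    """Names of enforced policies that exclude neither all trusted locations nor
    the SAP named location, i.e. the ones step 6.2 still has to be applied to."""
    wanted = {ALL_TRUSTED} | ({sap_location_id} if sap_location_id else set())
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies do not block sign-ins
        loc = (p.get("conditions") or {}).get("locations") or {}
        if wanted & set(loc.get("excludeLocations") or []):
            continue
        hits.append(p["displayName"])
    return hits


# Constructed sample input: TEST-NET ranges and three policies shaped like Graph output
SAMPLE_RANGES = ["203.0.113.10", "198.51.100.0/24"]
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "locations": None}},
    {"id": "p2", "displayName": "Block outside corp", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}},
    {"id": "p3", "displayName": "Report-only test", "state": "enabledForReportingButNotEnforced",
     "conditions": {"locations": {"includeLocations": ["All"]}}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(named_location_body("SAP C4C SSI", SAMPLE_RANGES), indent=2))
    print("policies still to update:", policies_still_evaluating(SAMPLE_POLICIES))
    print(json.dumps(exclusion_patch(SAMPLE_POLICIES[0]), indent=2))
```

Excluding all trusted locations, as the KBA instructs, also exempts every other trusted named location from those policies; where that is wider than the organisation wants, pass the id Graph returns for the new SAP named location to exclusion_patch and policies_still_evaluating instead.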

7. Once the above steps are completed, raise a support incident with SAP to request activation of Nested App Authentication (NAA) for the relevant CRM instance,
including the CRM URL. Enabling NAA must be done on our end and can only be carried out by the Groupware SSI team.

This step is necessary only if the customer re-enabled Exchange legacy tokens in their O365 environment and the Groupware tenant was explicitly configured to use legacy
authentication in step #1. If step #1 was skipped, no changes are needed: the Groupware tenant continues using NAA by default.

What Users Will See and Experience in the UI:

Once Microsoft has enforced NAA for the client and the customer's organization has fully met the requirements, end users opening the SAP Add-in
will encounter one of the following scenarios:

If the organization allows user consent for permissions without admin involvement:

  • Users must accept the new permissions when prompted in order to continue using the SAP Add-in.

If the organization does not allow user consent for permissions:

  • Users must contact their O365 administrator for assistance.
  • Only an admin can grant the necessary permissions.
  • Admin consent prevents the consent prompt from appearing for each user on their first use of the
    Add-in with NAA enabled.

Unexpected behavior occurs if the requirements and operations above were not completed.

Error Messages and Possible Causes:

  1. "Unable to load the identity token. Please restart Microsoft Outlook."
     Possible reasons:
        a. [Error code: GWI-E02] The user closed the permission consent popup without taking action.
           Solution: Do not close the consent window. Approve the permission consent request from the dialog.
        b. [Error code: GWI-E03] The new authentication method (NAA) is turned off in the Groupware tenant, and legacy authentication is disabled in the customer's O365. The SAP add-in can't authenticate.
           Solution: Follow steps #2 - #7 or apply the temporary workaround in step #1.
  2. "Server-side synchronization was unable to authorize your account"
     Possible reasons:
        a. [Error code: GWI-E04] Product-related IPs were not added to the trusted locations for Conditional Access policies.
           Solution: Follow the guidance in step #6.
  3. "Something went wrong" - Generic Error
     Possible reasons:
        a. [Error code: GWI-E03] NAA is not enabled for the specific tenant on the Groupware Integration side.
           Solution: Follow step #7 to request NAA enablement for the customer's Groupware tenant.

Understanding Warning and Error Messages Related to Authentication in the Add-In:

Error messages: These occur when the add-in is non-functional because the client's infrastructure does not meet the technical requirements of the new authentication model, NAA:

GWI-E01 - The add-in is not functional. The attempt to use the new authentication method (NAA) failed, and the system could not show the fallback dialog credential prompt either. Legacy authentication is also disabled in O365, so the SAP add-in could not load.

GWI-E02 - The add-in is not functional. The user closed the login/consent screen manually, and because legacy authentication is also disabled, the add-in can't load.

GWI-E03 - The add-in is not functional. The new authentication method (NAA) is turned off in the Groupware tenant, and legacy authentication is also disabled in the customer's O365. The SAP add-in can't authenticate.

GWI-E04 - The add-in is not functional. The customer configured location-based Conditional Access policies without excluding the SAP infrastructure IPs.

Warning messages: Appear when the add-in is still functional but uses the legacy authentication method, which will only be supported until June 2025.

GWI-W01 - The SAP Add-in is functional. Indicates that the SAP add-in is using an outdated setup (legacy SAP Add-in manifest) with a hardcoded tenant URL, which is compatible only with legacy authentication.

GWI-W02 - The SAP Add-in is functional. The Outlook mail client doesn't support the new authentication method (NAA).

GWI-W03 - There was a problem using the new authentication method (even with fallback), but since legacy authentication is still enabled in the customer's O365, the add-in can continue working until June 2025.

GWI-W04 - The new authentication method (NAA) is turned off in the Groupware tenant settings, but legacy authentication is still active in O365, so the SAP add-in continues to function using legacy authentication.

Keywords

Server side integration, blank addin, Microsoft, 7q6ck, legacy tokens, deprecation, Outlook, OWA, Outlook Web , KBA , LOD-CRM-GW-SCC , Invisible CRM - Smart Cloud Connect Solution , How To

Product

SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions

Attachments

Pasted image.png