When you set Microsoft Edge tracking prevention to Strict, you may find that you cannot sign in to Microsoft 365 apps like Outlook, Word, or Teams on Windows 11. The browser blocks cross-site tracking scripts that are required for Microsoft authentication services to work correctly. This article explains why Strict mode breaks the sign-in flow and provides the exact steps to restore access without reducing your overall privacy protection.
Key Takeaways: How to Sign In to Microsoft 365 When Tracking Prevention Is Set to Strict
- Edge Settings > Privacy, search, and services > Tracking prevention > Strict: The Strict level blocks authentication cookies from Microsoft login domains, causing sign-in failures.
- Edge Settings > Privacy, search, and services > Tracking prevention > Balanced: Switching to Balanced allows Microsoft authentication scripts to run while still blocking most third-party trackers.
- Edge Settings > Cookies and site permissions > Manage and delete cookies and site data > Allow sites to save and read cookie data: Enabling this setting ensures that login session cookies are stored correctly for Microsoft 365.
Why Microsoft Edge Tracking Prevention Strict Blocks Microsoft 365 Sign-In
Microsoft Edge includes three levels of tracking prevention: Basic, Balanced, and Strict. The Strict level blocks the largest number of trackers, including cross-site tracking scripts that are essential for federated authentication. When you attempt to sign in to Microsoft 365, the Edge browser prevents the login.microsoftonline.com domain from setting session cookies or running JavaScript that validates your credentials. This results in repeated redirects, blank sign-in pages, or error messages such as “Something went wrong” or “Can’t reach this page.”
The root cause is that Strict mode treats Microsoft authentication endpoints as potential trackers because they use cross-site redirects during the sign-in process. Microsoft 365 relies on OAuth 2.0 and OpenID Connect protocols, which redirect you between multiple domains like login.microsoftonline.com, account.microsoft.com, and the specific app domain (outlook.office.com, teams.microsoft.com). Strict mode blocks these redirects and prevents the browser from storing the authentication state.
What Tracking Prevention Strict Actually Blocks
Strict mode blocks known trackers from loading on any site. It also prevents the browser from storing third-party cookies. Microsoft authentication uses third-party cookies during the sign-in flow, even though they are not tracking cookies. Because Edge cannot distinguish between a tracker cookie and an authentication cookie, it blocks both. This is a deliberate design choice to maximize privacy, but it breaks many legitimate web services, not just Microsoft 365.
Steps to Fix Microsoft 365 Sign-In by Adjusting Tracking Prevention
- Open Microsoft Edge settings
Click the three-dot menu in the upper-right corner of the Edge browser window. Select Settings from the dropdown menu. - Navigate to Privacy, search, and services
In the left sidebar, click Privacy, search, and services. This section contains all tracking prevention controls. - Change tracking prevention level to Balanced
In the Tracking prevention section at the top of the page, select Balanced. Balanced blocks known trackers from third-party sites you have not visited but allows authentication scripts from Microsoft domains to run. This change takes effect immediately. - Allow cookies for Microsoft 365 domains
Still under Privacy, search, and services, scroll to the Cookies and site permissions section. Click Manage and delete cookies and site data. Ensure the toggle for Allow sites to save and read cookie data (recommended) is turned on. If it is off, turn it on. - Clear existing site data for Microsoft domains
In the same Cookies and site data page, click See all cookies and site data. In the search box, type microsoft. Click the trash icon next to each entry for microsoft.com, live.com, office.com, and login.microsoftonline.com. This removes any corrupted or blocked cookies that may still cause sign-in issues. - Restart Edge and test sign-in
Close all Edge windows and reopen the browser. Navigate to any Microsoft 365 app like outlook.office.com or office.com. Sign in with your work or school account. The sign-in page should load fully and allow you to complete authentication.
Alternative Method: Add Microsoft 365 Domains as Exceptions in Strict Mode
If you prefer to keep Strict tracking prevention for most sites, you can add Microsoft authentication domains as exceptions. This method allows you to maintain Strict mode for general browsing while permitting Microsoft sign-in scripts to run.
- Open Edge settings and go to Privacy, search, and services
Click the three-dot menu and select Settings. In the left sidebar, click Privacy, search, and services. - Add Microsoft domains to the Allowed list
Scroll down to the Tracking prevention section and click Exceptions. In the text box, type login.microsoftonline.com and click Add. Repeat for account.microsoft.com, outlook.office.com, teams.microsoft.com, and office.com. - Close settings and test sign-in
Close the Settings tab. Navigate to a Microsoft 365 app and sign in. The exceptions allow authentication scripts to load even while Strict mode is active for all other sites.
Other Issues That Cause Microsoft 365 Sign-In Failures on Windows 11
Sign-In Page Shows Blank White Screen with No Content
A blank sign-in page often occurs when Edge blocks JavaScript from running on the login domain. This can happen even on Balanced mode if an extension like an ad blocker or script blocker interferes. Disable all extensions temporarily by going to Edge Settings > Extensions and toggling each one off. If the sign-in page loads, re-enable extensions one at a time to find the culprit.
Error AADSTS50011: The Reply URL Does Not Match
This error appears when the browser redirects to a different URL than the one registered for the Microsoft 365 app. It is common when you use a bookmark that points to an old sign-in page or when a proxy or VPN changes the request URL. Clear your browser cache and cookies for all Microsoft domains, then navigate directly to the app URL manually instead of using a bookmark.
Account Picker Loops Without Completing Sign-In
If the account picker keeps reappearing after you select an account, the browser is not storing the session cookie. This is a direct symptom of tracking prevention blocking third-party cookies. Follow the steps above to set tracking prevention to Balanced or add exceptions. Also ensure that third-party cookies are not blocked globally in Edge Settings > Cookies and site permissions > Block third-party cookies. This setting should be off for Microsoft 365 sign-in to work.
| Item | Balanced Tracking Prevention | Strict Tracking Prevention |
|---|---|---|
| Blocks known trackers | Yes | Yes |
| Blocks unknown trackers | No | Yes |
| Allows Microsoft authentication scripts | Yes | No |
| Allows third-party cookies for sign-in | Yes | No |
| Recommended for Microsoft 365 users | Yes | No |
After adjusting your tracking prevention settings, you should be able to sign in to Microsoft 365 without errors. If you chose the Balanced level, your privacy remains well protected because Balanced still blocks most third-party trackers. As an advanced step, open Edge Settings > Privacy, search, and services and enable Send Do Not Track requests to further reduce tracking without breaking authentication.