I m facing a weird issue with microsoft safe links. When we send user unlock emails, microsoft changes the urls with its safe links and when a user clicks the unlock link from email microsoft opens the page in background first for security reasons, user being unlocked and token becomes invalid. So it shows unlock token is invalid when the page loads but user is already unlocked.
Is there anyone had the same issue?
Thanks.
Modify your authentication endpoint to handle preview traffic without burning the auth code. The request from safelinks / Exchange Online Protection won't include the same headers as a normal client request; review the your logs from instances where safelinks burned an auth code to get a sense for the kinds of requests you can reject as unauthorized. Ensure your endpoint is not completing the auth flow for HEAD requests (meaning return a 405 if the request's HTTP method is HEAD); if safelinks is also making GET requests, something like validating the UserAgent header before proceeding with the auth flow should probably work. You don't provide any info about your link structure or auth strategy beyond it involving some form of single-use token exchange, but you should also check the IETF RFC to confirm you're properly adhering to whichever protocol you're using.
Additional thoughts:
href attributes. Their URL parsing has historically been pretty primitive and a lot of people get around it by finding something that confuses safelinks' matching strategy (e.g., https://halon.io/blog/fooled-microsofts-safe-link-technology).