Browser and network considerations

Even after admin consent and tenant settings are in place, browser and network policies can still produce sign-in popups or "access denied" errors. This page lists the common causes and fixes to share with your IT/desktop team.

Icon Map runs in an iframe

The Icon Map editor runs inside the Fabric shell as a frame served from app.iconmap.ai, and the embedded viewer runs as a frame on your own sites from embed.iconmap.ai. Two consequences:

  • Third-party cookies / tracking prevention. Strict third-party-cookie blocking or tracking prevention can break the sign-in broker. Allow cookies for the Icon Map and Microsoft domains (below).
  • Popup blockers. The sign-in flow may open a popup. Allow popups for *.fabric.microsoft.com and the Icon Map domains so authentication can complete.

Sites to allow

Where your organization maintains a trusted-sites or cookie allow-list, include:

  • *.fabric.microsoft.com and app.powerbi.com
  • login.microsoftonline.com
  • app.iconmap.ai
  • api.iconmap.ai
  • embed.iconmap.ai (only where you embed published maps)

Conditional Access

Conditional Access policies (multi-factor auth, compliant-device or managed-device requirements, sign-in frequency) apply to the resources Icon Map calls — OneLake/Azure Storage, Azure Data Explorer, and the Power BI service. In locked-down tenants these can surface as extra prompts or access-denied errors. If users hit unexpected prompts, review CA policies that target those resources.

Per-source sign-ins are separate

Some layers connect to external services that have their own authentication, unrelated to your Fabric/Entra setup:

  • WMS services with OAuth or key-based auth.
  • ArcGIS sign-in for importing feature layers.

These prompts are expected — they authenticate you to the third-party service, and the credentials are stored securely with the map item rather than in the layer configuration.

External resources and CORS

Several layers load resources directly from a URL — a WMS or WMTS service, XYZ / PMTiles raster or vector tiles, an image overlay, a custom 3D-terrain DEM in World Effects, or a live feed. Browsers enforce CORS on these cross-origin requests: if the host doesn't return the right CORS headers, the browser blocks the request and the layer won't load.

To handle this, Icon Map automatically falls back to a server-side fetch proxy (hosted at api.iconmap.ai). It first tries to load the resource directly in the browser; if that's blocked by CORS — or by mixed content, where an http:// resource is requested from the https:// page — it re-fetches the same resource through the proxy, which retrieves it server-side (where CORS doesn't apply) and returns it to the map. Any request that carries a credential (an API key or a stored secret) always goes through the proxy so the secret stays server-side and never reaches the browser.

For administrators this means:

  • No per-host CORS configuration is required — the fallback is automatic and per-resource.
  • Keep api.iconmap.ai in your trusted-sites / allow-list so the proxy is reachable.
  • The proxy only forwards the request; it doesn't retain the resource. Authenticated external services still authenticate as described above.

Next steps