Browser and network considerations
Even after admin consent and tenant settings are in place, browser and network policies can still produce sign-in popups or "access denied" errors. This page lists the common causes and fixes to share with your IT/desktop team.
Icon Map runs in an iframe
The Icon Map editor runs inside the Fabric shell as a frame served from app.iconmap.ai, and the embedded viewer runs as a frame on your own sites from embed.iconmap.ai. Two consequences:
- Third-party cookies / tracking prevention. Strict third-party-cookie blocking or tracking prevention can break the sign-in broker. Allow cookies for the Icon Map and Microsoft domains (below).
- Popup blockers. The sign-in flow may open a popup. Allow popups for
*.fabric.microsoft.comand the Icon Map domains so authentication can complete.
Sites to allow
Where your organization maintains a trusted-sites or cookie allow-list, include:
*.fabric.microsoft.comandapp.powerbi.comlogin.microsoftonline.comapp.iconmap.aiapi.iconmap.aiembed.iconmap.ai(only where you embed published maps)
Conditional Access
Conditional Access policies (multi-factor auth, compliant-device or managed-device requirements, sign-in frequency) apply to the resources Icon Map calls — OneLake/Azure Storage, Azure Data Explorer, and the Power BI service. In locked-down tenants these can surface as extra prompts or access-denied errors. If users hit unexpected prompts, review CA policies that target those resources.
Per-source sign-ins are separate
Some layers connect to external services that have their own authentication, unrelated to your Fabric/Entra setup:
- WMS services with OAuth or key-based auth.
- ArcGIS sign-in for importing feature layers.
These prompts are expected — they authenticate you to the third-party service, and the credentials are stored securely with the map item rather than in the layer configuration.
External resources and CORS
Several layers load resources directly from a URL — a WMS or WMTS service, XYZ / PMTiles raster or vector tiles, an image overlay, a custom 3D-terrain DEM in World Effects, or a live feed. Browsers enforce CORS on these cross-origin requests: if the host doesn't return the right CORS headers, the browser blocks the request and the layer won't load.
To handle this, Icon Map automatically falls back to a server-side fetch proxy (hosted at api.iconmap.ai). It first tries to load the resource directly in the browser; if that's blocked by CORS — or by mixed content, where an http:// resource is requested from the https:// page — it re-fetches the same resource through the proxy, which retrieves it server-side (where CORS doesn't apply) and returns it to the map. Any request that carries a credential (an API key or a stored secret) always goes through the proxy so the secret stays server-side and never reaches the browser.
For administrators this means:
- No per-host CORS configuration is required — the fallback is automatic and per-resource.
- Keep
api.iconmap.aiin your trusted-sites / allow-list so the proxy is reachable. - The proxy only forwards the request; it doesn't retain the resource. Authenticated external services still authenticate as described above.
Next steps
- Grant admin consent — removes the in-product consent popups.
- Security & permissions — how credentials and identity are handled.