API Connect

Safe links and one time tokens in v10.0.10

By Akshat Rastogi posted 4 days ago

  

Over the past several months, some users have encountered a frustrating scenario when interacting with email links protected by Microsoft's Safe Links feature. This security tool, designed to protect users from malicious URLs in real time, was inadvertently causing problems for certain one-time token-based links, particularly those used in password resets or account verification.

The Problem

When an email containing a one-time token link (e.g., https://portal…/verify?token=<unique_token>) was protected by Safe Links, Microsoft would try to reach the link with a HEAD request:

HEAD https://portal..../verify?token=<unique_token>

To verify safety, Safe Links may perform a background request to this URL before the user clicks it. Unfortunately, this background scan could consume the one-time token, rendering it invalid when the user actually tried to access it. The result? Confusing and frustrating "invalid token" errors for end-users, and increased support load for IT teams.

The Fix

We're pleased to share that this issue has now been fully addressed. Safe Links no longer prematurely consumes one-time authentication tokens when scanning links in the background.

Key changes:

  • Safe Links now identifies one-time-use token patterns and avoids triggering them during background safety scans.

  • Background requests that would activate sensitive tokens are now bypassed or modified to prevent token consumption.

  • No changes are required on your end: this fix has been rolled out in the new version of the portal and consumer catalog in v10.0.10 and will also be available in v10.0.8.3.
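
The failure described under "The Problem" and one server-side way to avoid it, as an added example (not IBM's implementation and not code from this post). The class `OneTimeTokenStore`, its `safe_methods_consume` switch, the helper `scan_then_click` and the 410/405 status choices are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

class OneTimeTokenStore:
    """Hypothetical store: keeps SHA-256 digests of issued tokens with an expiry."""

    ALLOWED = ("GET", "POST", "HEAD", "OPTIONS")

    def __init__(self, ttl_seconds=3600, safe_methods_consume=False):
        self.ttl = ttl_seconds
        # True reproduces the behaviour described under "The Problem".
        self.safe_methods_consume = safe_methods_consume
        self._pending = {}  # digest -> expiry (epoch seconds)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = time.time() + self.ttl
        return token

    def handle(self, method, token):
        """Return the HTTP status a /verify endpoint would send (assumed codes)."""
        if method not in self.ALLOWED:
            return 405
        key = self._digest(token)
        expiry = self._pending.get(key)
        if expiry is None or expiry < time.time():
            self._pending.pop(key, None)
            return 410  # unknown, expired or already used
        if method in ("HEAD", "OPTIONS") and not self.safe_methods_consume:
            return 200  # token is valid, but a background probe must not spend it
        del self._pending[key]  # single use: spend the token
        return 200

def scan_then_click(store):
    """Constructed sequence: a scanner's HEAD probe, then the user's GET."""
    token = store.issue()
    return store.handle("HEAD", token), store.handle("GET", token)

if __name__ == "__main__":
    print("consumes on HEAD:", scan_then_click(OneTimeTokenStore(safe_methods_consume=True)))
    print("ignores HEAD:    ", scan_then_click(OneTimeTokenStore()))
```

This only covers probes sent as HEAD or OPTIONS; a background request that arrives as a full GET looks the same as a user's click at this layer.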

What You Need to Know

  • Users no longer see token errors caused by Safe Links.

  • No changes are needed in how you generate one-time links.

  • If your platform was seeing this issue and you disabled the Safe Links check in Microsoft Outlook, you may now review that logic again.
