Description
If new Workleap Skills users have email accounts hosted on Microsoft Office365 with Safe Links protection enabled, then the "Verify Account" URLs will be rewritten similar to below.
https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.workleap.com%
Since this Verify Account URL is only a onetime accessible link and Microsoft already accessed this to rewrite as per the Safe Links policy, the link will be expired immediately before reaching the user's mailbox and when the user tries to set the password they will not be redirected to the "Change your password" page, instead it will be redirected to standard login page (sometimes with an invalid username and password error).
The only resolution available for this issue is to add the Workleap Skills domain within the Safe links policy to the Allow List.
Resolution
Important Prerequisites to check before following the instructions:
1. To make sure the new Workleap Skills user impacted by this issue, copy the "Verify Account" URL from the user's mailbox and verify it is written as mentioned above.
2. The below instructions need to be performed by a Microsoft Office365 Admin and we recommend thorough analysis before implementation and reach out Microsoft Support if necessary.
Resolution:
Launch https://security.microsoft.com/safelinksv2 with Office365 admin credentials.
Follow the steps in the Microsoft document to edit the appropriate Safe links policy under Policies & rules in the Defender Admin Center.
Add either of the below Workleap Skills domain urls in the Protection settings, under "Do not rewrite the following URLs" section:
https://*skills.workleap.com
Save the changes.
Now create a new user in Workleap Skills and verify whether the "Verify Account" URL reached user's mailbox without rewrite by Safe links policy and able to set the password.
Refer below Microsoft documentation for more details on Safe Links policy:
Set up Safe Links policies in Microsoft Defender for Office 365