[Introduction]
Starting November 15, 2025, Outlook on the web and the new Outlook for Windows will begin rolling out an update to how inline images are represented in the HTML body of emails. This change is part of Microsoft’s ongoing security improvements and will affect how Outlook add-ins identify and process inline images using the attachment ID. Specifically, the update transitions from using tokenized image URLs to a more secure method using content IDs and request headers.
[When this will happen:]
This change will begin rolling out on November 15, 2025, to Production users. Rollouts to other environments will begin after Production rollouts are 100% complete.
[How this affects your organization:]
What’s changing:
Previously, inline images in the HTML mail body were represented with a URL containing the attachment ID as a query parameter. Developers could parse the HTML and do one of the following.
- Extract the ID from the URL and match it with the attachment ID they already had.
- Use the entire URL in the src attribute to get the Base64 value of the inline image.
Going forward, the URL for inline images will no longer contain the attachment ID. As a result, your current parsing logic won’t be able to correlate the inline image in the mail body with the attachment ID or Base64 value of the image.
What will happen:
- Images will be represented by a content ID (cid) in the src attribute.
- Add-ins that extract the attachment ID from the image URL will no longer be able to correlate images reliably.
- With this change, add-ins must:
  - Parse the HTML message body and retrieve the cid value from the src attribute of the <img> element.
  - Use Office.context.mailbox.item.getAttachmentsAsync to retrieve an AttachmentDetailsCompose object.
  - To restore correlation, match the contentId property from the object to the cid value in the HTML.
  - To retrieve the Base64 value of the image attachment, use Office.context.mailbox.item.getAttachmentContentAsync.
Example AttachmentDetailsCompose object:
[
{
"id": "AAkALgAAAAAAHYQDEapmEc2byACqAC/EWg0AW4xUByFbp0CroCNphMYEEAADMWhyywAAARIAEADghOrwhp8zR7umVQRBkN51",
"name": "image.png",
"contentType": "image/png",
"size": 2371,
"attachmentType": "file",
"isInline": true,
"contentId": "7957e11a-ce80-438b-87cd-611b3d6a3ec4"
}
]
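Added example (not from Microsoft's post or its sample code): one way to implement the correlation steps above in JavaScript, with the matching logic kept separate from the Office.js calls so it can be tested outside Outlook. The function names and sample values are assumptions made for this example; the regex extraction is used so the code runs under Node, and inside the add-in runtime a DOMParser query for img[src] is the sturdier choice.

```javascript
// Collect the src value of every <img> in the body (double-quoted, single-quoted or bare).
function extractImageSources(html) {
  const imgSrc = /<img\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const sources = [];
  let m;
  while ((m = imgSrc.exec(html)) !== null) {
    sources.push((m[1] || m[2] || m[3] || "").trim());
  }
  return sources;
}

// Strip the cid: scheme, percent-encoding and optional <...> so both sides compare equal.
function normalizeCid(value) {
  let cid = String(value).replace(/^cid:/i, "");
  try { cid = decodeURIComponent(cid); } catch (e) { /* malformed escape: keep raw */ }
  return cid.replace(/^<|>$/g, "");
}

// Exact contentId match only; anything else is reported, never guessed by name or order.
function correlateInlineImages(html, attachments) {
  const byCid = new Map();
  for (const att of attachments) {
    if (att.isInline && att.contentId) byCid.set(normalizeCid(att.contentId), att);
  }
  const matched = [];
  const unmatched = []; // non-cid src (e.g. previous URL form) or cid with no attachment
  for (const src of extractImageSources(html)) {
    const att = /^cid:/i.test(src) ? byCid.get(normalizeCid(src)) : undefined;
    if (att) matched.push({ src, attachmentId: att.id, name: att.name });
    else unmatched.push(src);
  }
  return { matched, unmatched };
}

// Compose-mode wiring; pass Office.context.mailbox.item as `item`. The literals stand in
// for Office.CoercionType.Html and Office.AsyncResultStatus.Succeeded.
function correlateFromItem(item, callback) {
  item.body.getAsync("html", (body) => {
    if (body.status !== "succeeded") return callback(body.error);
    item.getAttachmentsAsync((atts) => {
      if (atts.status !== "succeeded") return callback(atts.error);
      callback(null, correlateInlineImages(body.value, atts.value));
    });
  });
}

// Constructed sample input (the contentId is the one from the example object above).
const SAMPLE_HTML = '<img src="cid:7957e11a-ce80-438b-87cd-611b3d6a3ec4"><img src="https://example.invalid/old?x=1">';
const SAMPLE_ATTACHMENTS = [{ id: "sample-id-1", name: "image.png", isInline: true, contentId: "7957e11a-ce80-438b-87cd-611b3d6a3ec4" }];
```

Entries in unmatched are the ones to hand to the previous URL-based logic while both representations are in circulation during the rollout.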
[What you can do to prepare:]
- Update your add-in’s parsing logic to retrieve the cid value from the src attribute of inline images.
- Use getAttachmentsAsync to match the content ID with the image.
- Ensure your add-in supports both the previous and updated implementations during the rollout.
- Test your add-in to confirm it correctly identifies and processes inline images using the new method.
- Update internal developer documentation if it references the previous method of parsing inline image URLs.
- Communicate this change to helpdesk or support teams if they assist with Outlook add-in troubleshooting.
- Review the sample code provided in the Microsoft 365 Developer Blog: Changes to inline images in Outlook.
- Leave a comment on this post or in Microsoft 365 Developer Blog: Changes to inline images in Outlook if you have any questions.
- Watch the October 2025 Office Add-ins Community Call (YouTube link)
[Compliance considerations:]
Placing the content ID in the src attribute matches how classic Outlook on Windows represents inline images.
Compliance Area | Explanation |
---|---|
Does the change alter how existing customer data is processed, stored, or accessed? | Inline image retrieval now uses secure headers instead of tokenized URLs, changing how image data is accessed. |
Does the change modify how users can access, export, delete, or correct their personal data within Microsoft 365 services? | The method for accessing inline image data in emails is updated, which may affect how add-ins handle personal data. |
Source: Microsoft