How Install Office 2019 on old Mac OS when you're stuck on a blank authentication page

install-office-2019-old-mac.md

Pre-requisites

• Have an old Mac Laptop with an old MacOS version that you need Microsoft Office installed on (works with Intel-based Mac running High Sierra)
• Have an Office 365 License
• You attempted to install Office and, when prompted to input your account details to authenticate in each Office App, the authentication window turns blank (in my case, it occurs right after inputting the account email)

• Although it presents similiar issues when authenticating, I can't tell for sure if it works with Office 2016 (which I also installed, but moved on from before trying out this approach). This method was tested with Office 2019 alone.

Limitations

• This method works for most of the apps bundled in Office 2019 (tested with Excel, Word, PowerPoint and OneNote - I think Outlook doesn't require it, although I haven't set it up). However, I couldn't get it to work for Microsoft Teams, as it seems to follow an alternate authentication approach that I haven't investigated too deeply as I wasn't invested in getting that App specifically to work.
• In its current state, this method will require you to move quickly to manually select, alter and submit the intercepted request. It may take a few attempts to do it quickly enough (from what I tested, it seems like you need to do it in under 30s). Maybe this method could be replaced by a small mitmproxy add-on to overcome this

Method details

The method involves intercepting the App request made from the authentication window (i.e. the embedded browser window that pops up when the Microsoft Office App attempts to authenticate to your Microsoft Account) that leads to the blank page, using that request URL in a browser to complete the login, capturing the result code and then forcing the authentication page window to redirect to that same code URL. In other words, we will run part of the authentication process from a separate browser in order to see it completed and then simply return the auth code to the authentication window via a specially-crafted redirect response.

Intercepting and modifying the authentication window requests may take some time to learn and to execute quickly enough. Take some time to understand how it works in order to do that, as the authentication page times out after a certain period of time without a response. I highly recommend learning the tool shortcuts to avoid wasting any time in that process.

Steps

1. Have a working browser available in the machine (in my case I had to install the latest available Firefox for MacOS High Sierra)
2. Download and install Office 2019 for Mac
   1. Here you should be able to find a version that works in your case: https://learn.microsoft.com/en-us/officeupdates/update-history-office-for-mac
3. Install this proxy tool for intercepting and modifying the authentication requests: https://mitmproxy.org/
   1. You need to install an older version that is compatible with your macOS version: https://mitmproxy.org/downloads/
4. Start up the proxy tool (in my case, it opened a Terminal window with a text-based UI)
5. Enable proxy in the computer network settings (I've set it to proxy both http and https traffic via 127.0.0.1:8080)
   1. The tool should be showing flows in the Terminal UI

6. Install the tool certificates and have the machine trust them in order to intercept and manipulate https traffic: https://docs.mitmproxy.org/stable/concepts-certificates/
   1. This should lead you to the following local URL, which the proxy will intercept: mitm.it
   2. Remember to set this certificate to "Always Trust"

8. Select one Office App that you wish to authenticate under and start the App

   1. After providing your email, the authentication page should go blank when requesting the password
   2. Look for the last request made by the authentication window in the mitmproxy tool before it went blank. Focus on that URL with the arrow keys and hit enter to highlight the request details. Copy that URL
      1. In my case, the URL looked like this: https://login.live.com/oauth20_authorize.srf?client_id=...
      2. After copying it from the Terminal, I also had to remove some spaces that got copied from the terminal window
   3. Disable the computer proxy setting (otherwise the next step won't work)
   4. Open the captured URL in a browser (I've done it with Firefox) and finish the authentication process:

   

   5. Now you should have been redirected to a blank page with an URL containing a code query parameter. Copy that URL
      1. In my case, the URL looked like this: https://login.live.com/oauth20_authorize.srf?lc=1046#access_token=...
   6. Re-enable the computer proxy setting

9. Let's now authenticate the Office App

   1. Go back to the authentication window, click back

   2. In the mitm proxy UI, configure an intercept command. We'll use it to intercept and modify the response to the request that leads to the blank page this time: https://docs.mitmproxy.org/stable/mitmproxytutorial-modifyrequests/. This is the setting I used:

      1. Intercept, to hold back from responding to authentication requests (shortcut i): /oauth20_authorize.srf
      2. (RECOMMENDED) Filter, to ensure that only relevant flows will show up (shortcut f): login.live.com

   3. Run through the authentication steps for the Office App once more. Right after that, go to the mitm proxy tool UI and look for the intercepted request flow and hit enter. Intercepted request flows will appear in red

   4. Within the intercepted request, modify the following response properties:

      1. Response headers (shortcut e 9, then a to add row):
         1. Key: Location
         2. Value: <Full URL with the access token you copied earlier>
      2. Response code (shortcut e c): 302

   5. Once both response code and headers are altered, go back to the flow list and hit a to allow response through

   6. Take a look at the Office App authentication window - it should have been able to move forward with the authentication process. You should now have your App authenticated with your Microsoft Account.

   7. You can re-use the same code URL for all Office apps you wish to authenticate to (earlier in the document I listed the Apps it worked with)

10. Once you're done, remove the proxy setting from your network settings and feel free to uninstall mitmproxy

11. I also recommend removing the mitmproxy certificates from your local keychain as you'll no longer need them (or, at least, set them as not trusted).

Alternate method - mitmproxy addon (WIP)

This alternate method is a slight variation of the method above that involves the aid of a mitmproxy addon to automate some of the steps. Executing this method requires some level of familiarity with the Mac Terminal application.

1. Copy the office-auth-redirect.py addon file to the same folder where the mitmproxy application is present
2. To launch the proxy, open the Terminal application and head over to the folder where the mitmproxy app and proxy addon are located. Here is an example where the mitmproxy application is located in the Downloads folder:

$ cd ~/Downloads

# Assuming that mitmproxy and the pyhton addon script are here:
$ ./mitmproxy.app/Contents/MacOS/mitmproxy -s office-auth-redirect.py

3. This should start the proxy with the addon script. Now, attempt to log into the Office App.
   1. If you have Firefox installed, this should open a Window in it where it says that you are attempting to access a page via unsafe means. Disable the proxy from the network settings and reload the page. It should get you through the steps required to authenticate to your Office 365 account (beware: it won't need to happen if you are logged into Office 365 already). You should end up in the URL with the Auth code at the end of the flow (it's a blank page, like the one shown in the steps from the regular method above). Copy that Auth code URL
   2. If you don't have Firefox installed, while in the mitmproxy UI, hit E and look for a line that starts with Head over to this URL in your browser if you haven't yet: . Copy the URL from that line and head over to a browser with it, after disabling the proxy in the networking settings. Copy the Auth URL at the end of the authentication process.
4. Re-enable the proxy in the Network settings
5. Close the mitmproxy tool in the Terminal (hit q to quit and y to confirm)
6. Open the office-auth-redirect.py file with a text editor (e.g. you could use vim from the Terminal)
7. Add the Auth URL you acquired to the AUTH_URL variable (don't forget to retain the quotes) and save the file.
   1. With this done, the script will behave differently: instead of opening a browser window, it will immediately redirect authentication attempts to the appropriate Auth code URL instead.
8. Restart mitmproxy with the same command line once again
9. Try to authenticate into Office from the Office App once again. This time, you should see the App successfully authenticating into Office 365

office-auth-redirect.py

"""mitmproxy addon to aid in logging into office from old Mac"""

from mitmproxy import http

import logging, os

# Once you have the auth code URL, place it in the variable below (remember to keep it between double quotes!)
AUTH_URL=""

def request(flow: http.HTTPFlow) -> None:
    if flow.request.url.startswith("https://login.live.com/oauth20_authorize.srf") and AUTH_URL == "" and "AppleWebKit" in flow.request.headers["User-Agent"]:
        logging.info("Head over to this URL in your browser if you haven't yet: %s"%(flow.request.url))
        os.system("open /Applications/Firefox.app -g '%s'"%(flow.request.url))

def response(flow: http.HTTPFlow) -> None:
    if flow.request.url.startswith("https://login.live.com/oauth20_authorize.srf") and AUTH_URL != "":
        logging.info("Redirecting to AUTH_URL...")
        flow.response.headers["Location"] = AUTH_URL
        flow.response.status_code = 302

@ajoslin103 interesting… did you generate this script with AI?

@rafaelfonte Portions of it, yes. I've been working on several other bash+docker scripts that have to run in very tightly controlled environments and it's nice not to have to debug everything

I've been absolutely loving Windsurf (by codeium) and have just yesterday finished a 3 week effort to get a new module written almost entirely without touching the code. in the end it only worked when I gave it super detailed instructions and walked it thru how I wanted the problem solved. When I gave it free reign it overcreated (in just almost valid ways) and failed 3 times.

@rafaelfonte than you so much, with these instructions I was able to sign into Office apps with an old High Sierra Mac.

Unfortunately, it does not work completely with OneDrive - following the instructions, after releasing the intercepted call I was able to get past the blank window as for the other apps, but in the case of OneDrive I'm then stuck on a subsequent "Loading" page... Any idea how to continue from there?

Big thanks! Got it working, High Sierra & Office 2019.

I used the WIP addon method. I still needed to go to the network, setup proxies, install mitmproxy certificate and trust it. It is not clear that these steps are required at the WIP recipe.

MITM script (Deepseek's work, my testing...) which fixes the issue automatically.

I have just used it to activate my Office 2016 on my High Sierra (OSX's webkit lacks polyfill / Object.fromEntries ...).

I produced this before finding out about your efforts and hopefully it will help someone out there:

from mitmproxy import http

POLYFILL = b"""
<script nonce="polyfill">
// Ultra-compatible polyfill
if(!Object.fromEntries){
    Object.fromEntries=function(e){
        var o={},i,p;
        try{
            if(Array.from){
                Array.from(e).forEach(function(p){o[p[0]]=p[1]});
            }else{
                for(i=0;i<e.length;i++)o[e[i][0]]=e[i][1];
            }
        }catch(e){
            for(p in e)o[e[p][0]]=e[p][1];
        }
        return o;
    };
    console.log("Polyfill loaded");
}
</script>
"""

def response(flow: http.HTTPFlow) -> None:
    try:
        # Robust host checking that works with any input type
        host = flow.request.host
        target = "login.live.com"

        # Convert both to strings in a safe way
        if isinstance(host, bytes):
            host_str = host.decode('utf-8', errors='ignore')
        else:
            host_str = str(host)

        # Case-insensitive comparison
        if target.lower() not in host_str.lower():
            return

        # Only modify HTML responses
        if not flow.response or not flow.response.content:
            return

        content_type = flow.response.headers.get("content-type", "")
        if isinstance(content_type, bytes):
            content_type = content_type.decode('utf-8', errors='ignore')

        if "text/html" not in content_type.lower():
            return

        # Convert content to bytes if needed
        content = flow.response.content
        if isinstance(content, str):
            content = content.encode('utf-8')

        # Remove CSP headers
        csp_headers = ["content-security-policy", "x-content-security-policy"]
        for header in csp_headers:
            if header.encode() in flow.response.headers:
                del flow.response.headers[header.encode()]

        # Find injection point
        injection_points = [b"<head>", b"<html", b"<!DOCTYPE", b"<body"]
        for point in injection_points:
            if point in content:
                flow.response.content = content.replace(
                    point,
                    point + POLYFILL,
                    1
                )
                print(f"✓ Injected into {flow.request.url}")
                return

        # Final fallback: prepend
        flow.response.content = POLYFILL + content
        print(f"✓ Prepended to {flow.request.url}")

    except Exception as e:
        print(f"✗ Error: {type(e).__name__}: {str(e)}")

Hi @brightidea123, can you please give some more details on how exactly your code can be used to activate Office 2016 on High Sierra? Many thanks in advance.

@koosdevos

step-by-step instructions to:

• Install and set up MITMProxy on macOS High Sierra
• Trust the MITMProxy CA certificate system-wide
• Configure the system proxy settings
• Run MITMProxy with the necessary script and arguments

Activating Office 2016 on macOS High Sierra with MITMProxy (Step-by-Step Guide)

Older Macs running macOS High Sierra can encounter a blank sign-in window when trying to activate Microsoft Office 2016. This happens because the embedded web view in Office (which uses High Sierra’s older WebKit engine) doesn’t support some modern web features needed by the Office 365 login page. To resolve this, we will use a man-in-the-middle proxy tool (mitmproxy) along with a custom script to inject a fix into the authentication page. This method requires a valid Office 2016 license tied to your Microsoft account (it doesn’t bypass licensing – you must sign in with your own credentials that have an Office license). The steps below will guide you through setting up mitmproxy, configuring your Mac to use it, trusting its certificate, and then activating Office 2016 by signing in successfully.

Prerequisites

• Office 2016 installed on your Mac High Sierra system.
• An Office 365 or Office 2016 license associated with your Microsoft account (you'll sign in with this account to activate).
• Administrator access on the Mac (to install software and trust certificates).
• Internet connectivity (for contacting Microsoft’s activation servers via the proxy).
• mitmproxy tool downloaded and installed (steps below).
• The MITM proxy script provided by @brightidea123 (the Python code that will inject the necessary fix into the login page) – save this script as a file on your Mac (e.g., office2016_login_fix.py). This script was confirmed to fix the blank activation page issue for Office 2016 on High Sierra by injecting a polyfill for missing JavaScript features.

Steps to Set Up MITMProxy and Activate Office 2016

1. Install mitmproxy on your Mac: Download and install the mitmproxy tool, which will allow us to intercept and modify web traffic. If you use Homebrew, you can install it by running brew install mitmproxy in Terminal. Otherwise, download a compatible version from the [official mitmproxy website](https://mitmproxy.org/) (High Sierra may require using an older mitmproxy release). After installation, you should be able to open Terminal and run mitmproxy --version to verify it’s installed. (The gist we’re following suggests using an older mitmproxy build for compatibility with High Sierra, so if the latest version doesn’t run on your OS, grab a previous release from the mitmproxy downloads page.)

2. Save the Office activation fix script: Copy the Python script provided by brightidea123 (from the GitHub Gist comment) into a text file on your High Sierra Mac. You can use a simple text editor (e.g., TextEdit in plain text mode or Nano in Terminal) to create the file. Save the file as, for example, office2016_login_fix.py. Ensure the file includes the entire code snippet starting with from mitmproxy import http and defining the response function. This script is what modifies the Office login page on the fly by injecting a JavaScript polyfill for the Object.fromEntries function, which High Sierra’s web view lacks. (The code specifically targets the Microsoft login page and injects a small script to add the missing Object.fromEntries functionality, allowing the page to load properly.)

3. Launch mitmproxy with the script: Open Terminal on your Mac and navigate to the folder where you saved the script (e.g., cd ~/Desktop if you saved it on the Desktop). Run mitmproxy with the script by entering:

   mitmproxy -s office2016_login_fix.py

   This command starts the mitmproxy proxy and loads your script (-s means run this Python script as a mitmproxy addon). You should see the mitmproxy interface open in the Terminal (a text-based UI). By default, mitmproxy will listen as an HTTP/HTTPS proxy on 127.0.0.1 port 8080. Leave this Terminal window open and running while you proceed (it is now waiting to intercept network traffic). If everything is set up correctly, you’ll later see log messages in this window when the script injects the fix (e.g., lines indicating “✓ Injected into ...” once the Office sign-in page is intercepted).

4. Configure macOS to use the proxy for web traffic: Now you need to direct your Mac’s internet traffic through the mitmproxy. Go to System Preferences > Network, select your active network interface (e.g. Wi-Fi), then click Advanced and go to the Proxies tab. Enable both Web Proxy (HTTP) and Secure Web Proxy (HTTPS), and set the proxy server address to 127.0.0.1 and Port to 8080 for both protocols. Click OK and then Apply to save the settings.

   The screenshot above shows the proxy settings in macOS High Sierra. Both HTTP and HTTPS proxies are pointed to the local mitmproxy at 127.0.0.1:8080. Enabling these ensures that Office’s sign-in request will be routed through our proxy tool.

5. Install and trust the mitmproxy certificate: Because Office’s sign-in uses HTTPS, we need to allow mitmproxy to decrypt and re-encrypt this secure traffic. Mitmproxy generates its own Certificate Authority (CA) certificate for this purpose. With the proxy still running and the system proxy enabled, open a web browser on your Mac and navigate to http://mitm.it/. This will load mitmproxy’s certificate installation page (since your traffic is going through the proxy, mitmproxy intercepts this request and serves a local page). On the mitm.it page, click the Apple icon or the link for macOS to download the certificate (mitmproxy-ca-cert.pem). Once downloaded, double-click the certificate file to open it in Keychain Access. You may be prompted to add the certificate to your keychain (add it to the login keychain by default).

   Next, find the newly added “mitmproxy” certificate in Keychain Access (it will likely be in the Certificates category). Right-click it and choose Get Info, or simply double-click it to open its details. Expand the Trust section, and for “When using this certificate,” select “Always Trust.” You will need to enter your administrator password to confirm this change. Marking it as “Always Trust” is crucial; it tells your system to trust the proxy’s certificate so that secure connections won’t be blocked. After this, the certificate icon may show a blue plus or a white checkmark, indicating it’s trusted.

   The image above shows the mitmproxy certificate being set to “Always Trust” in Keychain Access. By downloading the certificate via mitm.it and trusting it, you allow mitmproxy to act as an intermediary for HTTPS connections without MacOS or Office raising security errors. Be sure to authenticate the trust change with your admin password when prompted.

6. Sign in to Office 2016 to activate: Everything is now in place to fix the blank login issue. Ensure mitmproxy is still running and your proxy settings are enabled. Launch an Office 2016 app that needs activation (for example, Microsoft Word). When prompted to Sign In, enter your Microsoft account email and proceed. This time, when the Office activation dialog tries to load the password page, it should not remain blank – it will load the Microsoft login page properly (it may take a moment). The script running in mitmproxy will detect the Office sign-in page (from the domain login.live.com) and inject the missing JavaScript polyfill into it on the fly. This injection allows the page to function in High Sierra’s older web view. You can then enter your Microsoft account password and complete any 2FA if prompted, just as you would in a normal browser. After submitting your credentials, Office should accept the login and activate.

   • Watch the Terminal output: As you sign in, you should see messages in the mitmproxy Terminal window indicating that the script found the page and injected the polyfill (look for lines with “✓ Injected into [https://login.live.com/...”](https://login.live.com/...”)). This feedback confirms the fix was applied.
   • Activation success: Once signed in, the blank window should close and the Office application will open normally, now logged in with your account. You can verify activation by going to the app’s Help > About or Account section – it should show your email/account and that the product is licensed. (If the login page still doesn’t load or remains blank, double-check that the proxy is enabled and the certificate is trusted. Also ensure your account is indeed linked to an Office license.)

7. Disable the proxy and clean up (after activation): After your Office 2016 is activated, you should turn off the proxy settings to return your Mac’s network to normal. Go back to System Preferences > Network > Proxies and uncheck the Web Proxy and Secure Web Proxy boxes, then apply the changes. This will restore your internet connection to bypass the local proxy. You can then go to the Terminal running mitmproxy and press Q to quit (then Y to confirm exit if using the interactive interface). It’s also a good idea to remove the mitmproxy certificate from your Keychain or at least set it back to “Never Trust” now that you’re done, for security purposes. Simply find the mitmproxy certificate in Keychain, right-click and delete it (or change its trust setting to default). If you ever need to run this fix again, you can always re-install the certificate.

By following the above steps, you’ve effectively worked around the High Sierra blank authentication page issue. Mitmproxy, combined with the custom script, injected a missing web capability into the Office sign-in dialog, allowing you to log in with your own Microsoft credentials and activate Office 2016 on your older Mac. This gives you full access to your Office apps without upgrading your OS. Enjoy your activated Office 2016, and remember that you can re-use this method in the future if you encounter the blank sign-in window again (just run mitmproxy with the script and enable the proxy/cert as done here). Finally, since this solution was intended for an end-user, we made sure to use straightforward steps – no coding experience is required beyond copying the script and running commands as shown. You have now successfully signed in and activated Office on High Sierra using the mitmproxy workaround. ✅

Thank you so much, works like a charm! The only thing we had to adapt was the ip-address for the proxy and to use https://mitm.it instead of http://mitm.it.