
SSO e-signature - X-frame options to deny - workaround

marketa_w
Tera Expert

Hi team, we are trying to set up the SSO E-signature for approval but we are facing this error: "Refused to display https://login.microsoftonline.com/ in a frame because it set to deny."

 

Since this is a Microsoft thing we are not able to set this to another value than deny, so we are thinking about creating a workaround - ideally:

 

a) Full-page redirect.  or

b) Popup window.

 

Does anyone here have any experience with this please?

 

Thank you.

Best Regards,

Markéta 

2 REPLIES

Sreeram Nair
Tera Guru

This error occurs because Microsoft’s login page explicitly sets the HTTP response header
X-Frame-Options: DENY (or the modern equivalent Content-Security-Policy: frame-ancestors 'none').

That header instructs the browser not to load the page inside an iframe for security reasons — preventing clickjacking and other embedding attacks.
Since ServiceNow’s E-Signature (SSO) approval feature by default tries to load the identity-provider login page inside an embedded frame within the ServiceNow UI, the browser blocks it.

 

Full-Page Redirect - The most reliable and secure workaround is to use a full-page redirect instead of loading the Microsoft login page inside an iframe. In this approach, when the user initiates the SSO E-signature approval, they are redirected directly to the Microsoft login page in the main browser window. After completing the authentication process, Microsoft then redirects the user back to ServiceNow with the required authentication response or approval confirmation. This method fully complies with Microsoft’s security policies and avoids the “X-Frame-Options: DENY” restriction, as it doesn’t attempt to embed the login page. Implementation typically involves updating the UI action or script to perform a redirect using window.location.href instead of rendering an embedded frame or modal.

 

Popup Window - A popup window can be used to keep the approval process within the same ServiceNow session while still respecting Microsoft’s security rules. Instead of an iframe, a small new browser window is opened using window.open() to display the Microsoft login page. Once the user completes authentication, the popup can communicate back to the parent ServiceNow window using window.opener.postMessage() and then close itself automatically. The parent window can then refresh or update the approval status. This option provides a smoother in-context user experience but requires additional client-side scripting to handle message passing and state updates securely.


ʙᴇꜱᴛ ʀᴇɢᴀʀᴅꜱ


ꜱʀᴇᴇʀᴀᴍ
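A sketch of the message handling the popup option in the reply above calls for, added here as an example and not taken from the thread or from ServiceNow. The message type `esig-auth-complete`, the `state` query parameter, the window name and the same-origin callback page are all assumptions.

```javascript
// Added example. The message type, state handling and window name are
// assumptions for illustration, not ServiceNow or Microsoft APIs.

// Random per-attempt value the popup must echo back (browser Web Crypto).
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Builds the parent's 'message' listener. It accepts one completion message,
// only from our own origin, our own popup, and carrying the expected state.
function makeAuthListener({ expectedOrigin, expectedState, popup, onComplete }) {
  let done = false;
  return function onMessage(event) {
    if (done) return 'ignored:already-completed';
    if (event.origin !== expectedOrigin) return 'rejected:origin';
    if (event.source !== popup) return 'rejected:source';
    const d = event.data;
    if (!d || typeof d !== 'object' || d.type !== 'esig-auth-complete') return 'rejected:shape';
    if (d.state !== expectedState) return 'rejected:state';
    done = true;
    // The message is only a signal to refresh: the server must already have
    // verified the sign-in before the approval is recorded.
    onComplete();
    return 'accepted';
  };
}

// Parent window: open the login flow in a popup instead of an iframe.
// loginUrl is assumed to be a same-origin page that starts the SSO round trip
// and hands `state` to the callback page.
function startPopupAuth(loginUrl, onComplete) {
  const state = newState();
  const url = new URL(loginUrl, window.location.origin);
  url.searchParams.set('state', state);
  const popup = window.open(url.toString(), 'esig_auth', 'width=520,height=640');
  const listener = makeAuthListener({
    expectedOrigin: window.location.origin, expectedState: state, popup,
    onComplete: () => { window.removeEventListener('message', listener); onComplete(); },
  });
  window.addEventListener('message', listener);
}

// Callback page (same origin as the parent), loaded in the popup after sign-in.
function notifyOpenerAndClose(state) {
  // Explicit targetOrigin, never '*', so only our own origin can read it.
  window.opener.postMessage({ type: 'esig-auth-complete', state }, window.location.origin);
  window.close();
}
```

The listener returns a short status string for each message so rejected messages can be logged; the browser ignores the return value.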

Hello Sreeram,

 

thank you so much for explaining both of the options. Since we would like to go with the more reliable approach I think the Full-Page redirect will be better, as you mentioned. Do you please know if there exists any documentation on how to implement this? I tried to search through community and snow docs but could not find any guide. 

 

Thanks a lot!