check before: 2025-02-01
Product:
Entra, Exchange, Microsoft 365 Apps, Outlook
Platform:
Android, Developer, iOS, Mac, Online, Web, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message
Links:
Details:
Summary:
Legacy Exchange Online tokens are deprecated and will be turned off starting February 2025. Add-ins using these tokens must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should identify and update affected add-ins, and developers must register updated add-ins in Azure. Tooling will be provided for admins to manage this transition.
Details:
Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off.
Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP.
Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.
NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change.
[Recommended actions:]
Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates.
Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates.
Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions.
Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off.
[When will Microsoft turn off legacy Exchange Online tokens?]
Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA.
DateLegacy tokens status
Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell.
Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception
Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed.
[When is NAA generally available for my channel?]
The general availability (GA) date for NAA depends on which channel you are using.
DateNAA General Availability (GA)
Oct 2024NAA is GA in Current Channel.
Nov 2024NAA will GA in Monthly Enterprise Channel.
Jan 25NAA will GA in Semi-Annual Channel.
Jun 25NAA will GA in Semi-Annual Extended Channel.
[How do I check which Outlook add-ins are impacted?]
From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details.
Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:
makeEwsRequestAsync
getUserIdentityTokenAsync
getCallbackTokenAsync
We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.
If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.
[How do I keep up with the latest guidance?]
We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ.
Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title.
Additional resources:
NAA public preview blog
Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins
NAA docs to get started
NAA FAQ
NAA Outlook sample
NAA WXP sample
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2024-10-02
updated:
2024-11-01
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Add-in Functionality Loss
Outlook add-ins using legacy Exchange Online tokens will stop functioning, leading to disruption in user workflows.
- roles: End Users, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131
Increased Support Requests
Users will likely submit more support tickets due to broken add-ins, increasing the workload for IT support teams.
- roles: IT Support, End Users
- references: https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/
Compliance Risks
Failure to migrate to NAA may lead to compliance issues if add-ins are critical for regulatory processes.
- roles: Compliance Officers, IT Administrators
- references: https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens
Development Overhead
Developers will face increased pressure to update add-ins quickly, potentially leading to rushed implementations and errors.
- roles: Developers, Project Managers
- references: https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1)
User Experience Degradation
Users may experience frustration and decreased productivity due to the sudden unavailability of essential add-ins.
- roles: End Users, Team Leaders
- references: https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens
Configutation Options**
XXXXXXX ... paid membership only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
Date | Property | old | new |
2024-11-01 | MC Messages | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024LNAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024NAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample |
2024-11-01 | MC Last Updated | 10/30/2024 22:58:00 | 2024-10-31T20:19:59Z |
2024-10-31 | MC prepare | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/NAApreviewblog https://aka.ms/NAAsampleOffice https://aka.ms/NAAsampleOutlook https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/ https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131 https://github.com/OfficeDev/office-js/issues https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1) https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-makeewsrequestasync-member(1) https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-tokenUn%2Fu0TIrdZt7Lws1LzA%2FtgoU5X8h9ock%3D&reserved=0 | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/NAApreviewblog https://aka.ms/NAAsampleOffice https://aka.ms/NAAsampleOutlook https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/ https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131 https://github.com/OfficeDev/office-js/issues https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1) https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-makeewsrequestasync-member(1) https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-tokenUn%2Fu0TIrdZt7Lws1LzA%2FtgoU5X8h9ock%3D&reserved=0 https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens |
2024-10-31 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
2024-10-31 | MC Summary | Legacy Exchange Online tokens are deprecated, and Outlook add-ins using them will break when deactivated. Add-ins must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should update add-ins and consent to new permissions, while developers must revise code and register the updated add-ins in Azure. A timeline for deactivation is provided, with tooling for admins to manage legacy tokens coming in October 2024. | Legacy Exchange Online tokens are deprecated and will be turned off starting February 2025. Add-ins using these tokens must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should identify and update affected add-ins, and developers must register updated add-ins in Azure. Tooling will be provided for admins to manage this transition. |
2024-10-31 | MC Last Updated | 10/02/2024 01:35:12 | 2024-10-30T22:58:00Z |
2024-10-31 | MC Messages | We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off.
Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] The following table lists the key milestones based on which Office app release channel tenant you're using. Note that the GA date for NAA varies based on channel. We'll soon provide tooling via PowerShell for Microsoft 365 administrators to reenable legacy Exchange tokens for their tenant or specific add-ins if those add-ins are not yet migrated to NAA. NAA availability for Outlook on Mac, Android, iOS, new Outlook, and Outlook on the web will align with the Microsoft 365 Current Channel release. Support for Work and School accounts as well as Microsoft account will be available for Classic Outlook on Windows, Outlook on Mac, Android, and iOS at GA. Work and School accounts will be supported on new Outlook and Outlook on the web at GA, with Microsoft account support shortly thereafter. Date ReleaseChannel(s) Legacy tokens status and NAA GA Oct 2024All channelsNew PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs. Oct 2024Current ChannelLegacy tokens turned off for tenants not using them; NAA will GA in Current Channel. Nov 2024Monthly Enterprise ChannelLegacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel. Jan 2025Current and Semi-Annual ChannelsLegacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can reenable via PowerShell. NAA will GA in Semi-Annual Channels. Feb 2025Monthly Enterprise ChannelLegacy tokens turned off for all tenants in Monthly Enterprise. Admins can reenable via PowerShell. June 2025Semi-Annual Extended ChannelLegacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel. June 2025All channelsAdmins can no longer re-enable legacy tokens via PowerShell; contact Microsoft. Oct 2025All channelsLegacy tokens turned off for all tenants, there will be no re-enable option. Note: If a single tenant uses multiple Microsoft 365 apps / Office release channels, Legacy Exchange Online tokens will be turned off based on the "slowest" release channel. [How do I check which Outlook add-ins are impacted?] Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024LNAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample |
2024-10-31 | MC Title | Exchange Online token deprecation plan | (Updated) Exchange Online token deprecation plan |
2024-10-31 | MC End Time | 11/30/2025 09:00:00 | 2025-12-29T09:00:00Z |
Last updated 1 month ago