check before: 2025-02-17
Product:
Entra, Exchange, Microsoft 365 Apps, Microsoft Graph, Outlook
Platform:
Android, Developer, iOS, Mac, Online, Web, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message
Links:

Details:
Summary:
Starting February 17, 2025, legacy Exchange Online user identity and callback tokens will be turned off for all Microsoft 365 tenants, affecting Outlook add-ins. Identify impacted add-ins, contact publishers for updates, and consider opting out if necessary. For more information, refer to the provided resources and FAQ links.
Details:
Updated February 3, 2025: We have updated the content.
This is a reminder that starting February 17th, legacy Exchange Online user identity and callback tokens will be turned off across all Microsoft 365 tenants. This impacts all Outlook add-ins that request a legacy Exchange Online token to identify the user or make Exchange web services (EWS) calls. This change only applies to Exchange Online and doesn't apply to Exchange on-premises.
Recommended actions
- Identify any add-ins that are impacted. Determine if your tenant has any deployed Outlook add-ins that are impacted by this change. For more information, see Which add-ins in my Organization are impacted.
- Contact add-in publishers. Microsoft has worked with many Outlook add-in publishers to update their add-ins to use Entra ID tokens and Microsoft Graph. If you identify any impacted add-ins on your tenant, we recommend that you reach out to the publishers of those add-ins to learn more about their plans to update.
Can I opt out of this change?
You can opt out of the February 17th change if all the following are true.
- Your tenant has add-ins impacted by this change.
- The impacted add-ins will not be updated to no longer use legacy Exchange Online tokens by February 17th.
- The add-ins are necessary for your organization.
To opt out, run a command to set legacy Exchange Online tokens to remain on. It takes up to 24 hours for the command to take effect. If you turn tokens on before February 17th, your tenant will be exempt from the February 17th change. Tokens will remain on until June 2025 or until you explicitly turn them off.
What happens on February 17th?
Microsoft will begin deploying a change to all users worldwide in Microsoft 365 tenants that will turn off the issuance of legacy Exchange online tokens. The deployment will take several weeks to deploy to all users. If an Outlook add-in requests a legacy Exchange token, and token issuance is turned off, the add-in will receive an error. Outlook add-ins that still request legacy Exchange Online tokens will be broken by this change. Please note that even after legacy tokens are turned off, already issued legacy tokens will continue to be valid for approximately 24 hours.
Note that since the change is applied per user, and deployed over several weeks, you could see some users affected while others are not.
Where do I get more information?
The Outlook legacy tokens deprecation FAQ is updated regularly and contains information about tools and how to upgrade add-ins. We recommend you refer to the Q&A section for Microsoft 365 administrators. We also recommend you share the FAQ with any developers in your organization that need to update LOB Outlook add-ins using legacy Exchange Online tokens.
Additional resources
- Turn legacy Exchange Online tokens on or off
- Legacy Exchange Online token deprecation FAQ
- Enable single sign-on in an Office Add-in with nested app authentication
- NAA Outlook sample
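The earlier version of this message, recorded in the change history below, asks developers whether their add-in code references `makeEwsRequestAsync`, `getUserIdentityTokenAsync` or `getCallbackTokenAsync`. The following Node.js scanner is an added example (not Microsoft's tooling and not part of the original message) that flags those references in add-in source while ignoring comments and ordinary string literals; the function names `maskNonCode`, `findLegacyTokenCalls` and `countByApi` and the sample source are constructed for illustration.

```javascript
// Added example: audit add-in source for the three legacy-token APIs.
const LEGACY_APIS = [
  "makeEwsRequestAsync",
  "getUserIdentityTokenAsync",
  "getCallbackTokenAsync",
];

// Blank out comments and ordinary string contents, keeping every newline so
// line numbers stay valid. A string that directly follows "[" is kept, since
// mailbox["getCallbackTokenAsync"] is a real reference.
// Limitation: regex literals and ${...} inside template strings are not parsed.
function maskNonCode(src) {
  let out = "";
  let lastCode = ""; // last non-whitespace character seen outside comments
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const next = src[i + 1];
    if (c === "/" && next === "/") {
      // Line comment: blank up to (not including) the newline.
      while (i < src.length && src[i] !== "\n") { out += " "; i++; }
    } else if (c === "/" && next === "*") {
      // Block comment: blank everything except newlines.
      const end = src.indexOf("*/", i + 2);
      const stop = end === -1 ? src.length : end + 2;
      for (; i < stop; i++) out += src[i] === "\n" ? "\n" : " ";
    } else if (c === '"' || c === "'" || c === "`") {
      const keep = lastCode === "["; // bracket property access
      out += c; i++;
      while (i < src.length && src[i] !== c) {
        if (src[i] === "\n" && c !== "`") break; // unterminated string
        // Consume an escape sequence as a two-character unit.
        const len = src[i] === "\\" && i + 1 < src.length ? 2 : 1;
        for (let k = 0; k < len; k++, i++) {
          out += keep || src[i] === "\n" ? src[i] : " ";
        }
      }
      if (src[i] === c) { out += c; i++; }
      lastCode = c;
    } else {
      if (!/\s/.test(c)) lastCode = c;
      out += c; i++;
    }
  }
  return out;
}

const API_PATTERN = new RegExp("\\b(" + LEGACY_APIS.join("|") + ")\\b", "g");

// Return one finding per reference: dotted calls, bracket access and
// destructured names are all caught because only real code survives masking.
function findLegacyTokenCalls(src, file = "<inline>") {
  const masked = maskNonCode(src);
  const lines = src.split("\n");
  const findings = [];
  for (const m of masked.matchAll(API_PATTERN)) {
    const line = masked.slice(0, m.index).split("\n").length;
    findings.push({ file, line, api: m[1], text: lines[line - 1].trim() });
  }
  return findings;
}

// Per-API totals, including zeros, for a quick per-add-in summary.
function countByApi(findings) {
  const counts = Object.fromEntries(LEGACY_APIS.map((n) => [n, 0]));
  for (const f of findings) counts[f.api]++;
  return counts;
}

// Constructed sample add-in source (not taken from any real add-in).
const SAMPLE_SOURCE = [
  "// old: Office.context.mailbox.getUserIdentityTokenAsync(cb);",
  'const url = "https://contoso.example/api"; // placeholder host',
  "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, onToken);",
  'console.log("makeEwsRequestAsync is no longer used here");',
  "const mbox = Office.context.mailbox;",
  'mbox["makeEwsRequestAsync"](soapBody, onEws);',
  "/* getCallbackTokenAsync",
  "   was removed from this path */",
  "mbox",
  "  .getUserIdentityTokenAsync(onIdentity);",
].join("\n");

const sampleFindings = findLegacyTokenCalls(SAMPLE_SOURCE, "taskpane.js");
for (const f of sampleFindings) {
  console.log(`${f.file}:${f.line}  ${f.api}  ${f.text}`);
}
console.log(countByApi(sampleFindings));
```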
Created:
2024-10-02
updated:
2025-02-04
Direct effects for Operations**
Outlook Add-ins Failure
Outlook add-ins that rely on legacy Exchange Online tokens will fail to function, leading to disruptions in user workflows and productivity.
- roles: End Users, IT Administrators
- references: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#which-add-ins-in-my-organization-are-impacted
User Experience Degradation
Users may experience errors and interruptions when attempting to use affected Outlook add-ins, resulting in frustration and decreased efficiency.
- roles: End Users, Support Staff
- references: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/authentication#callback-tokens
Increased Support Requests
The change will likely lead to an increase in support requests from users facing issues with non-functional add-ins, straining IT support resources.
- roles: Support Staff, IT Administrators
- references: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#which-add-ins-in-my-organization-are-impacted
Operational Disruption
Critical business operations relying on specific add-ins may be disrupted, impacting overall organizational productivity and service delivery.
- roles: End Users, Business Analysts
- references: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/turn-exchange-tokens-on-off
Compliance Risks
If essential add-ins are not updated, organizations may face compliance risks if they rely on these tools for regulatory or reporting purposes.
- roles: Compliance Officers, IT Administrators
- references: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/authentication#exchange-user-identity-token
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-02-04 | MC Messages | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. 
We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024NAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. 
This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample | Updated February 3, 2025: We have updated the content.
This is a reminder that starting February 17th, legacy Exchange Online user identity and callback tokens will be turned off across all Microsoft 365 tenants. This impacts all Outlook add-ins that request a legacy Exchange Online token to identify the user or make Exchange web services (EWS) calls. This change only applies to Exchange Online and doesn't apply to Exchange on-premises. Recommended actions Identify any add-ins that are impacted. Determine if your tenant has any deployed Outlook add-ins that are impacted by this change. For more information, see Which add-ins in my Organization are impacted. Contact add-in publishers. Microsoft has worked with many Outlook add-in publishers to update their add-ins to use Entra ID tokens and Microsoft Graph. If you identify any impacted add-ins on your tenant, we recommend that you reach out to the publishers of those add-ins to learn more about their plans to update. Can I opt out of this change? You can opt out of the February 17th change if all the following are true. Your tenant has add-ins impacted by this change. The impacted add-ins will not be updated to no longer use legacy Exchange Online tokens by February 17th. The add-ins are necessary for your organization. To opt out, run a command to set legacy Exchange Online tokens to remain on. It takes up to 24 hours for the command to take effect. If you turn tokens on before February 17th, your tenant will be exempt from the February 17th change. Tokens will remain on until June 2025 or until you explicitly turn them off. What happens on February 17th? Microsoft will begin deploying a change to all users worldwide in Microsoft 365 tenants that will turn off the issuance of legacy Exchange online tokens. The deployment will take several weeks to deploy to all users. If an Outlook add-in requests a legacy Exchange token, and token issuance is turned off, the add-in will receive an error. 
Outlook add-ins that still request legacy Exchange Online tokens will be broken by this change. Please note that even after legacy tokens are turned off, already issued legacy tokens will continue to be valid for approximately 24 hours. Note that since the change is applied per user, and deployed over several weeks, you could see some user's affected while others are not. Where do I get more information? The Outlook legacy tokens deprecation FAQ is updated regularly and contains information about tools and how to upgrade add-ins. We recommend you refer to the Q&A section for Microsoft 365 administrators. We also recommend you share the FAQ with any developers in your organization that need to update LOB Outlook add-ins using legacy Exchange Online tokens. Additional resources Turn legacy Exchange Online tokens on or off Legacy Exchange Online token deprecation FAQ Enable single sign-on in an Office Add-in with nested app authentication NAA Outlook sample |
2025-02-04 | MC Last Updated | 10/31/2024 20:19:59 | 2025-02-03T23:35:49Z |
2025-02-04 | MC prepare | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/NAApreviewblog https://aka.ms/NAAsampleOffice https://aka.ms/NAAsampleOutlook https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/ https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131 https://github.com/OfficeDev/office-js/issues https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1) https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-makeewsrequestasync-member(1) https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-tokenUn%2Fu0TIrdZt7Lws1LzA%2FtgoU5X8h9ock%3D&reserved=0 https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/naafaq/ https://aka.ms/NAAsampleOutlook https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/turn-exchange-tokens-on-off https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-token https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#which-add-ins-in-my-organization-are-impacted https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off |
2025-02-04 | MC Summary | Legacy Exchange Online tokens are deprecated and will be turned off starting February 2025. Add-ins using these tokens must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should identify and update affected add-ins, and developers must register updated add-ins in Azure. Tooling will be provided for admins to manage this transition. | Starting February 17, 2025, legacy Exchange Online user identity and callback tokens will be turned off for all Microsoft 365 tenants, affecting Outlook add-ins. Identify impacted add-ins, contact publishers for updates, and consider opting out if necessary. For more information, refer to the provided resources and FAQ links. |
2024-11-01 | MC Messages | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. 
We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024LNAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. 
This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] Microsoft begins turning off legacy Exchange online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. 
We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA. DateLegacy tokens status Feb 2025Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell. Jun 2025Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception Oct 25Legacy tokens turned off for all tenants. Exceptions are no longer allowed. [When is NAA generally available for my channel?] The general availability (GA) date for NAA depends on which channel you are using. DateNAA General Availability (GA) Oct 2024NAA is GA in Current Channel. Nov 2024NAA will GA in Monthly Enterprise Channel. Jan 25NAA will GA in Semi-Annual Channel. Jun 25NAA will GA in Semi-Annual Extended Channel. [How do I check which Outlook add-ins are impacted?] From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available will update the Outlook legacy token deprecation FAQ with additional documentation details. Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs: makeEwsRequestAsync getUserIdentityTokenAsync getCallbackTokenAsync We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. 
This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ. If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site. [How do I keep up with the latest guidance?] We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title. Additional resources: NAA public preview blog Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins NAA docs to get started NAA FAQ NAA Outlook sample NAA WXP sample |
2024-11-01 | MC Last Updated | 10/30/2024 22:58:00 | 2024-10-31T20:19:59Z |
2024-10-31 | MC prepare | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/NAApreviewblog https://aka.ms/NAAsampleOffice https://aka.ms/NAAsampleOutlook https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/ https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131 https://github.com/OfficeDev/office-js/issues https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1) https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-makeewsrequestasync-member(1) https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-tokenUn%2Fu0TIrdZt7Lws1LzA%2FtgoU5X8h9ock%3D&reserved=0 | https://aka.ms/NAAdocs
https://aka.ms/NAAFAQ https://aka.ms/NAApreviewblog https://aka.ms/NAAsampleOffice https://aka.ms/NAAsampleOutlook https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/ https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131 https://github.com/OfficeDev/office-js/issues https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1) https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-makeewsrequestasync-member(1) https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#callback-tokens https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-tokenUn%2Fu0TIrdZt7Lws1LzA%2FtgoU5X8h9ock%3D&reserved=0 https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens |
2024-10-31 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
2024-10-31 | MC Summary | Legacy Exchange Online tokens are deprecated, and Outlook add-ins using them will break when deactivated. Add-ins must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should update add-ins and consent to new permissions, while developers must revise code and register the updated add-ins in Azure. A timeline for deactivation is provided, with tooling for admins to manage legacy tokens coming in October 2024. | Legacy Exchange Online tokens are deprecated and will be turned off starting February 2025. Add-ins using these tokens must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should identify and update affected add-ins, and developers must register updated add-ins in Azure. Tooling will be provided for admins to manage this transition. |
2024-10-31 | MC Last Updated | 10/02/2024 01:35:12 | 2024-10-30T22:58:00Z |
2024-10-31 | MC Messages | We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off.
Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change. [Recommended actions:] Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates. Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates. Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions. Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off. [When will Microsoft turn off legacy Exchange Online tokens?] The following table lists the key milestones based on which Office app release channel tenant you're using. Note that the GA date for NAA varies based on channel. We'll soon provide tooling via PowerShell for Microsoft 365 administrators to reenable legacy Exchange tokens for their tenant or specific add-ins if those add-ins are not yet migrated to NAA. 
NAA availability for Outlook on Mac, Android, iOS, new Outlook, and Outlook on the web will align with the Microsoft 365 Current Channel release. Support for Work and School accounts as well as Microsoft account will be available for Classic Outlook on Windows, Outlook on Mac, Android, and iOS at GA. Work and School accounts will be supported on new Outlook and Outlook on the web at GA, with Microsoft account support shortly thereafter.
Date, release channel(s): Legacy tokens status and NAA GA
Oct 2024, All channels: New PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs.
Oct 2024, Current Channel: Legacy tokens turned off for tenants not using them; NAA will GA in Current Channel.
Nov 2024, Monthly Enterprise Channel: Legacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel.
Jan 2025, Current and Semi-Annual Channels: Legacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can reenable via PowerShell. NAA will GA in Semi-Annual Channels.
Feb 2025, Monthly Enterprise Channel: Legacy tokens turned off for all tenants in Monthly Enterprise. Admins can reenable via PowerShell.
June 2025, Semi-Annual Extended Channel: Legacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel.
June 2025, All channels: Admins can no longer re-enable legacy tokens via PowerShell; contact Microsoft.
Oct 2025, All channels: Legacy tokens turned off for all tenants, there will be no re-enable option.
Note: If a single tenant uses multiple Microsoft 365 apps / Office release channels, Legacy Exchange Online tokens will be turned off based on the "slowest" release channel.
[How do I check which Outlook add-ins are impacted?]
Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs.
Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:
makeEwsRequestAsync
getUserIdentityTokenAsync
getCallbackTokenAsync
We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.
If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens.
If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.
[How do I keep up with the latest guidance?]
We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title.
Additional resources:
NAA public preview blog
Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins
NAA docs to get started
NAA FAQ
NAA Outlook sample
NAA WXP sample | Updated Oct 30, 2024: We have updated the content.
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off. Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP. Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top-tier identity protection through APIs designed specifically for add-ins in Office hosts.
NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change.
[Recommended actions:]
Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates.
Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates.
Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions.
Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off.
[When will Microsoft turn off legacy Exchange Online tokens?]
Microsoft begins turning off legacy Exchange Online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected.
We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA.
Date: Legacy tokens status
Feb 2025: Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell.
Jun 2025: Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception.
Oct 25: Legacy tokens turned off for all tenants. Exceptions are no longer allowed.
[When is NAA generally available for my channel?]
The general availability (GA) date for NAA depends on which channel you are using.
Date: NAA General Availability (GA)
Oct 2024: NAA is GA in Current Channel.
Nov 2024: NAA will GA in Monthly Enterprise Channel.
Jan 25: NAA will GA in Semi-Annual Channel.
Jun 25: NAA will GA in Semi-Annual Extended Channel.
[How do I check which Outlook add-ins are impacted?]
From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report if any add-ins are using legacy tokens over the last 28 days. Once the tooling is available, we'll update the Outlook legacy token deprecation FAQ with additional documentation details.
Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:
makeEwsRequestAsync
getUserIdentityTokenAsync
getCallbackTokenAsync
We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant.
This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.
If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens.
If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.
[How do I keep up with the latest guidance?]
We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ. Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title.
Additional resources:
NAA public preview blog
Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins
NAA docs to get started
NAA FAQ
NAA Outlook sample
NAA WXP sample |
2024-10-31 | MC Title | Exchange Online token deprecation plan | (Updated) Exchange Online token deprecation plan |
2024-10-31 | MC End Time | 11/30/2025 09:00:00 | 2025-12-29T09:00:00Z |
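The message above asks developers to check whether add-in code references makeEwsRequestAsync, getUserIdentityTokenAsync or getCallbackTokenAsync. A source scan for that check follows as an added example; it is not Microsoft's tooling or part of the original message, and the function names and sample files are constructed for illustration.

```javascript
// Added example (not Microsoft tooling): flags references to the three legacy-token APIs.
const API_RE = /\b(makeEwsRequestAsync|getUserIdentityTokenAsync|getCallbackTokenAsync)\b/g;

// Heuristic: blank out // and /* */ comments but keep string literals and newlines,
// so line numbers stay correct and mailbox["getCallbackTokenAsync"] is still seen.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (quote) {                                  // inside a string or template literal
      out += c;
      if (c === "\\") { out += n ?? ""; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c; out += c; i++;
    } else if (c === "/" && n === "/") {          // line comment: skip to end of line
      while (i < src.length && src[i] !== "\n") i++;
    } else if (c === "/" && n === "*") {          // block comment: keep only its newlines
      for (i += 2; i < src.length && !(src[i] === "*" && src[i + 1] === "/"); i++)
        if (src[i] === "\n") out += "\n";
      i += 2;
    } else { out += c; i++; }
  }
  return out;
}

// One finding per reference: { file, line, api, code }.
function findLegacyTokenCalls(file, src) {
  const findings = [];
  stripComments(src).split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(API_RE))
      findings.push({ file, line: idx + 1, api: m[1], code: text.trim() });
  });
  return findings;
}
const scanAll = (files) =>
  Object.entries(files).flatMap(([name, src]) => findLegacyTokenCalls(name, src));

// Constructed sample add-in source, not taken from any real add-in.
const SAMPLE = {
  "taskpane.js": [
    'const api = "https://graph.microsoft.com/v1.0/me"; // Graph, not EWS',
    "// Office.context.mailbox.getUserIdentityTokenAsync(cb);  (removed)",
    "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, onToken);",
    '/* old: mailbox.makeEwsRequestAsync(xml, cb) */ mailbox["makeEwsRequestAsync"](xml, cb);',
  ].join("\n"),
  "commands.js": "Office.context.mailbox.item.subject.getAsync(show);",
};
for (const f of scanAll(SAMPLE)) console.log(`${f.file}:${f.line} ${f.api}  ${f.code}`);
```

A clean result only shows that no reference exists in the files scanned; minified bundles and dynamically built property names need a manual review.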
Last updated 1 week ago