check before: 2025-10-01
Product:
Entra, Exchange, Microsoft 365 Apps, Outlook
Platform:
Android, Developer, iOS, Mac, Online, Web, World tenant
Status:
Change type:
Admin impact, Retirement
Links:
Details:
Summary:
Legacy Exchange Online tokens are deprecated, and Outlook add-ins using them will break when deactivated. Add-ins must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should update add-ins and consent to new permissions, while developers must revise code and register the updated add-ins in Azure. A timeline for deactivation is provided, with tooling for admins to manage legacy tokens coming in October 2024.
Details:
We're contacting you because your tenant uses legacy Exchange Online tokens that are deprecated and Outlook add-ins that still use them will break when tokens are turned off.
Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP.
Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.
NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change.
[Recommended actions:]
Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates.
Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates.
Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions.
Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off.
[When will Microsoft turn off legacy Exchange Online tokens?]
The following table lists the key milestones based on which Office app release channel your tenant is using. Note that the GA date for NAA varies based on channel. We'll soon provide tooling via PowerShell for Microsoft 365 administrators to reenable legacy Exchange tokens for their tenant or specific add-ins if those add-ins are not yet migrated to NAA.
NAA availability for Outlook on Mac, Android, iOS, new Outlook, and Outlook on the web will align with the Microsoft 365 Current Channel release. Support for Work and School accounts as well as Microsoft account will be available for Classic Outlook on Windows, Outlook on Mac, Android, and iOS at GA. Work and School accounts will be supported on new Outlook and Outlook on the web at GA, with Microsoft account support shortly thereafter.
| Date | Release channel(s) | Legacy tokens status and NAA GA |
| --- | --- | --- |
| Oct 2024 | All channels | New PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs. |
| Oct 2024 | Current Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Current Channel. |
| Nov 2024 | Monthly Enterprise Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel. |
| Jan 2025 | Current and Semi-Annual Channels | Legacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can reenable via PowerShell. NAA will GA in Semi-Annual Channels. |
| Feb 2025 | Monthly Enterprise Channel | Legacy tokens turned off for all tenants in Monthly Enterprise. Admins can reenable via PowerShell. |
| June 2025 | Semi-Annual Extended Channel | Legacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel. |
| June 2025 | All channels | Admins can no longer re-enable legacy tokens via PowerShell; contact Microsoft. |
| Oct 2025 | All channels | Legacy tokens turned off for all tenants, there will be no re-enable option. |
Note: If a single tenant uses multiple Microsoft 365 apps / Office release channels, Legacy Exchange Online tokens will be turned off based on the "slowest" release channel.
[How do I check which Outlook add-ins are impacted?]
Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:
- makeEwsRequestAsync
- getUserIdentityTokenAsync
- getCallbackTokenAsync
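A static check for the three API names listed above, as an added example (not Microsoft's tooling and not part of the original message): it scans add-in JavaScript source for references and ignores mentions that appear only in comments. The function names and the `SAMPLE` sources are constructed for illustration.

```javascript
// Added example: flag references to the legacy-token APIs named in the message.
const LEGACY_APIS = ["makeEwsRequestAsync", "getUserIdentityTokenAsync", "getCallbackTokenAsync"];
const API_RE = new RegExp("\\b(" + LEGACY_APIS.join("|") + ")\\b", "g");

// Blank out // and /* */ comments, keeping newlines (so line numbers hold)
// and string literals (so mailbox["getCallbackTokenAsync"] still matches).
function stripComments(src) {
  let out = "", state = "code", quote = "";
  for (let i = 0; i < src.length; i++) {
    const c = src[i], next = src[i + 1];
    if (state === "code") {
      if (c === "/" && next === "/") { state = "line"; out += "  "; i++; }
      else if (c === "/" && next === "*") { state = "block"; out += "  "; i++; }
      else {
        if (c === '"' || c === "'" || c === "`") { state = "str"; quote = c; }
        out += c;
      }
    } else if (state === "str") {
      out += c;
      if (c === "\\" && next !== undefined) { out += next; i++; } // escaped char
      else if (c === quote) state = "code";
    } else if (state === "line") {
      if (c === "\n") { state = "code"; out += c; } else out += " ";
    } else if (c === "*" && next === "/") { state = "code"; out += "  "; i++; }
    else out += c === "\n" ? c : " "; // inside a block comment
  }
  return out;
}

// files: { "path": "source text" }  ->  [{ file, line, api }]
function findLegacyTokenCalls(files) {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    stripComments(src).split("\n").forEach((text, idx) => {
      for (const m of text.matchAll(API_RE)) hits.push({ file, line: idx + 1, api: m[1] });
    });
  }
  return hits;
}

// Constructed sample sources, not taken from any real add-in.
const SAMPLE = {
  "taskpane.js": [
    "// TODO: replace getUserIdentityTokenAsync with NAA",
    "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, onToken);",
    "const url = 'https://example.invalid/api'; // REST base",
    "Office.context.mailbox['makeEwsRequestAsync'](soapBody, onEws);",
  ].join("\n"),
  "migrated.js": "/* getCallbackTokenAsync removed */\nconst done = true;",
};
console.log(findLegacyTokenCalls(SAMPLE));
```

A clean result does not prove an add-in is unaffected: bundled or minified code that builds property names dynamically will not match, so the result still needs confirming with the developer or ISV.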
We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.
If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.
[How do I keep up with the latest guidance?]
We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ.
Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title.
Additional resources:
NAA public preview blog
Microsoft 365 developer blog: Updates on deprecating legacy Exchange Online tokens for Outlook add-ins
NAA docs to get started
NAA FAQ
NAA Outlook sample
NAA WXP sample
Created:
2024-10-02
updated:
2024-10-02
Direct effects for Operations**
Outlook Add-ins Failure
Outlook add-ins using legacy Exchange Online tokens will break, leading to disruption in user workflows and productivity.
- roles: End Users, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/updates-on-deprecating-legacy-exchange-online-tokens-for-outlook-add-ins/?commentid=1131
Increased Support Requests
Users may experience issues with add-ins, resulting in a surge of support requests to IT, impacting response times and resource allocation.
- roles: Help Desk Staff, IT Administrators
- references: https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/
Compliance Risks
Failure to update add-ins may lead to non-compliance with security protocols, exposing the organization to potential security threats.
- roles: Compliance Officers, IT Security Staff
- references: https://learn.microsoft.com/office/dev/add-ins/outlook/authentication#exchange-user-identity-token
Development Backlog
Developers will face increased workload to update and register add-ins, potentially delaying other projects and initiatives.
- roles: Developers, Project Managers
- references: https://learn.microsoft.com/javascript/api/outlook/office.mailbox?view=outlook-js-preview#outlook-office-mailbox-getuseridentitytokenasync-member(1)
User Experience Degradation
Users relying on affected add-ins will experience degraded functionality, leading to frustration and decreased satisfaction with IT services.
- roles: End Users, IT Administrators
- references: https://aka.ms/NAAFAQ
explanation for non-techies**
Microsoft is making some important changes to how Outlook add-ins authenticate with Exchange Online. Think of this like upgrading the locks on your office doors. The old keys (legacy Exchange Online tokens) are being phased out, and new, more secure keys (Nested App Authentication and Entra ID tokens) are being introduced.
If your Outlook add-ins still use the old keys, they won't work once these changes take effect. It's similar to how you wouldn't be able to unlock your office if you only had the old keys after the locks were changed. To avoid any disruptions, developers need to update the add-ins to use the new keys. This involves some code changes and registering the updated add-ins in Microsoft Azure.
Administrators should identify which add-ins need updating and coordinate with developers or software vendors to ensure these updates are made. This is like making sure everyone in the office gets their new keys before the old locks are changed.
Microsoft has provided a timeline for when these changes will happen, starting in October 2024 and continuing through October 2025. There will also be tools available to help manage this transition, such as a PowerShell option to re-enable the old keys temporarily if needed.
In summary, it's crucial to start planning and implementing these updates now to ensure a smooth transition and avoid any interruptions in your Outlook add-ins' functionality.
** AI generated content. This information must be reviewed before use.