August 14th, 2024

Updates on deprecating legacy Exchange Online tokens for Outlook add-ins

We want to share an update on the timeline and plans for deprecating legacy Exchange Online user identity tokens and callback tokens. If your Outlook add-in uses legacy tokens to make calls to Exchange, then this information applies to you.

On April 9, 2024 the Office Platform Team made two major announcements:

  1. We launched the public preview of Nested App Authentication (NAA), which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.
  2. We announced that legacy Exchange user identity tokens and callback tokens will be turned off by default for all Exchange Online tenants as part of Microsoft’s Secure Future Initiative to protect organizations in the current threat landscape. If your add-in uses legacy tokens to make calls to Exchange, you need to migrate from Exchange tokens to using NAA and Entra ID tokens as soon as possible.

Timeline for turning off legacy Exchange tokens

In April, we announced that Exchange tokens will be turned off by default for all tenants in October 2024. This has been updated and you should have more time to move your Outlook add-ins from Exchange tokens to NAA. The following tables list the key milestones based on which channel customers are using. Note that the general availability (GA) date for NAA will vary based on channel. We’ll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins are not yet migrated to NAA.

Current Channel

Date Action
October 2024 NAA is GA for Current Channel.

Exchange online tokens are turned off by default for new tenants and existing tenants known not to be using Exchange tokens.

The administrator can choose to reenable Exchange tokens on tenants or add-ins as needed.

January 2025 Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

Monthly Enterprise Channel

Date Action
November 2024 NAA is GA for Monthly Enterprise Channel.

Exchange online tokens are turned off by default for new tenants and existing tenants known not to be using Exchange tokens.

The administrator can choose to reenable Exchange tokens on tenants or add-ins as needed.

February 2025 Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

 

Semi-annual Channel

Date Action
January 2025 NAA is GA for Semi-annual Channel.

Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

 

Semi-annual Channel Extended

Date Action
June 2025 NAA is GA for Semi-annual Channel Extended.

The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.

October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

Next steps for developers

Get started migrating your add-in from Exchange tokens to NAA. Refer to the original blog post: New Nested App Authentication for Office Add-ins: Legacy Exchange tokens off by default in October 2024 (microsoft.com). It includes the following information:

  • How to determine if your add-in is using Exchange online legacy tokens.
  • How to adopt NAA in your add-in.

More resources

For questions, issues, or bugs, find us on GitHub and put “NAA” in your issue title: Issues · OfficeDev/office-js (github.com)

We’ll also be sharing updates on our monthly community call.

Articles and samples

7 comments

Discussion is closed. Login to edit/delete existing comments.

  • Chris Owens

    Does this change impact my tenant If I already have conditional access policies blocking access to Exchange Online via legacy protocols ?

  • Randy Greig

    I keep seeing the mention that we can temporarily turn Legacy Tokens back on, but I have been unable to find documentation on how to do that?

    We seem to have missed the April notice about it being turned off 🙁

  • Dan BagleyMicrosoft employee

    All programmers and admins READ this article and understand the possible impact.

    Note: All programmers and Admins need to be aware that any modern Addin for Outlook may need to be update before the deactivation deadline if they are not then the adding will stop working and need a programmatic update or will need the legacy auth turned back on IF it can be by an administrator. Its possible that most modern add-ins in...

    Read more
  • Manuel

    Given the short time to adapt NAA, I am worried about the number of unanswered and/or unresolved questions and issues about NAA in the official OfficeJS GitHub repository

  • Stuart Chapman

    I have a few questions:

    1. How can there be different timelines for Exchange Online tokens being turned off at the tenant level based on the Outlook channel (Current, SAEC or MEC). The blog states tokens will be turned off in Jan 2025 for Current channel but Feb 2025 for Monthly Enterprise Channel. Since it’s a tenant level change, I don’t understand how the Outlook channel can come into play. We have multiple channels in use...

    Read more
    • David ChesnutMicrosoft employee Author

      Hi Stuart,

      Thanks for these questions:
      1. If a tenant is set up using mixed channels we use the path least likely to break anyone. For example, if your tenant has clients using both Monthly Enterprise Channel and Current Channel, the Monthly Enterprise Channel schedule is followed. Once turned off the Exchange tokens can't be reenabled unless the admin chooses to reenable them.
      2. Yes. This applies to all platforms.
      3. Yes. Add-ins in Outlook on...

      Read more
      • Stuart Chapman

        Thanks, @DavidChesnut for your response. Sorry for my late reply, I wasn’t notified that you had replied to my comment.

        I have a few follow-up questions which I hope you can assist with:

        1. We have a mix of Monthly Enterprise Channel (MEC) and Semi-Annual Enterprise Channel (SAEC) releases in use. 99% of users are on MEC, and we have about 150 devices still on SAEC. Will that be sufficient for Microsoft to put us on the...

        Read more