Introducing Nested App Authentication: An improved authentication protocol for your Teams app

Nested App Authentication (NAA) is a new authentication protocol for Personal Tab Teams apps that run in Teams, Outlook, and Microsoft 365. NAA simplifies the authentication process to facilitate single sign-on (SSO) across these host environments and provides several advantages over the existing on-behalf-of (OBO) authentication model, enabling the development of dynamic, user-focused applications.

Today, to add authentication to your Personal Tab app you must leverage authentication APIs from Teams JS to do on-behalf-of (OBO) token fetching. This approach involves multiple network calls and requires registering a backend for your app. We’ve heard developer feedback about the costs and complexities of this protocol and today we are excited to offer an improved experience. Nested App Authentication addresses these challenges and improves the auth experience for developers by:

Leveraging the common Microsoft Authentication Library (MSAL.js) to align on a single authentication protocol for all contexts your app runs in – whether that’s as a standalone web page or embedded in native or web host application. NAA is also supported for Office Add-Ins to provide further consistency across M365.
Reducing developer overhead by eliminating the need to set up a middle-tier service by allowing you to call services with an access token from your own client code, as well removing the need to preauthorize your hosts.
Enables incremental and dynamic consent for scope permissions – allowing you to request tokens for any AAD-protected resource the user has consented to, without having to specify the resource in the app manifest or use the OBO flow.
Removes the reliance on third-party cookies for authenticating users in supported web-hosts, so when cookies are blocked the user can still authenticate without any UX interruptions to their workflow.

Nested App Authentication is available in public preview and we encourage you to try it now. For details on how to access the feature in preview state learn more here.

Adoption

To adopt NAA in your app, follow these steps:

Register your app with Entra ID (if you haven’t already).
Update your redirect URIs to support trusted brokers.
Add a fallback authentication method.
Test your app across environments*.

Read the detailed documentation here or get started with a sample app.

*Please note that while it’s still in public preview we recommend checking the support status using the Teams JS SDK and providing a fallback experience for any Microsoft host applications your app runs in that aren’t yet enabled.

We are excited to announce Nested App Authentication as a new way to secure your extended Teams apps and provide a better user experience. We look forward to you trying it out and giving us your feedback.