December 2nd, 2024

Update on nested app authentication and deprecation of Exchange Online legacy tokens

Earlier this year, the Office Platform Team announced that Exchange Online legacy tokens are deprecated and will be turned off. This is part of Microsoft’s Secure Future Initiative (SFI) to give organizations the tools they need in the current threat landscape. We’ll begin turning off legacy tokens in February 2025. Publishers and developers are actively migrating their Outlook add-ins to use Entra ID tokens through nested app authentication (NAA) and Microsoft Graph instead of legacy tokens. 

As part of supporting Outlook add-in migration to NAA, we’re excited to announce that NAA is now generally available (GA) in the Monthly Enterprise Channel for Outlook add-ins. We’re continuing to roll out NAA support according to the following timeline. 

Date      NAA General Availability (GA)
Oct 2024  Complete – NAA is GA in Current Channel.
Nov 2024  Complete – NAA is GA in Monthly Enterprise Channel.
Jan 2025  NAA will be GA in Semi-Annual Channel.
Jun 2025  NAA will be GA in Semi-Annual Extended Channel.

We’re also announcing the availability of new Exchange PowerShell parameters to control the issuance of legacy tokens on a Microsoft 365 tenant. 

Turn Exchange Online legacy tokens on or off 

As a developer you’ll want to test updates you make to your Outlook add-in to move off legacy tokens. You can create a test tenant and turn off legacy tokens in the test tenant. Then sideload your add-in on the test tenant and confirm that it’s working correctly when legacy tokens are unavailable. 

You can use the Set-AuthenticationPolicy command to control issuance of legacy Exchange Online tokens. For more information about using this command, see Turn legacy Exchange Online tokens on or off.

Use the Set-AuthenticationPolicy command to turn off legacy tokens when you’re using a test tenant to test your Outlook add-ins. Don’t use the command to turn off legacy tokens on a production tenant. The command can affect essential Outlook services and may cause issues for users. It will be updated soon so that it also works on production tenants.
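The following script is an added example, not code from this post: it turns legacy tokens off (or back on) only after confirming that the Exchange Online session belongs to the expected test tenant. It assumes the ExchangeOnlineManagement module is installed; the tenant ID is a placeholder, and the switch names come from Microsoft's Exchange Online PowerShell documentation rather than from this page.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: change legacy Exchange Online token issuance on a TEST tenant only.
param(
    # Placeholder value: replace with the tenant ID (GUID) of your test tenant.
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000',
    # Pass -Restore to turn legacy tokens back on after testing.
    [switch]$Restore
)

Connect-ExchangeOnline -ShowBanner:$false

# Guard: refuse to change anything unless this session is bound to the test tenant.
$session = Get-ConnectionInformation |
    Where-Object State -eq 'Connected' |
    Select-Object -First 1

if (-not $session -or $session.TenantID -ne $ExpectedTenantId) {
    $actual = if ($session) { $session.TenantID } else { 'no active session' }
    Disconnect-ExchangeOnline -Confirm:$false
    throw "Connected tenant '$actual' is not the expected test tenant '$ExpectedTenantId'. No change made."
}

# Show the current setting before changing it.
Get-AuthenticationPolicy -AllowLegacyExchangeTokens

if ($Restore) {
    Set-AuthenticationPolicy -AllowLegacyExchangeTokens -Identity 'LegacyExchangeTokens'
} else {
    Set-AuthenticationPolicy -BlockLegacyExchangeTokens -Identity 'LegacyExchangeTokens'
}

# Read the setting back so the change is visible in the session transcript.
Get-AuthenticationPolicy -AllowLegacyExchangeTokens

Disconnect-ExchangeOnline -Confirm:$false
```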

[Image: legacy tokens blocked]

Identify add-ins that are using Exchange Online legacy tokens

For Microsoft 365 administrators, we planned to provide a reporting feature that would allow you to get a list of all add-ins that used legacy tokens in the last 28 days. We’re still working on this feature and will release it as soon as we can. However, as of now, it is not available, and we do apologize for any inconvenience. The good news is that you’re not blocked. We published a list of all Outlook add-ins published to the Microsoft store that use legacy tokens as of October 2024. For more information on how to use the list and build a report of Outlook add-ins that are potentially using legacy tokens, see Find Outlook add-ins that use legacy Exchange Online tokens.

If you have any deployed add-ins that are listed in the add-ins-using-exchange-tokens spreadsheet, we recommend you contact the publisher as soon as possible to confirm they have a plan and a timeline for moving off legacy tokens. Otherwise, when legacy tokens are eventually turned off starting February 2025, those add-ins will break.

Add-ins that are already updated 

Some publishers have already updated their add-ins and no longer use legacy tokens. To see a list of publishers who have updated their add-ins, see the section Is there a list of publishers with updated add-ins? on our legacy tokens deprecation FAQ. As more publishers update their add-ins, we’ll add them to the list.

See also

Nested app authentication and Outlook legacy tokens deprecation FAQ

 
