August 14th, 2024

Updates on deprecating legacy Exchange Online tokens for Outlook add-ins

We want to share an update on the timeline and plans for deprecating legacy Exchange Online user identity tokens and callback tokens. If your Outlook add-in uses legacy tokens to make calls to Exchange, then this information applies to you.

On April 9, 2024 the Office Platform Team made two major announcements:

  1. We launched the public preview of Nested App Authentication (NAA), which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.
  2. We announced that legacy Exchange user identity tokens and callback tokens will be turned off by default for all Exchange Online tenants as part of Microsoft’s Secure Future Initiative to protect organizations in the current threat landscape. If your add-in uses legacy tokens to make calls to Exchange, you need to migrate from Exchange tokens to using NAA and Entra ID tokens as soon as possible.

Timeline for turning off legacy Exchange tokens

In April, we announced that Exchange tokens will be turned off by default for all tenants in October 2024. This has been updated and you should have more time to move your Outlook add-ins from Exchange tokens to NAA. The following tables list the key milestones based on which channel customers are using. Note that the general availability (GA) date for NAA will vary based on channel. We’ll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins are not yet migrated to NAA.

Current Channel

Date Action
October 2024 NAA is GA for Current Channel.

Exchange online tokens are turned off by default for new tenants and existing tenants known not to be using Exchange tokens.

The administrator can choose to reenable Exchange tokens on tenants or add-ins as needed.

January 2025 Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

Monthly Enterprise Channel

Date Action
November 2024 NAA is GA for Monthly Enterprise Channel.

Exchange online tokens are turned off by default for new tenants and existing tenants known not to be using Exchange tokens.

The administrator can choose to reenable Exchange tokens on tenants or add-ins as needed.

February 2025 Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

 

Semi-annual Channel

Date Action
January 2025 NAA is GA for Semi-annual Channel.

Exchange online tokens are turned off by default for all tenants.

The administrator can choose to reenable Exchange tokens on tenants and add-ins as needed.

June 2025 The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.
October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

 

Semi-annual Channel Extended

Date Action
June 2025 NAA is GA for Semi-annual Channel Extended.

The ability for the administrator to reenable Exchange online tokens is removed. If a tenant or add-in needs Exchange tokens reenabled, the administrator must contact Microsoft.

October 2025 Exchange online tokens are turned off for all tenants and add-ins, including any that were reenabled.

Next steps for developers

Get started migrating your add-in from Exchange tokens to NAA. Refer to the original blog post: New Nested App Authentication for Office Add-ins: Legacy Exchange tokens off by default in October 2024 (microsoft.com). It includes the following information:

  • How to determine if your add-in is using Exchange online legacy tokens.
  • How to adopt NAA in your add-in.

More resources

For questions, issues, or bugs, find us on GitHub and put “NAA” in your issue title: Issues · OfficeDev/office-js (github.com)

We’ll also be sharing updates on our monthly community call.

Articles and samples

Author

3 comments

Leave a comment

Newest
Newest
Popular
Oldest
  • Stuart Chapman

    I have a few questions:

    1. How can there be different timelines for Exchange Online tokens being turned off at the tenant level based on the Outlook channel (Current, SAEC or MEC). The blog states tokens will be turned off in Jan 2025 for Current channel but Feb 2025 for Monthly Enterprise Channel. Since it’s a tenant level change, I don’t understand how the Outlook channel can come into play. We have multiple channels in use within our org (mostly MEC and some Current Channel), so how do we know which date applies to us?
    2. Does this change impact Outlook add-ins on non-Windows platforms? E.g. Outlook for Mac (legacy), Outlook for Mac (new UI) and Outlook Mobile (iOS and Android). The references to SAEC/MEC/Current channels (which only exist on Windows versions of Outlook) makes this confusing and unclear.
    3. Does change impact add-ins in Outlook on the Web (OWA)?
    4. Does this change impact legacy COM/VSTO add-ins or just “Modern add-ins” based on the Microsoft Office add-in JS frameworks?
    5. Since this is a major change, why hasn’t it been posted as a Message Centre post in the M365 Admin centre?

    • David ChesnutMicrosoft employee Author

      Hi Stuart,

      Thanks for these questions:
      1. If a tenant is set up using mixed channels we use the path least likely to break anyone. For example, if your tenant has clients using both Monthly Enterprise Channel and Current Channel, the Monthly Enterprise Channel schedule is followed. Once turned off the Exchange tokens can’t be reenabled unless the admin chooses to reenable them.
      2. Yes. This applies to all platforms.
      3. Yes. Add-ins in Outlook on the web are impacted.
      4. Yes. COM/VSTO add-ins will not be able to use legacy Exchange tokens once they are turned off online.
      5. This blog post is for developer awareness. We’ll be posting to the Microsoft 365 admin center soon with additional information for admins.

      Hope this helps!

Feedback