{"id":23504,"date":"2024-12-02T11:55:59","date_gmt":"2024-12-02T19:55:59","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=23504"},"modified":"2025-05-06T14:17:34","modified_gmt":"2025-05-06T21:17:34","slug":"naa-and-deprecation-of-legacy-tokens","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/naa-and-deprecation-of-legacy-tokens\/","title":{"rendered":"Update on nested app authentication and deprecation of Exchange Online legacy tokens"},"content":{"rendered":"

Earlier this year,<\/span> the Office Platform Team announced that Exchange Online legacy tokens are deprecated and will be turned off. This is part of <\/span><\/span>Microsoft\u2019s Secure Future Initiative<\/span><\/span><\/a> (SFI) <\/span>to give organizations the tools they need in the current threat landscape. <\/span>We\u2019ll<\/span> begin turning off legacy tokens in <\/span>February 2025<\/span>. <\/span><\/span>Publishers and developers are actively migrating their Outlook add-ins to use Entra ID tokens <\/span>through nested app authentication (NAA) <\/span>and Microsoft Graph instead of legacy tokens.<\/span><\/span>\u00a0<\/span><\/p>\n

As part of supporting <\/span>Outlook add-in migration to NAA, <\/span>we<\/span>\u2019re<\/span> excited to announce that <\/span>NAA is now generally available (GA) <\/span>in<\/span> the Monthly Enterprise Channel<\/span> for Outlook<\/span> add-ins<\/span>. <\/span>We\u2019re<\/span> continuing to roll out NAA <\/span>support according to the following timeline.<\/span><\/span>\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n
Date<\/span><\/b>\u00a0<\/span><\/td>\nNAA General Availability (GA)<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
Oct 2024<\/span>\u00a0<\/span><\/td>\nComplete – NAA is GA in Current Channel.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Nov 2024<\/span>\u00a0<\/span><\/td>\nComplete – NAA is GA in Monthly Enterprise Channel.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Jan 2025<\/span>\u00a0<\/span><\/td>\nNAA will GA in Semi-Annual Channel.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Jun 2025<\/span>\u00a0<\/span><\/td>\nNAA will GA in Semi-Annual Extended Channel.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

We\u2019re also announcing the availability of new Exchange PowerShell parameters to control the issuance of legacy tokens on a Microsoft 365 tenant.<\/span>\u00a0<\/span><\/p>\n

Turn <\/span>Exchange Online <\/span>legacy tokens on or off<\/span><\/span>\u00a0<\/span><\/h2>\n

As a developer you\u2019ll want to test updates you make to your Outlook add-in to move off legacy tokens. You can create a test tenant and turn off legacy tokens in the test tenant. Then sideload your add-in on the test tenant and confirm that it\u2019s working correctly when legacy tokens are unavailable.<\/span>\u00a0<\/span><\/p>\n

You can use the <\/span>Set-AuthenticationPolicy<\/span><\/b> command to control issuance of legacy Exchange Online tokens. For more information about using this command, see <\/span>Turn legacy Exchange Online tokens on or off<\/a>.<\/p>\n

Use the <\/span>Set-AuthenticationPolicy<\/span><\/b> commands to turn off legacy tokens when you\u2019re using a test tenant to test your Outlook add-ins. <\/span>Don’t use the command to turn off legacy tokens on a production tenant. The command can affect essential Outlook services and may cause issues for users. It will be updated soon so that it also works on production tenants.<\/span><\/b>\u00a0<\/span><\/p>\n

\"Image<\/a><\/p>\n

Identify<\/span> add-ins <\/span>that are <\/span>using <\/span>Exchange Online <\/span>legacy <\/span>tokens<\/span><\/h2>\n

We published a list of all Outlook add-ins published to the Microsoft store that use legacy tokens. For more information on how to use the list and build a report of Outlook add-ins that are potentially using legacy tokens, see Find Outlook add-ins that use legacy Exchange Online tokens<\/a>.<\/span><\/p>\n

If you have any deployed add-ins that are listed in the add-ins-using-exchange-tokens spreadsheet<\/a>, we recommend you contact the publisher as soon as possible to confirm they have a plan and a timeline for moving off legacy tokens. Otherwise, when legacy tokens are eventually turned off starting February 2025, those add-ins will break.<\/span><\/p>\n

Add-ins that <\/span>are<\/span> already <\/span>updated<\/span><\/span>\u00a0<\/span><\/h2>\n

Some publishers have already updated their add-ins <\/span>and <\/span>no longer use legacy tokens. To see a list of publishers who have updated their add-ins, see the section Is there a list of publishers with updated add-ins?<\/a> on our legacy tokens deprecation FAQ. <\/span>As more publishers update their add-ins<\/span>, <\/span>we\u2019ll<\/span> add t<\/span>hem to the<\/span> list.<\/span><\/span><\/p>\n

See also<\/h3>\n

Nested app authentication and Outlook legacy tokens deprecation FAQ<\/a><\/p>\n

\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Earlier this year, the Office Platform Team announced that Exchange Online legacy tokens are deprecated and will be turned off. This is part of Microsoft\u2019s Secure Future Initiative (SFI) to give organizations the tools they need in the current threat landscape. We\u2019ll begin turning off legacy tokens in February 2025. Publishers and developers are actively migrating their Outlook add-ins to use Entra ID tokens through nested app authentication (NAA) and Microsoft Graph instead of legacy tokens.\u00a0<\/p>\n","protected":false},"author":90983,"featured_media":23532,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,11],"tags":[348,385,373,12],"class_list":["post-23504","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365-developer","category-office-add-ins","tag-exchange-online","tag-legacy-tokens","tag-naa","tag-outlook"],"acf":[],"blog_post_summary":"

Earlier this year, the Office Platform Team announced that Exchange Online legacy tokens are deprecated and will be turned off. This is part of Microsoft\u2019s Secure Future Initiative (SFI) to give organizations the tools they need in the current threat landscape. We\u2019ll begin turning off legacy tokens in February 2025. Publishers and developers are actively migrating their Outlook add-ins to use Entra ID tokens through nested app authentication (NAA) and Microsoft Graph instead of legacy tokens.\u00a0<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/23504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/90983"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=23504"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/23504\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/23532"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=23504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=23504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=23504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}