Exchange Online token deprecation plan
If your tenant uses legacy Exchange Online tokens, they will be deprecated and Outlook add-ins that still use them will break when tokens are turned off.
- Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft’s Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP.
- Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.
NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change.
Recommended actions:
- Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates.
- Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates.
- Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in’s required permissions.
- Don’t wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It’s best to implement updates well before legacy Exchange Online tokens are turned off.
When will Microsoft turn off legacy Exchange Online tokens?
The following table lists the key milestones based on which Office app release channel your tenant is using. Note that the GA date for NAA varies based on channel. Microsoft will soon provide tooling via PowerShell for Microsoft 365 administrators to re-enable legacy Exchange tokens for their tenant or specific add-ins if those add-ins are not yet migrated to NAA.
NAA availability for Outlook on Mac, Android, iOS, new Outlook, and Outlook on the web will align with the Microsoft 365 Current Channel release. Support for Work and School accounts as well as Microsoft account will be available for Classic Outlook on Windows, Outlook on Mac, Android, and iOS at GA. Work and School accounts will be supported on new Outlook and Outlook on the web at GA, with Microsoft account support shortly thereafter.
Date | Release Channel(s) | Legacy tokens status and NAA GA |
Oct 2024 | All channels | New PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs. |
Oct 2024 | Current Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Current Channel. |
Nov 2024 | Monthly Enterprise Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel. |
Jan 2025 | Current and Semi-Annual Channels | Legacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can reenable via PowerShell. NAA will GA in Semi-Annual Channels. |
Feb 2025 | Monthly Enterprise Channel | Legacy tokens turned off for all tenants in Monthly Enterprise. Admins can reenable via PowerShell. |
June 2025 | Semi-Annual Extended Channel | Legacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel. |
June 2025 | All channels | Admins can no longer re-enable legacy tokens via PowerShell; contact Microsoft. |
Oct 2025 | All channels | Legacy tokens turned off for all tenants; there will be no re-enable option. |
Note: If a single tenant uses multiple Microsoft 365 apps / Office release channels, legacy Exchange Online tokens will be turned off based on the “slowest” release channel.
How do I check which Outlook add-ins are impacted?
Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:
Microsoft will provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. Microsoft will provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.
If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they’re ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the Updates on deprecating legacy Exchange Online tokens for Outlook add-ins blog and ask any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.
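For developers reviewing their own add-in code, the following added example (not Microsoft's tooling and not from the original announcement) scans JavaScript source for the three Office.js mailbox calls that depend on legacy Exchange tokens: `getUserIdentityTokenAsync`, `getCallbackTokenAsync` and `makeEwsRequestAsync`. The function names and the sample sources are constructed for illustration, and the comment stripping is a heuristic rather than a full JavaScript parser.

```javascript
// Added example; LEGACY_TOKEN_APIS, scanSource, summarize and SAMPLE are illustrative names.
// Office.js mailbox calls that depend on legacy Exchange Online tokens.
const LEGACY_TOKEN_APIS = ["getUserIdentityTokenAsync", "getCallbackTokenAsync", "makeEwsRequestAsync"];

// Blank out comments but keep line breaks, so commented-out calls are not
// reported and line numbers still match the file. Heuristic: "//" directly
// after ":" is treated as part of a URL, not as a comment.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Return one finding per reference, covering both mailbox.name(...) and
// mailbox["name"](...) access styles.
function scanSource(file, src) {
  const pattern = new RegExp(`\\b(${LEGACY_TOKEN_APIS.join("|")})\\b`, "g");
  const findings = [];
  stripComments(src).split("\n").forEach((line, i) => {
    for (const m of line.matchAll(pattern)) {
      findings.push({ file, line: i + 1, api: m[1] });
    }
  });
  return findings;
}

// Map each file that still references a legacy-token API to the APIs it uses.
function summarize(files) {
  const report = {};
  for (const [file, src] of Object.entries(files)) {
    const apis = [...new Set(scanSource(file, src).map((f) => f.api))].sort();
    if (apis.length) report[file] = apis;
  }
  return report;
}

// Constructed sample add-in sources (not from any real add-in).
const SAMPLE = {
  "taskpane.js": [
    "// old: Office.context.mailbox.getUserIdentityTokenAsync(cb);",
    "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, (r) => {",
    "  fetch('https://outlook.office.com/api/v2.0/me', { headers: { Authorization: 'Bearer ' + r.value } });",
    "});",
  ].join("\n"),
  "commands.js": "Office.context.mailbox['makeEwsRequestAsync'](soap, done);",
  "naa.js": "const token = await pca.acquireTokenSilent({ scopes: ['Mail.Read'] });",
};

console.log(summarize(SAMPLE));
```

A file that appears in the report needs migration work before the cutoff for its release channel; a clean report does not cover references hidden in bundled or minified dependencies.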
How do I keep up with the latest guidance?
Microsoft will share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ.
Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put “NAA” in the title.