MC902782: Exchange Online token deprecation plan

Announcement ID: MC902782
Published Date: 10-01-2024
Service: Exchange
Last Updated: 10-31-2024
Category: Plan for change
Expiration Date: 12-29-2025
Roadmap ID:
Action Required by Date:
Tags: Major update, Admin impact, Retirement


Summary
Legacy Exchange Online tokens are deprecated and will be turned off starting February 2025. Add-ins using these tokens must migrate to Nested App Authentication (NAA) and Entra ID tokens. Administrators should identify and update affected add-ins, and developers must register updated add-ins in Azure. Tooling will be provided for admins to manage this transition.


More Information

We're contacting you because your tenant uses legacy Exchange Online tokens, which are deprecated. Outlook add-ins that still use them will break when the tokens are turned off.

  • Legacy Exchange Online user identity tokens and callback tokens are deprecated and will soon be turned off for all Exchange Online tenants. This is part of Microsoft's Secure Future Initiative to protect orgs in the current threat landscape. If add-ins use legacy tokens to make calls to Exchange, developers need to migrate from Exchange tokens to using Nested App Authentication (NAA) and Entra ID tokens ASAP.
  • Code changes to add-ins using legacy Exchange Online tokens are required to ensure they continue to work. We recommend you update affected add-ins to use NAA, which provides simple authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.

NOTE: This change only applies to Exchange Online; add-ins used in on-premises environments are not impacted by this change.

Recommended actions:

  • Administrators: Identify which add-ins need to be updated and contact the ISVs or developers of those applications to get updates.
  • Developers: Check the add-in code to see if the related API calls are used and then make appropriate updates.
  • Register: The updated add-ins require an application registration in Microsoft Azure. Developers need to create an application registration for each add-in. Admins need to consent to the application registration for each add-in's required permissions.
  • Don't wait: Add-ins are often part of mission critical functions, and the updates will take time to implement. It's best to implement updates well before legacy Exchange Online tokens are turned off.

When will Microsoft turn off legacy Exchange Online tokens?

Microsoft begins turning off legacy Exchange Online tokens in February 2025. From now until February 2025, existing and new tenants will not be affected. We'll provide tooling for administrators to reenable Exchange tokens for tenants and add-ins if those add-ins aren't yet migrated to NAA.

Date      Legacy tokens status
Feb 2025  Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell.
Jun 2025  Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception.
Oct 25    Legacy tokens turned off for all tenants. Exceptions are no longer allowed.

When is NAA generally available for my channel? 

The general availability (GA) date for NAA depends on which channel you are using. 

Date      NAA General Availability (GA)
Oct 2024  NAA is GA in Current Channel.
Nov 2024  NAA will GA in Monthly Enterprise Channel.
Jan 25    NAA will GA in Semi-Annual Channel.
Jun 25    NAA will GA in Semi-Annual Extended Channel.

How do I check which Outlook add-ins are impacted?

From October 30th through mid-November 2024, we'll roll out new tooling via PowerShell for Microsoft 365 administrators to turn legacy Exchange tokens on or off in your tenant. If you find you need to reenable legacy Exchange tokens, you can use the PowerShell cmdlets to do so. The tooling will also report whether any add-ins have used legacy tokens over the last 28 days. Once the tooling is available, we'll update the Outlook legacy token deprecation FAQ with additional documentation details.

Add-ins may use the legacy Exchange tokens to get resources from Exchange through the EWS or Outlook REST APIs. Sometimes an add-in requires Exchange resources for some use cases and not others, making it difficult to figure out whether the add-in requires an update. We recommend reaching out to add-in developers and owners to ask them if their add-in code references the following APIs:

  • makeEwsRequestAsync
  • getUserIdentityTokenAsync
  • getCallbackTokenAsync
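
One way a developer or add-in owner can answer that question for code they control is to scan the add-in source for the three APIs listed above. The following Node.js script is an added example, not Microsoft tooling; the function names (scanSource, scanDirectory) and the sample source are constructed for illustration.

```javascript
// Added example: function names and SAMPLE are constructed for illustration.
// The three legacy-token APIs named in the announcement.
const LEGACY_APIS = ["makeEwsRequestAsync", "getUserIdentityTokenAsync", "getCallbackTokenAsync"];

// Match dot access (mailbox.getCallbackTokenAsync) and quoted bracket access
// (mailbox["getCallbackTokenAsync"]) so indirect call sites are also reported.
const API_PATTERN = new RegExp("(?:\\.\\s*|\\[\\s*[\"'`])(" + LEGACY_APIS.join("|") + ")\\b", "g");

// Blank out comments (heuristic, not a full parser) while keeping newlines,
// so commented-out calls are skipped and line numbers stay correct.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Return one finding per legacy API reference in a single source text.
function scanSource(file, source) {
  const findings = [];
  stripComments(source).split("\n").forEach((text, i) => {
    for (const m of text.matchAll(API_PATTERN)) findings.push({ file, line: i + 1, api: m[1] });
  });
  return findings;
}

// Recursively scan an add-in project directory, skipping node_modules.
function scanDirectory(dir) {
  const fs = require("fs"), path = require("path");
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) return entry.name === "node_modules" ? [] : scanDirectory(full);
    return /\.(js|ts|jsx|tsx|html)$/.test(entry.name) ? scanSource(full, fs.readFileSync(full, "utf8")) : [];
  });
}

// Constructed sample add-in source (not from a real add-in).
const SAMPLE = [
  "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, onToken);",
  "// Office.context.mailbox.getUserIdentityTokenAsync(cb);  (commented out)",
  "const fn = Office.context.mailbox['makeEwsRequestAsync'];",
  "/* old: mailbox.makeEwsRequestAsync(xml, cb); */",
  "const docs = 'https://example.invalid/help'; mailbox.getUserIdentityTokenAsync(cb);",
].join("\n");

console.log(scanSource("taskpane.js", SAMPLE));
```

A source scan only shows where the APIs are referenced; bundled or minified third-party add-ins still need confirmation from the ISV, as recommended below.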

We'll provide tooling via PowerShell for Microsoft 365 admins in October 2024 to turn legacy Exchange tokens on or off in your tenant. This will allow you to test if any add-ins are using Exchange tokens. We'll provide more info when the tooling is ready in the Outlook legacy token deprecation FAQ.

If you rely on an independent software vendor (ISV) for your add-in, we recommend you contact them as soon as possible to confirm they have a plan and a timeline for moving off legacy Exchange tokens. ISV developers should reach out directly to their Microsoft contacts with questions to ensure they're ready for the end of Exchange legacy tokens. If you rely on a developer within your organization, we recommend you ask them to review the "Updates on deprecating legacy Exchange Online tokens for Outlook add-ins" blog and direct any questions to the Outlook extensibility PM team on the OfficeDev/office-js GitHub issues site.

How do I keep up with the latest guidance?

We'll share additional guidance on the Office Add-ins community call, the M365 developer blog, and the Outlook legacy token deprecation FAQ.

Ask questions about NAA and legacy Exchange Online token deprecation on the OfficeDev/office-js GitHub issues site. Please put "NAA" in the title.
