Earlier this year, Microsoft announced the depreciation of Exchange Legacy tokens as part of Microsoft's Secure Future Initiative (SFI), aiming to help organizations tackle today's threat landscape.
The Exchange Legacy tokens is an older authentication mechanism used by certain applications and Outlook Add-ins. Microsoft had introduced more secured authentication methods such as the nested app authentication (NAA) and Microsoft Graph, replacing the Exchange legacy tokens. Many App Providers and Add-in Publishers have already upgraded the apps and add-ins to utilize the nested app authentication in their latest release supporting the latest security feature.
Starting June 2025, Microsoft will turn off the Exchange Legacy Tokens in all the Microsoft 365 tenants, which means any legacy apps or add-ins that are still connecting through the legacy tokens for authentication may no longer work. Administrators are required to contact the corresponding App Publishers and follow the provided instructions to upgrade the apps and add-ins supporting the NAA to avoid any interruption. If the Application is not yet ready to support the NAA or if the Organization requires more time to update the apps and add-ins, Administrators are required to raise an exception with Microsoft.
How can Administrators find Outlook add-ins that use legacy Exchange Online tokens?Administrators can utilize the following powershell cmdlet to check the usage of Exchange Legacy Tokens in their tenant.
Get-AuthenticationPolicy -AllowExchangeLegacyTokens
Can Administrators request for exceptions from Microsoft if the add-ins cannot support NAA immediately?
Yes, Administrators can request exceptions through the Office365 tenant admin portal or by logging into the direct link https://aka.ms/LegacyTokensByOctober to get the exception till October 2025.
When is NAA generally available for my channel?
The general availability (GA) date for NAA is as follows
|
Date |
NAA General Availability (GA) |
| Oct 2024 | NAA is GA in Current Channel. |
| Nov 2024 | NAA is GA in Monthly Enterprise Channel. |
| Jan 2025 | NAA is GA in Semi-Annual Channel build 16.0.17928.20392. |
| Jun 2025 | NAA will GA in Semi-Annual Extended Channel. |
Conclusion
Helient strongly recommends customers be aware of the deprecation of the Exchange Legacy Tokens and take necessary actions to upgrade the Add-ins to support the nested app authentication. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.