Code Replacement Deadline for Exchange Legacy Tokens Approaching

In May 2024, I wrote about the upcoming change for the authentication method used by Outlook add-ins to embrace a technology called Nested App Authentication (NAA), which is used by ISVs and other developers to obtain access tokens to interact with Exchange through the Outlook REST API or Exchange Web Services (EWS).

Microsoft originally wanted to disable legacy Exchange tokens in October 2024. As tends to be the nature of these projects, customers needed some extra time. However, we’re now on the glidepath to complete disablement for legacy Exchange tokens across Microsoft 365 and Microsoft plans to turn off Exchange legacy tokens for all tenants in February 2025. The exact timing for when a client ceases to support legacy Exchange tokens depends on the Office channel in use (see the timeline for the different Office channels).

What Happens in February 2025

After February 2025, tenants can reenable Exchange legacy tenants using PowerShell. This action grants access until June 2025. At that point, Microsoft will disable Exchange legacy tokens again and tenants will only be able to reenable tokens through an appeal process. If granted, the tenants can use legacy Exchange tokens until Microsoft finally removes the functionality from Microsoft 365 in October 2025. That seems like a long time away, but given the effort required to find and deploy replacement add-ins to Outlook classic clients, tenants need to be in control of the process before the first phase of token disablement happens.

Although Microsoft is going through its normal process of publishing documentation, issuing message center notifications, and so on, one wonders if the message about removing support for Exchange legacy tokens is getting through. This is important because this change will eventually cause Outlook or OWA add-ins to stop working for many Outlook users if action is not taken.

Knowing What Add-Ins Are in Use

Microsoft has collated information about the Outlook add-ins known to be in use inside Microsoft 365. That information is available in a downloadable Excel worksheet (Figure 1). Additional reporting is expected in early 2025.

The first thing to do is to download and analyze the worksheet to identify what add-ins are in use within the tenant and who developed the add-in. At this stage, you must run several cmdlets (see instructions here) to discover the add-ins deployed in your tenant.

Often the author will be an ISV like SAP who understands the problem and has already created a replacement add-in based on NAA, the new way for add-ins to authenticate and receive access tokens from Entra ID. Some other add-ins might be authored by in-house developers, in which case the responsibility for updating the add-in code lies with the tenant. Microsoft’s documentation highlights some API calls that developers need to pay special attention to because they indicate the use of legacy Exchange tokens.

Some add-ins might have been developed by a company that’s now out of business. In these cases, the add-in will cease working once Microsoft disables legacy Exchange tokens and there’s no path forward except to find (or develop) a replacement add-in.

It Would Have Been Better to Start Earlier

Change is never easy, especially when it involves code that’s installed and run in a client like Outlook classic that’s been around for a very long time. There’s no easy workaround either when the problem involves a fundamental change in authentication and access that must be addressed in a code update.

Given the timeline, the important thing is to start the assessment process as quickly as possible. Identifying the set of add-ins in active use is critical, as is knowing where the necessary code updates will come from. After that it’s a mere matter of deploying the updates to individual workstations, which is always the easiest part of projects.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.