Microsoft introduces the new and mandatory Nested App Authentication for Office Add-ins

The adoption must be done before October 2024.

3 min. read

Published onApril 12, 2024

published onApril 12, 2024

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

The new Nested App Authentication for Office Add-ins is now in public preview, and Microsoft plans to make it the mandatory authentication method for Outlook add-ins by the end of the year, more specifically in October 2024.

Ina blog post, the Redmond-based tech giant says the NAA (short for Nested App Authentication) allows users to authenticate faster and safer, ultimately becoming the standard and the only way to do so.

NAA provides simpler authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NAA is the best authentication option for affected add-ins; we recommend beginning work on proof of concepts using the NAA preview and adopting NAA soon after general availability.

The company will be turned off by default all legacy Exchange user identity and callback tokens for all Exchange Online tenants in October 2024 and advises organizations to take immediate action to prepare their add-ins for it.

We’re also announcing thatlegacy Exchangeuser identity tokensandcallback tokenswill be turned off by default for all Exchange Online tenants in October 2024.This is part ofMicrosoft’s Secure Future Initiativeto give organizations the tools they need in the current threat landscape. Add-in developers who access Exchange data through EWS or Outlook REST must take immediate action to ensure their add-ins are ready before legacy Exchange tokens are off by default in October 2024.

The Redmond-based tech giant is making all these changes due to the constant threat from bad actors globally. Ever since Microsoft and OpenAI discovered that threat actors areusing AIto target their victims, the two companies have been working relentlessly to come up with solutions: one of those solutions isCopilot for Security.

Another one is the new Nested App Authentication method:

NAA simplifies Office add-in specific authentication with APIs that work for add-ins nested within Office hosts, making it simple to get consent, accept the latest and safest authentication factors, and allow customer admins to secure their environment with Entra ID policies.

The company wants organizations to adopt NAA as soon as possible, but those organizations who won’t, can continue to use the legacy tokens, however, they will need to opt for the continued legacy token issuance.

Otherwise, adoption is mandatory.

Exchange Online blocks legacy Exchangeuser identity tokensandcallback tokensin all tenants by default. Add-ins that haven’t adopted NAA and rely on legacy Exchange tokens will be unable to call EWS and Outlook REST unless admins opt into continued legacy token issuance.

To initiate the adoption process, the Redmond-based tech giant has laid out a plan organizations and developers can follow, which can be foundhere.

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low#

Copilot in Outlook will generate personalized themes for you to customize the app#

Microsoft will raise the price of its 365 Suite to include AI capabilities#

Death Stranding Director’s Cut is now Xbox X|S at a huge discount#

Outlook will let users create custom account icons so they can tell their accounts apart easier#

Microsoft introduces the new and mandatory Nested App Authentication for Office Add-ins#

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

Microsoft introduces the new and mandatory Nested App Authentication for Office Add-ins