Microsoft introduces the new and mandatory Nested App Authentication for Office Add-ins

Adoption must be completed before October 2024.


Outlook add-ins

The new Nested App Authentication for Office Add-ins is now in public preview, and Microsoft plans to make it the mandatory authentication method for Outlook add-ins by the end of the year, more specifically in October 2024.

In a blog post, the Redmond-based tech giant says the NAA (short for Nested App Authentication) allows users to authenticate faster and safer, ultimately becoming the standard and the only way to do so.

NAA provides simpler authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts. NAA is the best authentication option for affected add-ins; we recommend beginning work on proof of concepts using the NAA preview and adopting NAA soon after general availability.


The company will turn off by default all legacy Exchange user identity tokens and callback tokens for all Exchange Online tenants in October 2024, and it advises organizations to take immediate action to prepare their add-ins for the change.

We’re also announcing that legacy Exchange user identity tokens and callback tokens will be turned off by default for all Exchange Online tenants in October 2024. This is part of Microsoft’s Secure Future Initiative to give organizations the tools they need in the current threat landscape. Add-in developers who access Exchange data through EWS or Outlook REST must take immediate action to ensure their add-ins are ready before legacy Exchange tokens are off by default in October 2024.


The Redmond-based tech giant is making all these changes due to the constant threat from bad actors globally. Ever since Microsoft and OpenAI discovered that threat actors are using AI to target their victims, the two companies have been working relentlessly to come up with solutions: one of those solutions is Copilot for Security.

Another one is the new Nested App Authentication method:

NAA simplifies Office add-in specific authentication with APIs that work for add-ins nested within Office hosts, making it simple to get consent, accept the latest and safest authentication factors, and allow customer admins to secure their environment with Entra ID policies.


The company wants organizations to adopt NAA as soon as possible. Organizations that do not can continue to use the legacy tokens, but only if their admins opt into continued legacy token issuance.

Otherwise, adoption is mandatory.

Exchange Online blocks legacy Exchange user identity tokens and callback tokens in all tenants by default. Add-ins that haven’t adopted NAA and rely on legacy Exchange tokens will be unable to call EWS and Outlook REST unless admins opt into continued legacy token issuance.


To initiate the adoption process, the Redmond-based tech giant has laid out a plan organizations and developers can follow, which can be found here.
