Microsoft Retiring Legacy Exchange Authentication Methods from October 2024: Are Tenants Ready?
Outlook integrated add-ins are a popular mechanism to extend client functionality to allow access to external data sources. No one knows exactly how many add-ins have been created or how many are in active use within Microsoft 365 tenants, but what we do know is that some tenants will get an unpleasant shock in October 2024 when Microsoft turns off legacy Exchange user identity tokens and callback tokens for Exchange Online tenants. Microsoft says that these legacy methods “no longer provide sufficient support for organizations’ response to threats against email data.”
Both are authentication methods originating from on-premises environments. Microsoft wants to remove as many legacy authentication methods as it can from Microsoft 365. This is part of Microsoft’s Secure Future Initiative, launched by Brad Smith in November 2023. Since then Microsoft has experienced the Midnight Blizzard attack and upped the ante in terms of withdrawing legacy authentication whenever possible, like the withdrawal of Application Impersonation for Exchange Web Services (EWS) announced in March 2024.
The replacement is a technology called Nested App Authentication (NAA), announced in preview on April 9, 2024 (Microsoft also posted to the Technical Community, but it was easy to miss). According to Microsoft, “NAA provides simpler authentication and top tier identity protection through APIs designed specifically for add-ins in Office hosts.”
The Impact on Outlook Add-in Developers
Microsoft’s developer blog makes it seem simple to adopt NAA, listing five steps:
- Register an Entra ID application for use with the add-in. The application will hold consent for the Graph permissions needed by the add-in.
- Update redirect URIs to support trusted brokers.
- Update the add-in’s MSAL.js configuration to allow native bridging.
- Add a fall-back authentication method.
- Test the add-in.
However, the simplicity of Microsoft’s five steps understates the work that developers of Outlook add-ins will actually have to do:
- Review their Outlook integrated add-ins to identify where legacy authentication is used.
- Switch from Exchange user identity tokens and callback tokens to use NAA. The big advantage delivered by NAA is that it’s integrated with Entra ID and supports its advanced set of authentication capabilities.
- Use Graph APIs to access Exchange Online data instead of EWS and the Outlook REST API. Microsoft has already announced that they will block access for EWS to Exchange Online from October 2026.
- Test with multiple versions of Outlook. Microsoft is due to support the classic Outlook client until 2029.
- Contact customers who use the older versions of the add-ins.
- Deliver production-quality code to customers.
Even with help from something like GitHub Copilot, there’s a significant amount of work here. NAA is only just in preview, so a limited amount of practical experience exists of its use with add-ins. Perhaps Microsoft will reveal more information at the Build Conference next week.
Equipped with knowledge or not, the work must be done before Microsoft turns off the legacy authentication methods at a so far indeterminate date sometime in October 2024. The change only affects Exchange Online. Outlook add-ins can continue to use the legacy authentication methods to connect to Exchange on-premises servers. Of course, this creates a further complication for developers who create add-ins used in hybrid environments because their code must be able to handle connections to both on-premises and cloud servers.
Reviewing Personal Use of Outlook Add-ins
I don’t use many Outlook add-ins myself, and those that I do are produced by Microsoft (Figure 1). I assume that Microsoft will take care of these add-ins in due course.
A quick scan around the internet reveals the presence of many Outlook add-ins created by third parties (here’s an example). I’m not as sanguine that all the third-party add-ins will have quite the same smooth upgrade. If you’re a tenant administrator, it’s a good idea to ask people what add-ins they use and start to build a list of add-ins in active use.
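The inventory suggested above can be started from Exchange Online PowerShell rather than by asking around. The following script is an added example written for this article (it is not Microsoft’s code and not part of the original post): it lists the organization-deployed add-ins, scans a capped number of mailboxes for the add-ins each user has available, and records the organization and per-mailbox EWS settings that legacy add-ins typically depend on. The cmdlets (`Connect-ExchangeOnline`, `Get-OrganizationConfig`, `Get-App`, `Get-Mailbox`, `Get-CASMailbox`) and the properties read from them are real; the `$MaxMailboxes` cap and the `$ReportPath` output location are assumptions you should adjust.

```powershell
# Added example, not from the article: inventory Outlook integrated add-ins and
# EWS settings in an Exchange Online tenant. Requires the ExchangeOnlineManagement
# module and an account holding an Exchange administrator role.
param(
    [int]$MaxMailboxes = 200,                              # assumed cap; use a larger value for a full sweep
    [string]$ReportPath = ".\OutlookAddInInventory.csv"    # assumed output location
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization-wide EWS posture. A $null EwsEnabled means it was never set explicitly (EWS on).
$orgConfig = Get-OrganizationConfig
[PSCustomObject]@{
    EwsEnabled                 = $orgConfig.EwsEnabled
    EwsApplicationAccessPolicy = $orgConfig.EwsApplicationAccessPolicy
    EwsAllowList               = ($orgConfig.EwsAllowList -join ';')
    EwsBlockList               = ($orgConfig.EwsBlockList -join ';')
} | Format-List

# 2. Add-ins deployed tenant-wide, keyed by AppId so per-mailbox results can be tagged.
$orgApps = @{}
Get-App -OrganizationApp | ForEach-Object { $orgApps[$_.AppId] = $_ }

# 3. Per-mailbox scan. Get-App -Mailbox returns what the user has available, which
#    includes user-installed add-ins that never appear in the organization list.
$inventory = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize $MaxMailboxes

foreach ($mbx in $mailboxes) {
    $cas = Get-CASMailbox -Identity $mbx.UserPrincipalName
    foreach ($app in (Get-App -Mailbox $mbx.UserPrincipalName)) {
        $inventory.Add([PSCustomObject]@{
            Mailbox     = $mbx.UserPrincipalName
            AddIn       = $app.DisplayName
            AppId       = $app.AppId
            Provider    = $app.ProviderName
            Version     = $app.AppVersion
            Enabled     = $app.Enabled
            OrgDeployed = $orgApps.ContainsKey($app.AppId)
            MailboxEws  = ($cas.EwsEnabled -ne $false)     # $null inherits the organization setting
        })
    }
}

# 4. Summary for the review: which add-ins are in use, how widely, and who publishes them.
$inventory | Group-Object -Property AppId | Sort-Object Count -Descending |
    Select-Object @{n='AddIn';       e={ $_.Group[0].AddIn }},
                  @{n='Provider';    e={ $_.Group[0].Provider }},
                  @{n='Mailboxes';   e={ $_.Count }},
                  @{n='OrgDeployed'; e={ $_.Group[0].OrgDeployed }} |
    Format-Table -AutoSize

$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The report tells you which add-ins exist and who publishes them, which is the list you need to take to vendors; it cannot tell you whether a given add-in still uses Exchange user identity or callback tokens, because that depends on the add-in’s code rather than on any tenant setting. Calling `Get-App` once per mailbox is slow, so keep the cap low for a first pass and run the full sweep off-hours.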
A Better Future
Everyone wants better security, and we currently suffer from the effects of using technology developed for use in on-premises environments in the more challenging world of cloud systems. Over the long term, there’s no doubt that technologies like NAA and the Graph are the right way to go and will help close holes that attackers could potentially exploit.
The big problem is lack of time. October 2024 will come very quickly, and if tenants don’t know that they need to update Outlook add-ins, they’re going to get a hell of a shock when Microsoft disables the legacy authentication methods and add-ins cannot connect to Exchange Online. I’m not sure that every developer reads Microsoft’s developer blog diligently, so it’s entirely possible that some add-ins won’t receive the attention they need before the big turn-off. Allied to the inability to audit the use of Outlook add-ins within a tenant, all the components of a big mess are coming together. I hope that I’m wrong.
Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
You are showing a COM addin screenshot while this affects Office web-addins
It’s just an illustration…
So, is this just com add-ins, just integrated add-ins, or both?
Integrated add-ins. I used the COM add-in as an illustration, but it’s the integrated add-ins that you need to worry about.
How do I check whether my tenant has not yet implemented NAA and is still using EWS?