Overview
As part of its Secure Future Initiative, Microsoft is deprecating legacy features in 2025 that will impact the Salesforce Outlook integration. If your firm uses the Salesforce Outlook integration, you must work with your Microsoft Exchange administrator or IT department to prepare for these changes. While Practifi does not manage this integration, this article outlines recommended actions and includes links to Microsoft and Salesforce documentation.
Please note: The instructions below refer to the Salesforce Outlook Plug-in. The changes connected to the Secure Future Initiative do not impact the Microsoft 365 Email Sync.
- What's Changing
- Timeline and Key Milestones for Legacy Token Deprecation
- Actions for Microsoft 365 Administrators
- Nested App Authentication (NAA) and Exchange Token Deprecation
- Impact on Outlook Add-ins
- Administrator Responsibilities
- Additional Resources
What's Changing
As part of Microsoft's Secure Future Initiative, legacy Exchange Online tokens will be deprecated starting in February 2025, impacting the Salesforce Outlook integration for many users. This transition is part of a larger push to improve security by moving to Nested App Authentication (NAA) and Microsoft Graph APIs. Microsoft 365 administrators must take specific actions to ensure the Salesforce Outlook integration continues functioning after legacy tokens are turned off. Salesforce administrators do not have the required permissions to make these changes; Microsoft 365 administrators must act before the tokens are disabled.
Failure to complete these steps may result in users losing access to the Salesforce Outlook integration after the updates take effect.
Timeline and Key Milestones for Legacy Token Deprecation
- February 2025 – Legacy Exchange Online tokens will be turned off for all tenants. Administrators can reenable tokens via PowerShell.
- June 2025 – Legacy tokens will no longer be reenabled via PowerShell. Exceptions can be requested from Microsoft.
- October 2025 – Legacy tokens will be fully disabled for all tenants, with no exceptions allowed.
Actions for Microsoft 365 Administrators
Microsoft 365 Administrators must take the following actions to ensure the continued functionality of the Salesforce Outlook integration:
Verify Policies for Compatibility (Required)
Before Microsoft turns off Exchange tokens, verify that Microsoft 365 policies will not block the Salesforce Outlook integration. Ensure the following OAuth scopes are available for the integration to function correctly:
- Calendars.ReadWrite.Shared
- Mail.ReadWrite.Shared
- offline_access
- openid
- profile
- User.Read
If any of these are disabled, the integration will fail.
Implement Admin Consent Flow (Suggested)
To streamline the process for end users, it is highly recommended to use the Admin Consent Flow, which automates the scope authorization process for all users in the tenant. This prevents individual users from being prompted to authorize the integration after changes are rolled out. Microsoft 365 administrators can use a specific link to initiate this flow, which is available from the Outlook Integration and Sync page in Salesforce Setup.
Test and Validate Before Deadlines (Suggested)
Microsoft 365 administrators can proactively test before the full rollout:
- Authorize the Salesforce Outlook integration using the Admin Consent Flow.
- Manually disable Exchange Online tokens starting in October 2024 to ensure proper functionality.
Testing can also be done by verifying if users can still access the integration after completing the Microsoft authentication and Salesforce authorization flows.
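One way to confirm that admin consent covered every scope listed above, as an added example that is not Practifi, Salesforce or Microsoft code. It assumes the tenant's delegated permission grants have been exported as JSON in the shape of Microsoft Graph oauth2PermissionGrant objects; the client and user IDs are constructed placeholders.

```javascript
// Added example: compare consent grants against the scopes this article lists.
const REQUIRED_SCOPES = [
  "Calendars.ReadWrite.Shared", "Mail.ReadWrite.Shared",
  "offline_access", "openid", "profile", "User.Read",
];

// Split a grant's space-separated scope string into lower-cased names.
const parseScopes = (scope) => (scope || "").split(/\s+/).filter(Boolean).map((s) => s.toLowerCase());

// grants: array of oauth2PermissionGrant-shaped objects.
// clientId: service principal ID of the integration (placeholder in the sample).
function consentCoverage(grants, clientId) {
  const tenantWide = new Set();   // scopes consented for all users (admin consent)
  const perUser = new Map();      // principalId -> scopes consented by that user only
  for (const g of grants) {
    if (g.clientId !== clientId) continue; // ignore other applications
    if (g.consentType === "AllPrincipals") {
      parseScopes(g.scope).forEach((s) => tenantWide.add(s));
    } else if (g.consentType === "Principal") {
      if (!perUser.has(g.principalId)) perUser.set(g.principalId, new Set());
      parseScopes(g.scope).forEach((s) => perUser.get(g.principalId).add(s));
    }
  }
  const missingTenantWide = REQUIRED_SCOPES.filter((s) => !tenantWide.has(s.toLowerCase()));
  const missingByUser = {};
  for (const [user, own] of perUser) {
    missingByUser[user] = missingTenantWide.filter((s) => !own.has(s.toLowerCase()));
  }
  return { missingTenantWide, missingByUser, adminConsentComplete: missingTenantWide.length === 0 };
}

// Constructed sample: admin consent omitted one scope; one user granted it individually.
const SAMPLE_GRANTS = [
  { clientId: "sp-integration-placeholder", consentType: "AllPrincipals", principalId: null,
    scope: "openid profile offline_access User.Read Mail.ReadWrite.Shared" },
  { clientId: "sp-integration-placeholder", consentType: "Principal", principalId: "user-a",
    scope: " Calendars.ReadWrite.Shared " },
  { clientId: "sp-other-app", consentType: "AllPrincipals", principalId: null,
    scope: "Calendars.ReadWrite.Shared" },
];

console.log(consentCoverage(SAMPLE_GRANTS, "sp-integration-placeholder"));
```

An empty `missingTenantWide` means every listed scope has been granted for all users; any scope left in it has only been granted user by user, if at all.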
Nested App Authentication (NAA) and Exchange Token Deprecation
In February 2025, Microsoft will begin the process of deprecating legacy Exchange user identity and callback tokens, transitioning to Nested App Authentication (NAA). NAA allows for a more secure, flexible approach to authentication within Microsoft applications like Outlook, enhancing security by using Entra ID tokens and Microsoft Graph APIs.
For developers and organizations using add-ins with legacy tokens, it’s critical to migrate to NAA before the February 2025 deadline.
NAA Transition Timeline
- October 2024 – NAA is generally available in the Current Channel.
- November 2024 – NAA will be available in the Monthly Enterprise Channel.
- January 2025 – NAA becomes available in the Semi-Annual Channel.
- June 2025 – NAA will be available in the Semi-Annual Extended Channel.
How to Migrate to NAA
- For Add-in Developers: Migrate to NAA by enabling Single Sign-On (SSO) using Entra ID tokens and Microsoft Graph. Detailed documentation on setting up NAA can be found here.
- For Admins: Ensure any add-ins relying on legacy Exchange tokens (e.g., using makeEwsRequestAsync, getUserIdentityTokenAsync, or getCallbackTokenAsync) are migrated to NAA or Microsoft Graph APIs before the deprecation.
Add-ins that continue using legacy tokens will stop functioning once tokens are turned off. To ensure continuity, confirm migration plans with ISVs or developers. The shift to NAA enhances security with features like zero trust, multi-factor authentication, and conditional access, which aren't available with legacy tokens.
Impact on Outlook Add-ins
Outlook Web Add-ins are primarily affected by the deprecation of legacy tokens, particularly those using Exchange Web Services (EWS) or Outlook REST APIs. However, COM add-ins, which don’t rely on these tokens, are less likely to be impacted.
If your organization uses Salesforce for Outlook or other ISV add-ins, ensure the developer is transitioning to NAA. Microsoft's official documentation provides a list of add-ins affected by this change.
Admin Consent Flow and Migration Steps
Admins can use the Admin Consent Flow to authorize required scopes for all users, making the migration smoother. The process involves:
- Signing in as a Microsoft 365 administrator.
- Reviewing and consenting to the required scopes.
- Deploying the updated app manifest via central deployment or admin consent URI provided by ISVs.
If an add-in is published in the Microsoft Store or deployed via central deployment, admins will be prompted to consent to the updated scopes.
How to Know if Your Add-in Relies on Legacy Tokens
To check if your Outlook add-in is using legacy tokens, search the code for the following API calls:
- makeEwsRequestAsync
- getUserIdentityTokenAsync
- getCallbackTokenAsync
If any of these are used, your add-in is likely relying on legacy tokens and should be migrated to NAA.
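The search described above, as an added Node.js example that is not code from Microsoft, Salesforce or Practifi. It reports the file and line of each use of the three API names and skips commented-out calls; the sample source is constructed, and comment stripping is a heuristic rather than a full JavaScript parser.

```javascript
// Added example: report uses of the three legacy-token APIs named in this article.
const LEGACY_APIS = ["makeEwsRequestAsync", "getUserIdentityTokenAsync", "getCallbackTokenAsync"];

// Heuristic: blank out comments (keeping newlines so line numbers stay correct)
// so that commented-out calls are not reported. "://" in URLs is left alone.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:])\/\/.*$/gm, (m, pre) => pre + " ".repeat(m.length - pre.length));
}

// Whole-word match, so both mailbox.getCallbackTokenAsync(...) and
// mailbox["getCallbackTokenAsync"](...) are found.
function findLegacyTokenCalls(source, file = "<inline>") {
  const pattern = new RegExp(`\\b(${LEGACY_APIS.join("|")})\\b`, "g");
  const findings = [];
  stripComments(source).split("\n").forEach((text, i) => {
    for (const m of text.matchAll(pattern)) findings.push({ file, line: i + 1, api: m[1] });
  });
  return findings;
}

// Walk an add-in project directory chosen by the caller, skipping node_modules.
async function scanDirectory(root) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        if (entry.name !== "node_modules") walk(full);
      } else if (/\.(js|jsx|ts|tsx|html)$/.test(entry.name)) {
        findings.push(...findLegacyTokenCalls(fs.readFileSync(full, "utf8"), full));
      }
    }
  };
  walk(root);
  return findings;
}

// Constructed sample add-in source (not from a real add-in).
const SAMPLE = [
  "// Office.context.mailbox.getUserIdentityTokenAsync(cb);",
  "Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, onToken);",
  "const docs = 'https://example.invalid/help'; // trailing comment",
  "Office.context.mailbox['makeEwsRequestAsync'](soapBody, onEws);",
].join("\n");
console.log(findLegacyTokenCalls(SAMPLE, "taskpane.js"));
```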
Administrator Responsibilities
Please note the following:
- Salesforce Administrators must rely on Microsoft 365 administrators to implement the required changes for the Outlook integration to continue functioning after the 2025 changes.
- Microsoft 365 Administrators must act promptly to verify compatibility with the new token system, perform admin consent and test the integration before legacy tokens are turned off.
Additional Resources
Salesforce Help: Microsoft Updating Salesforce Outlook Integration 2024
Microsoft FAQ: Nested app authentication and Outlook legacy tokens deprecation