Modifying Outlook add-in setup for Nested App Authentication (NAA)

Starting February 1, 2025, Microsoft Exchange Online requires all Outlook add-ins to use Nested App Authentication (NAA).

Modify the existing Outlook add-in setup

Complete these steps to continue using the Business Central add-in for Outlook after February 1, 2025.

  1. Upgrade Business Central to at least version 25.3, 24.9, or 23.15 depending on your current version.

  2. Expose the API of the registered app in the Microsoft Entra ID used to authenticate users with Business Central.

    If your deployment is set up for the Outlook add-in, you already have an app registration in the Microsoft Entra admin center for authenticating Business Central users with Microsoft Entra ID. You might be using this same app registration for connecting Business Central to Outlook, or you might be using a separate app registration. This step applies to the app registration used for user authentication.

    In the app registration, expose the Business Central API with a scope requiring admin and user consent:

    1. Sign in to Microsoft Entra admin center and open the app registration.

    2. Select Expose an API.

    3. If there's no value for Application ID URI, select Add > Save. Make note of the Application ID URI for later.

    4. On the Expose an API page, select Add a scope and configure these settings:

      | Setting | Value | Example |
      |---|---|---|
      | Scope name | Specify a meaningful name for a permission scope. | BusinessCentralOnPrem.Access |
      | Consent | Choose Admins and users. | |
      | Admin consent display name | Specify a meaningful name for admin consent. | Access Business Central as the signed-in user |
      | Admin consent description | Specify a meaningful description. | Business Central is a business management solution that helps organizations work smarter, adapt faster, and perform better. |
      | User consent display name | Specify a meaningful name for user consent. | Have full access to Business Central |
      | User consent description | Specify a meaningful description. | Allow the application full access to Dynamics 365 on your behalf. |

    5. Make a note of the scope's name on the Expose an API page and app registration's display name on the Overview page. You might need this information later.

    Learn more in Configure an application to expose a web API.

  3. Create a new app registration specifically for connecting Outlook with Business Central:

    Follow the instructions in Register an app that connects Outlook and Business Central.

  4. Configure the Business Central web server instance to work with Exchange Online:

    Learn more in Configure the Business Central web server instance to work with Exchange Online.

Learn more details about these steps in Set up the add-ins for Outlook in Business Central on-premises.
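
As a check on step 2, the following added example (not part of the original page and not Microsoft's code) inspects an app registration in the JSON form Microsoft Graph returns for an application object and reports anything missing from the Expose an API settings. The sample object, its placeholder IDs and URI, and the function name `check_exposed_api` are constructed for illustration.

```python
import json

# Constructed sample: an application object as returned by Microsoft Graph
# (GET /applications/{id}). The IDs and URI are placeholders, not real values.
SAMPLE_APP = json.loads("""
{
  "displayName": "Business Central user authentication",
  "identifierUris": ["api://00000000-0000-0000-0000-000000000000"],
  "api": {
    "oauth2PermissionScopes": [
      {
        "id": "11111111-1111-1111-1111-111111111111",
        "value": "BusinessCentralOnPrem.Access",
        "type": "User",
        "isEnabled": true,
        "adminConsentDisplayName": "Access Business Central as the signed-in user",
        "adminConsentDescription": "Business Central is a business management solution.",
        "userConsentDisplayName": "Have full access to Business Central",
        "userConsentDescription": "Allow the application full access to Dynamics 365 on your behalf."
      }
    ]
  }
}
""")

CONSENT_TEXT = ("adminConsentDisplayName", "adminConsentDescription",
                "userConsentDisplayName", "userConsentDescription")

def check_exposed_api(app, scope_name):
    """Return a list of findings; an empty list means step 2 looks complete."""
    findings = []
    if not app.get("identifierUris"):
        findings.append("Application ID URI is not set")
    scopes = (app.get("api") or {}).get("oauth2PermissionScopes") or []
    scope = next((s for s in scopes if s.get("value") == scope_name), None)
    if scope is None:
        findings.append(f"scope {scope_name!r} is not defined")
        return findings
    if not scope.get("isEnabled"):
        findings.append("scope is disabled")
    # Graph type "User" is the portal's "Admins and users"; "Admin" is "Admins only".
    if scope.get("type") != "User":
        findings.append("consent is not 'Admins and users'")
    findings += [f"{k} is empty" for k in CONSENT_TEXT if not (scope.get(k) or "").strip()]
    return findings

if __name__ == "__main__":
    print(check_exposed_api(SAMPLE_APP, "BusinessCentralOnPrem.Access") or "OK")
```

Run it against the application object for the app registration used for user authentication, passing the scope name noted in step 2.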

Why is this action needed?

The Outlook add-ins previously relied on Exchange Online tokens for authentication, which are deprecated and turned off starting in February 2025. Learn more in Nested app authentication and Outlook legacy tokens deprecation FAQ.

To continue using legacy Exchange Online tokens and delay the automatic switch to NAA, you can turn on the tokens. Learn more in Turn on legacy Exchange Online tokens. This change affects all add-ins and integrations in your environment. 

Install minor update for version 25
Install minor update for version 24
Install minor update for version 23
Set up the add-ins for Outlook in Business Central on-premises
Use Business Central as your Business Inbox in Outlook