Turn legacy Exchange Online tokens on or off

Legacy Exchange Online tokens are deprecated and will start to be turned off across Microsoft 365 tenants in February 2025. If you are a developer migrating your Outlook add-in from legacy tokens to Entra ID tokens and nested app authentication, you'll need to test updates to your add-in. You can use the Exchange Online PowerShell cmdlets to turn legacy tokens on or off. Turn off legacy tokens in a test tenant to confirm that your updated Outlook add-in works correctly without them.

For more information about deprecation of legacy Exchange Online tokens, see Nested app authentication and Outlook legacy tokens deprecation FAQ.

Connect to Exchange Online PowerShell

To run the commands, you first need to connect to Exchange Online PowerShell.

  1. Open PowerShell.
  2. Run the command Import-Module ExchangeOnlineManagement. For more information about this command, see Exchange Online PowerShell.
  3. To be sure you are on the latest version of the module, run the command Update-Module -Name ExchangeOnlineManagement.
  4. Run the command Connect-ExchangeOnline. Sign in with your Microsoft 365 administrator credentials.

Turn off legacy Exchange Online tokens

The Set-AuthenticationPolicy command controls the issuance of legacy Exchange Online tokens. When issuance is turned off, add-ins can no longer request user identity tokens or callback tokens. Tokens that were already issued continue to work until they expire. It can take up to 24 hours before all requests from Outlook add-ins for legacy Exchange Online tokens are blocked.

To turn legacy tokens off, run the following command.

Set-AuthenticationPolicy -BlockLegacyExchangeTokens -Identity "LegacyExchangeTokens"

The command turns off legacy tokens for the entire tenant. If an Outlook add-in requests a legacy token after that, no token is issued.

Note

If you've confirmed that your tenant is not using any add-ins that require legacy Exchange Online tokens, we recommend you turn off legacy Exchange Online tokens as a security best practice. For more information on how to determine whether your tenant has add-ins using legacy tokens, see the Nested app authentication and Outlook legacy tokens deprecation FAQ.

Turn on legacy Exchange Online tokens

To turn legacy tokens on, run the following command. It can take up to 24 hours before all requests from Outlook add-ins for legacy tokens are allowed.

Set-AuthenticationPolicy -AllowLegacyExchangeTokens -Identity "LegacyExchangeTokens"

You can turn tokens back on only until June 2025, when legacy tokens will be forced off in all tenants. For more information, see the Nested app authentication and Outlook legacy tokens deprecation FAQ.
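The connect steps above and the two Set-AuthenticationPolicy commands (turning legacy tokens off and back on) are the pieces you typically run together in a test tenant. The script below is an added example, not code from the original page or from Microsoft: it connects, applies the requested state through the same cmdlet and switches shown above, and writes a timestamped record so you know when the 24-hour propagation window started. The -Mode and -AdminUpn parameters, the script file name, and the log file path are this example's own choices; only ExchangeOnlineManagement, Connect-ExchangeOnline, Disconnect-ExchangeOnline and Set-AuthenticationPolicy with the switches on this page are real cmdlets and parameters.

```powershell
<#
  Added example (not from the original page). Toggles legacy Exchange Online
  token issuance for the whole tenant and logs the change.
  Assumes: the ExchangeOnlineManagement module is installed, and the signed-in
  account holds an Exchange administrator role. -Mode, -AdminUpn and -LogPath
  are names chosen for this script, not cmdlet parameters.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # 'Block' turns legacy tokens off; 'Allow' turns them back on.
    [Parameter(Mandatory = $true)]
    [ValidateSet('Block', 'Allow')]
    [string]$Mode,

    # Admin account used for the interactive sign-in.
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn,

    # Constructed default location for the change record.
    [string]$LogPath = "$env:TEMP\legacy-token-change.log"
)

$ErrorActionPreference = 'Stop'

# Step 2 of the procedure: load the module and report the version in use.
Import-Module ExchangeOnlineManagement
$module = Get-Module ExchangeOnlineManagement
Write-Verbose "ExchangeOnlineManagement version $($module.Version)"

# Step 4: interactive sign-in as the administrator.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $target = 'LegacyExchangeTokens'
    $action = if ($Mode -eq 'Block') {
        'Turn OFF legacy Exchange Online tokens (tenant-wide)'
    } else {
        'Turn ON legacy Exchange Online tokens (tenant-wide)'
    }

    # ShouldProcess honours -WhatIf / -Confirm, so the change can be previewed
    # before it is made against a tenant you care about.
    if ($PSCmdlet.ShouldProcess($target, $action)) {
        if ($Mode -eq 'Block') {
            Set-AuthenticationPolicy -BlockLegacyExchangeTokens -Identity $target
        } else {
            Set-AuthenticationPolicy -AllowLegacyExchangeTokens -Identity $target
        }

        # Record who requested what and when. Propagation can take up to
        # 24 hours, so the timestamp is what you compare add-in behaviour against.
        $entry = '{0:u} {1} {2}' -f (Get-Date).ToUniversalTime(), $AdminUpn, $action
        Add-Content -Path $LogPath -Value $entry
        Write-Host "$action requested. Allow up to 24 hours before all add-in requests are affected."
    }
}
finally {
    # Always drop the session, even if the policy change failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Saved as, for example, Set-LegacyTokens.ps1 (an assumed file name), a dry run against a test tenant is `.\Set-LegacyTokens.ps1 -Mode Block -AdminUpn admin@contoso.onmicrosoft.com -WhatIf`; dropping `-WhatIf` applies the change, and `-Mode Allow` reverses it while that is still possible.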

Note

It might take up to 24 hours for the change to take effect across your entire organization. Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization will remain valid until they expire.

See also