Through its Secure Future Initiative, Microsoft is updating how Outlook add-ins, including the Salesforce Outlook Integration, handle security. In the coming months, Microsoft will deprecate old methods of allowing add-ins to access data, called Exchange tokens. Instead of Exchange tokens, Microsoft Outlook add-ins will use a newer, safer method called Nested App Authentication (NAA). NAA allows apps to use single sign-on (SSO). This means apps inside Outlook can log in securely using modern technology. The old Exchange tokens will stop working over time, and by October 2025, you won't be able to use them at all.
Note: This change only impacts Exchange Online. Firms using on-premises Exchange environments do not need to take any action.
This change requires Microsoft 365 (M365) admins to take steps to prevent users from losing access to the Salesforce Outlook integration. Microsoft 365 admins, not Salesforce admins, will need to take action.
Action Required
1. Action 1 (Required): Have an M365 admin use the Admin Consent Flow, which automates the scope authorization process for all users in an account’s tenant so that individual users do not have to manually authorize the integration after Microsoft rolls out changes. This step ensures that the scopes in Action 2 can be pushed to users through the Salesforce for Outlook app that will automatically be added to Entra.
   - The Admin Consent Flow link, along with instructions for M365 admins, can be found on the “Outlook Integration and Sync” page in Setup.
2. Action 2 (Required): After using the Admin Consent Flow to install the Salesforce for Outlook Entra App, ensure that the scopes in the bulleted list below are enabled for the app.
The following scopes are required for the Salesforce Outlook integration to function:
- Calendars.ReadWrite.Shared
- Mail.ReadWrite.Shared
- offline_access
- openid
- profile
- User.Read
For example, if Calendars.ReadWrite.Shared is unavailable to all integrations, the Salesforce Outlook integration will not function.
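One way an M365 admin could confirm Action 2 after running the Admin Consent Flow, shown as an added example that is not Salesforce's or Microsoft's own code: it checks delegated permission grants for the scopes listed above and counts only tenant-wide consent. The helper name `Get-MissingTenantWideScope`, the sample grants and the app display name in the comments are assumptions; the commented cmdlets are from the Microsoft Graph PowerShell SDK.

```powershell
# Scopes this page lists as required for the Salesforce Outlook integration.
$RequiredScopes = @(
    'Calendars.ReadWrite.Shared', 'Mail.ReadWrite.Shared',
    'offline_access', 'openid', 'profile', 'User.Read'
)

function Get-MissingTenantWideScope {
    # Hypothetical helper: returns required scopes NOT covered by tenant-wide consent.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Grant,
        [Parameter(Mandatory)] [string[]] $Required
    )
    $granted = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $Grant) {
        # Per-user grants (ConsentType 'Principal') do not cover the whole tenant.
        if ($g.ConsentType -ne 'AllPrincipals') { continue }
        # Scope is a single space-separated string and may start with a space.
        foreach ($s in ("$($g.Scope)" -split '\s+')) {
            if ($s) { [void]$granted.Add($s) }
        }
    }
    $Required | Where-Object { -not $granted.Contains($_) }
}

# Constructed sample shaped like Get-MgOauth2PermissionGrant output (not tenant data).
$sampleGrants = @(
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = ' openid profile offline_access User.Read' }
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = 'Calendars.ReadWrite.Shared' }
    [pscustomobject]@{ ConsentType = 'Principal'; PrincipalId = '<user-object-id>'
                       Scope = 'Mail.ReadWrite.Shared' }
)

# Against a live tenant (the display name below is an assumption, check yours):
#   Connect-MgGraph -Scopes 'Directory.Read.All'
#   $sp = Get-MgServicePrincipal -Filter "displayName eq 'Salesforce for Outlook'"
#   $sampleGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

$missing = @(Get-MissingTenantWideScope -Grant $sampleGrants -Required $RequiredScopes)
if ($missing.Count -gt 0) {
    "Not consented tenant-wide: $($missing -join ', ')"
} else {
    'All required scopes have tenant-wide consent.'
}
```

In the constructed sample, `Mail.ReadWrite.Shared` is reported as missing because only a single user has consented to it, which is the gap the Admin Consent Flow is meant to close.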
Testing
Firms can also test before the deadlines.
To test, firms can take the following actions before changes are rolled out:
- Authorize the Salesforce Outlook integration for users in the tenant using the Admin Consent Flow (please see the details from Microsoft).
- Manually turn off Exchange Online tokens. Microsoft will be adding this capability in October 2024. Latest timeline and updates can be found in the Microsoft FAQ here.
- Launch the Outlook integration, verify the Microsoft authorization and Salesforce authentication flow, then verify users can access the application as expected.
Timeline
The following table lists the key milestones based on which channels firms are using. Learn more about Release Channels here.
Date | Release channel(s) | Legacy tokens status and NAA General Availability (GA) |
---|---|---|
Oct 2024 | All channels | New PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs. |
Oct 2024 | Current Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Current Channel. |
Nov 2024 | Monthly Enterprise Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel. |
Jan 2025 | Current and Semi-Annual Channels | Legacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can re-enable via PowerShell. NAA will GA in Semi-Annual Channels. |
Feb 2025 | Monthly Enterprise Channel | Legacy tokens turned off for all tenants in Monthly Enterprise. Admins can re-enable via PowerShell. |
Jun 2025 | Semi-Annual Extended Channel | Legacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel. |
Jun 2025 | All channels | Admins can no longer re-enable legacy tokens via PowerShell; contact Microsoft. |
Oct 2025 | All channels | Legacy tokens turned off for all tenants; there will be no re-enable option. |
For more details, check out the Salesforce announcement here and the Microsoft FAQ here.