Through its Secure Future Initiative, Microsoft is updating how Outlook add-ins, including the Salesforce Outlook Integration, handle security. In the coming months, Microsoft will deprecate old methods of allowing add-ins to access data, called Exchange tokens. Instead of Exchange tokens, Microsoft Outlook add-ins will use a newer, safer method called Nested App Authentication (NAA). NAA allows apps to use single sign-on (SSO). This means apps inside Outlook can log in securely using modern technology. The old Exchange tokens will stop working over time, and by October 2025, you won't be able to use them at all.
Note: This change only impacts Exchange Online. Firms using on-premises Exchange environments do not need to take any action.
This change requires Microsoft 365 (M365) admins to take steps so that users do not lose access to the Salesforce Outlook integration. Microsoft 365 admins, not Salesforce admins, will need to take action.
Action Required
1. Action 1 (Required): Verify that M365 is not configured with policies that will prevent the Outlook integration from working after Exchange Online tokens are turned off in the tenant. Failure to do so could prevent all users from accessing the Outlook integration.
The following scopes are required for the Salesforce Outlook integration to function:
- Calendars.ReadWrite.Shared
- Mail.ReadWrite.Shared
- offline_access
- openid
- profile
- User.Read
For example, if Calendars.ReadWrite.Shared is unavailable to all integrations, the Salesforce Outlook integration will not function.
2. Action 2 (suggested and Coming Soon): Use the Admin Consent Flow that is currently under development. This will automate the scope authorization process for all users in an account’s tenant so that individual users do not have to manually authorize the integration after Microsoft rolls out changes. This feature is currently unavailable but will be released soon. We will update this article when it is live. While not required, this step will make the migration more seamless for all users, and alleviate confusion around prompting a user to authenticate the application. Authorize the integration for all users in the tenant by clicking on the “Outlook Integration and Sync” page in Setup.
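As an added example (not Salesforce's or Microsoft's code), the Python below checks an exported Microsoft Graph `oauth2PermissionGrants` listing for users who still lack any of the six scopes listed above, combining tenant-wide admin consent with per-user consent. The sample export, the `sp-outlook-integration` client id and the user ids are constructed placeholders.

```python
import json

# Scopes the article lists as required by the Salesforce Outlook integration.
REQUIRED_SCOPES = ("Calendars.ReadWrite.Shared", "Mail.ReadWrite.Shared",
                   "offline_access", "openid", "profile", "User.Read")

# Constructed sample in the shape of a Graph oauth2PermissionGrants listing.
# All ids are placeholders, not real tenant values.
SAMPLE_EXPORT = json.dumps({"value": [
    {"clientId": "sp-outlook-integration", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile offline_access User.Read"},
    {"clientId": "sp-outlook-integration", "consentType": "Principal",
     "principalId": "user-1",
     "scope": "Calendars.ReadWrite.Shared Mail.ReadWrite.Shared"},
    {"clientId": "sp-outlook-integration", "consentType": "Principal",
     "principalId": "user-2", "scope": " mail.readwrite.shared "},
    {"clientId": "sp-other-addin", "consentType": "AllPrincipals",
     "principalId": None, "scope": " ".join(REQUIRED_SCOPES)},
]})

def missing_scopes(export_json, client_id, user_ids):
    """Map each user to the required scopes they lack (users with none omitted)."""
    tenant_wide, per_user = set(), {}
    for grant in json.loads(export_json).get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # Compare case-insensitively so casing differences in an export
        # do not produce false alarms.
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # admin consent: applies to every user
        elif grant.get("consentType") == "Principal":
            per_user.setdefault(grant.get("principalId"), set()).update(scopes)
    report = {}
    for uid in user_ids:
        have = tenant_wide | per_user.get(uid, set())
        gap = sorted(s for s in REQUIRED_SCOPES if s.lower() not in have)
        if gap:
            report[uid] = gap
    return report

if __name__ == "__main__":
    for uid, gap in missing_scopes(SAMPLE_EXPORT, "sp-outlook-integration",
                                   ["user-1", "user-2", "user-3"]).items():
        print(f"{uid}: missing {', '.join(gap)}")
```

An empty report means every listed user has all six scopes granted, either individually or through tenant-wide consent.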
Testing
Firms can also test before the deadlines.
To test, firms can take the following actions before changes are rolled out:
- Authorize the Salesforce Outlook integration for users in the tenant using the Admin Consent Flow (please see the details from Microsoft).
- Manually turn off Exchange Online tokens. Microsoft will be adding this capability in October 2024. Latest timeline and updates can be found in the Microsoft FAQ here.
- Launch the Outlook integration, verify the Microsoft authorization and Salesforce authentication flow, then verify users can access the application as expected.
Timeline
The following table lists the key milestones based on which channels firms are using. Learn more about Release Channels here.
Date | Release channel(s) | Legacy tokens status and NAA General Availability (GA) |
---|---|---|
Oct 2024 | All channels | New PowerShell options for enabling/disabling legacy tokens for entire tenant or specific AppIDs. |
Oct 2024 | Current Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Current Channel. |
Nov 2024 | Monthly Enterprise Channel | Legacy tokens turned off for tenants not using them; NAA will GA in Monthly Enterprise Channel. |
Jan 2025 | Current and Semi-Annual Channels | Legacy tokens turned off for all tenants in Current and Semi-Annual Channels. Admins can reenable via PowerShell. NAA will GA in Semi-Annual Channels. |
Feb 2025 | Monthly Enterprise Channel | Legacy tokens turned off for all tenants in Monthly Enterprise. Admins can reenable via PowerShell. |
Jun 2025 | Semi-Annual Extended Channel | Legacy tokens off for all tenants in Semi-Annual Extended Channel. NAA will GA in Semi-Annual Extended Channel. |
Jun 2025 | All channels | Admins can no longer re-enable legacy tokens via PowerShell; contact Microsoft. |
Oct 2025 | All channels | Legacy tokens turned off for all tenants; there will be no re-enable option. |
For more details, check out the Salesforce announcement here and the Microsoft FAQ here.