Microsoft Updating Salesforce Outlook Integration 2024/2025

 As a part of its Secure Future Initiative, Microsoft is deprecating legacy features that will impact the Salesforce Outlook integration in the coming months. Microsoft is moving to Nested App Authentication (NAA)

This Knowledge Base article outlines steps that Microsoft 365 (M365) admins must take to support Salesforce admins in ensuring that they maintain access to their Salesforce Outlook integration as the feature is updated in 2024 and 2025. Salesforce admins will not have the required permissions/access to make these changes. M365 admins must execute these steps before Exchange Online tokens are turned off in the tenant. Failure to do so could prevent users from being able to access the Salesforce Outlook integration.

Microsoft refers to this as “Nested App Authentication,” or NAA. Please refer to the official Microsoft documentation, available here, for more information including timelines based on which channel(s) customers are using. While we encourage customers to work on implementing these changes immediately, any questions related to the exact timing for the milestones outlined should be directed to M365 admins. 

• When reviewing the documentation outlined above, there are two key milestones to be mindful of: 

  • Date when Microsoft turns off Exchange Online tokens for all tenants. At this point, an admin will be able to re-enable Exchange tokens for a tenant or a specific add-in.

  • Date when Microsoft removes the option to re-enable Exchange tokens. At this point, if an admin has not taken the actions outlined in this Knowledge Base article, it’s possible that users will no longer be able to access the integration.

We strongly suggest that M365 admins use the Admin Consent Flow, which will automate the scope authorization process for all users in an account’s tenant so that individual users do not have to manually authorize the integration after Microsoft rolls out changes.  M365 admins can use this link to initiate the Admin Consent Flow.  Note that this link must be used by a M365 admin.   

• While not required, this step will make the migration more seamless for end users, and alleviate confusion that may come from prompting a user to authenticate the application.

• This link, along with instructions for M365 admins, can be found on the  “Outlook Integration and Sync” page in Setup.

All users are notified of these changes by a banner message that reads,  “Upcoming Microsoft changes might block access to this application. To avoid losing access to your Outlook add-in, notify your Salesforce admin about this message.”

• There is no way to disable this banner message.  It is displayed for all users.
• If a user dismisses the message, it will not reappear.
• Once a user is not using legacy tokens, the message will be suppressed entirely.