Nested App Authentication (NAA) for Exchange Add-Ins
This post is a bit late, but better late than never. Microsoft is deprecating legacy Exchange tokens for Exchange and Outlook Add-ins. Nested App Authentication (NAA) provides simpler authentication and top-tier identity protection through APIs designed specifically for add-ins in Office hosts. What does this mean for you? Perhaps nothing. However, if you haven’t already been receiving email notifications from various vendors of Outlook Add-Ins, then you will.
Basically, as an admin of your Microsoft 365 tenant, you just need to verify that your Outlook Add-ins are NAA compliant. See the Microsoft announcement blog post for details, and this post for the step-by-step process on how to do this.
The PowerShell code below retrieves all Add-Ins in your tenant, lists whether each one is NAA compliant, and creates a CSV with the results. This is the first step all admins need to take to make sure they don’t have any old apps that need to be updated.
# Connect to Microsoft Graph with the necessary permissions
# (Policy.Read.All is needed to read the token lifetime policies queried below)
Connect-MgGraph -Scopes "User.Read.All", "Application.Read.All", "Policy.Read.All"

# Retrieve all service principals
$allServicePrincipals = Get-MgServicePrincipal -All

# Check if any service principals were retrieved
if ($allServicePrincipals) {
    Write-Output "Retrieved $(@($allServicePrincipals).Count) service principals."

    # Prepare a report of all service principals with relevant information
    $report = foreach ($sp in $allServicePrincipals) {
        # Get the token lifetime policies assigned to this service principal
        $tokenUsage = Get-MgServicePrincipalTokenLifetimePolicy -ServicePrincipalId $sp.Id

        # Determine token compliance status. The cmdlet returns policy objects,
        # not strings, so test their display names for the "LegacyToken" marker
        # instead of comparing the objects themselves to a string
        $complianceStatus = if ($tokenUsage.DisplayName -match "LegacyToken") { "Using Legacy Tokens" } else { "NAA Compliant" }

        # Emit one report row per service principal
        [pscustomobject]@{
            DisplayName    = $sp.DisplayName
            AppId          = $sp.AppId
            ObjectId       = $sp.Id
            AccountEnabled = $sp.AccountEnabled
            Compliance     = $complianceStatus
        }
    }

    # Display the report on screen
    $report | Format-Table -AutoSize

    # Export the report to a CSV file
    $csvPath = "ServicePrincipalReport.csv"
    $report | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
    Write-Output "Report has been saved to '$csvPath'."
} else {
    Write-Output "No service principals retrieved."
}
If any of your Add-Ins are not NAA compliant, then contact the developer to update the code.
That’s it!

Hi George
Thank you very much for sharing this! I had to figure out if the Salesforce Outlook add-in would be affected by the Exchange legacy tokens getting disabled soon. This script worked perfectly. I just altered the CSV path to another folder on my laptop.
Regards
Gawie
Gawie, so happy this helped you. Thank you for your comments!