Identify usage of exchange legacy tokens

[Alaa-Elias-Gong]

@davidchesnut

Could you share how you determined that the app depends on Exchange legacy tokens for its integration?

I reviewed the documentation on identifying the use of Exchange tokens (https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens), but we don’t appear to be using them—yet our app is still listed as one that does.

[davidchesnut]

Hi @Alaa-Elias-Gong,

It's possible your add-in was a false positive in the telemetry we ran. I can remove it from the list if you want. One way to test for sure is to turn off tokens in a test tenant and then run your add-in to see if it breaks (which would indicate it requested an Exchange token.) Let me know if you want me to remove it from the list.

Thanks,
David

[Alaa-Elias-Gong]

@davidchesnut

Unfortunately in order to block usage of legacy tokens, the tenant most have premium subscription as you are not allowed to add conditional access policy with the free subscription (Dedicated for our test tenant)

[davidchesnut]

BTW: we ran the telemetry back in October 2024. So if your add-in used to use Exchange tokens, but you updated it, that would also be a reason it appeared in the list.

[davidchesnut]

Hi @Alaa-Elias-Gong, we have tooling available to turn off tokens in a test tenant. No CAP needed. See Turn legacy Exchange Online tokens on or off.

Cheers,
David

[Alaa-Elias-Gong]

@davidchesnut

Hi David

We want to avoid affecting any current customers, so it’s safer to confirm that something isn’t being used before turning it off. I’ve already checked a few applications by using a policy that blocks using legacy tokens for our testing organization.

In the CSV, you’ve included the tenant ID, but that ID covers multiple applications we manage. Are you able to identify which specific applications are using the legacy token for that tenant?

Appreciate your help

Tenant-id = 40efcf3f-bd65-4f4a-9928-5f6254e35b57