Skip to content

[AutoPublish] main to live - 10/30 13:32 PDT | 10/31 02:02 IST #13213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 30, 2025
Merged

[AutoPublish] main to live - 10/30 13:32 PDT | 10/31 02:02 IST #13213

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
49a9812
Update note
samantharamon Oct 30, 2025
e783297
Merge branch 'main' into samramon-legacy-tokens
samantharamon Oct 30, 2025
7ba9702
Merge pull request #13212 from samantharamon/samramon-legacy-tokens
chrisda Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 1 addition & 11 deletions exchange/exchange-ps/ExchangePowerShell/Get-AuthenticationPolicy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,6 @@ Get-AuthenticationPolicy -Identity "Engineering Group"

This example returns detailed information for the authentication policy named Engineering Group.

### Example 3
```powershell
Get-AuthenticationPolicy -AllowLegacyExchangeTokens
```

In Exchange Online, this example specifies whether legacy Exchange tokens for Outlook add-ins are allowed in the organization.

## PARAMETERS

### -Identity
Expand Down Expand Up @@ -87,10 +80,7 @@ The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens ar

Legacy Exchange tokens include Exchange user identity and callback tokens.

**Important**:

- Legacy Exchange Online tokens will be turned off for all organizations from August 2025 through September 2025. Once turned off, you can't use the _AllowLegacyExchangeTokens_ switch on the **Set-AuthenticationPolicy** cmdlet to turn on these tokens. You get the warning "Legacy Exchange Online tokens are disabled" when you run the command `Get-AuthenticationPolicy -AllowLegacyExchangeTokens`. You can [contact Microsoft Support to request an exception](https://aka.ms/LegacyTokensByOctober). For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens).
- The AllowLegacyExchangeTokens switch returns `Not Set` if tokens haven't been explicitly allowed or blocked in your organization using the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
**Important**: Legacy Exchange Online tokens are turned off for all organizations. Exemptions are no longer allowed.

```yaml
Type: SwitchParameter
Expand Down
14 changes: 1 addition & 13 deletions exchange/exchange-ps/ExchangePowerShell/Remove-AuthenticationPolicy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,6 @@ Remove-AuthenticationPolicy -Identity "Engineering Group"

This example removes the authentication policy named "Engineering Group".

### Example 2
```powershell
Remove-AuthenticationPolicy -Identity "LegacyExchangeTokens" -AllowLegacyExchangeTokens
```

In Exchange Online, this example enables legacy Exchange tokens to be issued to Outlook add-ins. This switch applies to the entire organization. The Identity parameter is required, and its value must be set to "LegacyExchangeTokens". Specific authentication policies can't be applied.

## PARAMETERS

### -Identity
Expand Down Expand Up @@ -85,12 +78,7 @@ Legacy Exchange tokens include Exchange user identity and callback tokens.

This switch applies to the entire organization. The Identity parameter is required, and its value must be set to "LegacyExchangeTokens". Specific authentication policies can't be applied.

**Important**:

- Legacy Exchange Online tokens will be turned off for all organizations from August 2025 through September 2025. Once turned off, you can't use the _AllowLegacyExchangeTokens_ switch on the **Set-AuthenticationPolicy** cmdlet to turn on these tokens. You get the warning "Legacy Exchange Online tokens are disabled" when you run the command `Get-AuthenticationPolicy -AllowLegacyExchangeTokens`. You can [contact Microsoft Support to request an exception](https://aka.ms/LegacyTokensByOctober). For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens).
- Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
- It might take up to 24 hours for the change to take effect across your entire organization.
- Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization will remain valid until they expire.
**Important**: Legacy Exchange Online tokens are turned off for all organizations. Exemptions are no longer allowed.

```yaml
Type: SwitchParameter
Expand Down
21 changes: 2 additions & 19 deletions exchange/exchange-ps/ExchangePowerShell/Set-AuthenticationPolicy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,13 +78,6 @@ Set-AuthenticationPolicy -Identity "Research and Development Group" -BlockLegacy

In Exchange 2019, this example re-enables Basic authentication for Exchange Reporting Web Services in the authentication policy named Research and Development Group.

### Example 3
```powershell
Set-AuthenticationPolicy -Identity "LegacyExchangeTokens" -BlockLegacyExchangeTokens
```

In Exchange Online, this example blocks legacy Exchange tokens from being issued to Outlook add-ins. The switch applies to the entire organization, and the Identity parameter must be set to the value "LegacyExchangeTokens". Specific authentication policies can't be applied.

## PARAMETERS

### -Identity
Expand Down Expand Up @@ -397,11 +390,7 @@ Legacy Exchange tokens include Exchange user identity and callback tokens.

The switch applies to the entire organization. The Identity parameter is required and must be set to the value "LegacyExchangeTokens". Specific authentication policies can't be applied.

**Important**:

- Legacy Exchange Online tokens will be turned off for all organizations from August 2025 through September 2025. Once turned off, you can't use the _AllowLegacyExchangeTokens_ switch on the **Set-AuthenticationPolicy** cmdlet to turn on these tokens. You get the warning "Legacy Exchange Online tokens are disabled" when you run the command `Get-AuthenticationPolicy -AllowLegacyExchangeTokens`. You can [contact Microsoft Support to request an exception](https://aka.ms/LegacyTokensByOctober). For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens).
- Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
- It might take up to 24 hours for the change to take effect across your entire organization.
**Important**: Legacy Exchange Online tokens are turned off for all organizations. Exemptions are no longer allowed.

```yaml
Type: SwitchParameter
Expand Down Expand Up @@ -611,13 +600,7 @@ Legacy Exchange tokens include Exchange user identity and callback tokens.

The switch applies to the entire organization. The Identity parameter is required and must be set to the value "LegacyExchangeTokens". Specific authentication policies can't be applied.

**Important**:

- Legacy Exchange Online tokens will be turned off for all organizations from August 2025 through September 2025. Once turned off, you can't use the _AllowLegacyExchangeTokens_ switch on the **Set-AuthenticationPolicy** cmdlet to turn on these tokens. You get the warning "Legacy Exchange Online tokens are disabled" when you run the command `Get-AuthenticationPolicy -AllowLegacyExchangeTokens`. You can [contact Microsoft Support to request an exception](https://aka.ms/LegacyTokensByOctober). For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens).
- Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
- It might take up to 24 hours for the change to take effect across your entire organization.
- Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization remain valid until they expire.
- Blocking legacy Exchange tokens might cause some Microsoft add-ins to stop working. These add-ins are being updated to no longer use legacy tokens.
**Important**: Legacy Exchange Online tokens are turned off for all organizations. Exemptions are no longer allowed.

```yaml
Type: SwitchParameter
Expand Down