Last year, we introduced Nested App Authentication (NAA) in public preview as a modern protocol for simplifying authentication for Personal Tab Teams apps that run across Microsoft Teams, Outlook, and Microsoft 365. Today, we’re excited to announce that NAA is now generally available across all hosts and platforms.
What’s new & why you should adopt NAA
Nested App Authentication delivers a more secure and consistent sign-in experience while simplifying development:
- Delivers platform support and simplifies integration – NAA is now fully supported on desktop, mobile, and web for Personal Tab Teams apps running on Teams, Outlook, and Office, and for Office Add-ins in Outlook. By using the Microsoft Authentication Library (MSAL.js), you can fetch tokens directly from client code without the need for a middle-tier service.
- Enables incremental and dynamic consent for scope permissions – allowing you to request tokens for any AAD-protected resource the user has consented to, without having to specify the resource in the app manifest or use the OBO flow.
- Removes the reliance on third-party cookies for authenticating users in supported web hosts, so when cookies are blocked the user can still authenticate without interruption to their workflow.
How to get started
To enable Nested App Authentication, follow these steps:
- Register Your App with Entra ID
- Update Redirect URIs
- Integrate the Latest SDK – latest Microsoft Teams JavaScript SDK
- Add a Fallback Authentication Method (in case the app runs on legacy, unsupported hosts)
- Test Across Environments (Mobile, Web, Desktop, etc.)
For detailed guidance, visit our Nested App Authentication documentation and sample app repository. For Outlook Add-in support, read the Office Add-in with nested app authentication documentation.
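The steps above, sketched as an added example (not code from this post or from Microsoft's sample repository): it derives the broker redirect URI, uses NAA when the host supports it, and otherwise takes the fallback path. The calls `nestedAppAuth.isNAAChannelRecommended()` and `createNestablePublicClientApplication()` come from TeamsJS and MSAL.js. Assumptions: `legacyAuth`, `stubSdks`, the returned `via` labels, and the `common` authority are illustrative.

```javascript
// Added example. In an app, `teams` is @microsoft/teams-js and `msal` is
// @azure/msal-browser; they are passed in so the flow can run against stubs.

// Broker redirect URI to register as a SPA redirect URI in Entra ID.
function brokerRedirectUri(appOrigin) {
  return `brk-multihub://${new URL(appOrigin).host}`;
}

async function getAccessToken({ teams, msal, legacyAuth, clientId, scopes }) {
  await teams.app.initialize();
  // Legacy or unsupported host: use the fallback method (hypothetical callback).
  if (!teams.nestedAppAuth.isNAAChannelRecommended()) {
    return { via: "fallback", accessToken: await legacyAuth(scopes) };
  }
  const pca = await msal.createNestablePublicClientApplication({
    // Assumption: multi-tenant app, hence the "common" authority.
    auth: { clientId, authority: "https://login.microsoftonline.com/common" },
  });
  try {
    // The host brokers the request, so no third-party cookies are involved.
    const result = await pca.acquireTokenSilent({ scopes });
    return { via: "naa-silent", accessToken: result.accessToken };
  } catch (err) {
    // Prompt only when consent or interaction is required; rethrow the rest.
    if (!(err instanceof msal.InteractionRequiredAuthError)) throw err;
    const result = await pca.acquireTokenPopup({ scopes });
    return { via: "naa-interactive", accessToken: result.accessToken };
  }
}

// Constructed stand-ins for both SDKs, used only to exercise the flow offline.
class InteractionRequiredAuthError extends Error {}
function stubSdks({ naa, consented }) {
  const pca = {
    acquireTokenSilent: async () => {
      if (!consented) throw new InteractionRequiredAuthError("consent_required");
      return { accessToken: "silent-token" };
    },
    acquireTokenPopup: async () => ({ accessToken: "popup-token" }),
  };
  return {
    teams: { app: { initialize: async () => {} },
             nestedAppAuth: { isNAAChannelRecommended: () => naa } },
    msal: { InteractionRequiredAuthError,
            createNestablePublicClientApplication: async () => pca },
  };
}
```

Logging the `via` value per host during the cross-environment test step shows which hosts still take the fallback path.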
We value the feedback from our developer community that helped shape NAA into a robust authentication solution. Dive in today to build more secure, consistent, and scalable applications across Microsoft 365.
Happy coding!
Is there any roadmap to support Nested App Authentication on remaining hosts to avoid the need for a fallback mechanism?
Thanks
Are you asking about Office Add-ins?
I’m more interested in Teams tabs auth but that question remains valid for all types of app.
I work with ISVs and startups developing multi-tenant Teams applications published on the store.
As long as a fallback mechanism is still required, I don’t see the point in migrating to this new approach.