Microsoft has released Nested App Authentication (NAA), which simplifies authentication and offers enhanced security and architectural flexibility compared to the traditional full-trust and on-behalf-of authentication models. Because of this, Microsoft is deprecating legacy Exchange Online tokens starting on February 17, 2025. This means all Hybrid and Microsoft Ribbon Phish Alert Buttons (PABs) connected to Microsoft 365 domains will fail unless NAA-SSO is authorized. The legacy Exchange Online tokens can be re-enabled until June 2025.
Due to these changes, we recommend authorizing Graph APIs and NAA-SSO in your Phish Alert account settings. For more information, see Microsoft’s Nested app authentication and Outlook legacy tokens deprecation FAQ.
Prerequisites for NAA-SSO
- Microsoft 365, which requires the Global Administrator role to accept permissions.
- Exchange Online, which requires the Global Administrator role to accept permissions.
- Monthly Enterprise Channel Version 2409 or newer. Older versions will cause the Microsoft Ribbon PAB to time out.
- Semi-Annual Channel Version 2408 or newer. Older versions will cause the Microsoft Ribbon PAB to time out.
- Current Channel Version 2410 or newer.
Additional Prerequisites
NAA-SSO availability will vary depending on the version of Microsoft Office and Microsoft Outlook being used. To determine if your environment supports NAA-SSO, refer to Microsoft's Nested app auth requirement set article. Compatible versions include:
- Microsoft Outlook on Windows (volume-licensed perpetual) Version 2408 (Build 17932.20222) or later.
- Microsoft Outlook on Windows (retail perpetual) Version 2501 (Build 18429.20132) or later.
Important version notes:
- Microsoft Office 2024 (volume-licensed perpetual) will support NAA-SSO.
- Microsoft Office 2021 (volume-licensed perpetual) will still support SSO-OBO for authentication but not NAA-SSO.
- Microsoft Office 2016 and 2019 (volume-licensed perpetual) will not support NAA-SSO or SSO-OBO authentication. For more information on Microsoft Office 2016 and 2019, see Microsoft's documentation.
- Microsoft Outlook on Windows (retail perpetual) Version 2008 (Build 13127.20000) or later will support SSO-OBO authentication.
Accepting Permissions for NAA-SSO
To accept permissions for the NAA-SSO with Microsoft, follow the steps below.
1. Log in to your KSAT account and click on your email address in the top-right corner of the page.
2. Select Account Settings, then navigate to Account Integrations > Phish Alert.
3. Click the drop-down menu to expand your PAB settings.
4. Scroll down and click Authorize NAA-SSO for GRAPH APIs. You’ll be redirected to a Microsoft 365 login page.
Note: You’ll also need to click Accept Microsoft Permissions to Authorize GRAPH APIs for the PAB if those permissions haven’t been previously accepted.
5. Log in to your Microsoft 365 account using your admin credentials.
6. Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
Note: If multiple PAB instances are deployed to different Microsoft 365 tenants, you must accept the permissions to Authorize Graph APIs and NAA-SSO for each PAB instance on each tenant.
7. Once you accept the permissions, the GRAPH Authorization Successful window will display. It can take up to 48 hours after accepting the permissions for NAA-SSO to apply to your users' Microsoft Outlook profiles.
Internet Explorer NAA-SSO
If your organization uses Outlook on Microsoft Edge in Internet Explorer mode or Internet Explorer with Microsoft 365, you need to authorize permissions for Graph APIs and NAA-SSO for the PAB before June 2025 to avoid service interruption. Once permissions are authorized, you can disable legacy Exchange Online tokens and report an email with the PAB to ensure it works correctly.
User Experience
Below is the user experience for Internet Explorer NAA-SSO:
- Click the PAB in the ribbon.
- It will load in the task pane and show a pop-up window.
- Users will need to log in to their Microsoft account the first time they report with the PAB. Note: If users are unable to authenticate with NAA-SSO or SSO-OBO, the PAB will fall back to the interactive authentication mechanism, which requires users to log in to Microsoft the first time they use the PAB.
- Click the Phish Alert button to report the email.
Troubleshooting
Question: Does this require me to redeploy the Phish Alert Button (PAB) XML manifest after authorizing NAA-SSO?
Answer: No, just accepting the permissions will be enough.
Question: I’m receiving the following error: "Your mail server needs a valid authentication token for the Phish Alert Button. If you need assistance with your mail server settings, please contact your admin." How can I resolve it?
Answer: This indicates that the PAB you’re using is trying to authenticate with the deprecated legacy Exchange Online token. Try the following steps to resolve the error:
1. We recommend repeating steps 1-7 in the Accepting Permissions for NAA-SSO section above. If this does not resolve the issue, try redeploying the PAB by following steps 2 through 5 below.
2. Uninstall the current PAB in your Microsoft 365 admin center by going to Settings > Integrated Apps > Add-ins.
3. Find your PAB add-in in the list.
4. Select the add-in and click Remove app.
5. Reinstall the PAB manifest file. See our PAB installation guides for more information.
Note: If you use the Hybrid PAB, we recommend updating the PAB XML manifest before removing and redeploying it. For more information, see our documentation on Updating and Uninstalling the Hybrid PAB.
Question: I'm receiving the following error: "We were unable to process this item. Please try again later." How can I resolve it?
Answer: Toggling on New Outlook should resolve this issue.
Question: What permission scopes does the Graph-enabled PAB use?
Answer: Here are the permission scopes used by the Graph-enabled PAB:
- Mail.Read: This permission allows the PAB to read the user's email and is used to get email headers, attachments and the content of the email body.
- Mail.Read.Shared: This permission allows the PAB to read the emails of shared mailbox users and is used to get email headers, attachments and the content of the email body.
- Mail.ReadWrite: This permission allows the PAB to read and write user emails.
- Mail.ReadWrite.Shared: This permission allows the PAB to read and write emails in shared mailboxes.
- Mail.Send: This permission allows the PAB to send user emails.
- Mail.Send.Shared: This permission allows the PAB to send emails from shared mailboxes, provided that the user has the send-as permission enabled for the shared mailbox.
- openid: This permission allows the PAB to get basic information about the user.
- profile: This permission allows the PAB to access the user’s profile information.
Question: Do I need to authorize Nested App Authentication Single Sign On (NAA-SSO) or Single Sign On On-Behalf-Of (SSO-OBO) for each type of PAB I use?
Answer: NAA-SSO and SSO-OBO authorizations are on a per Microsoft 365 tenant basis. This means that if you have NAA-SSO enabled for Hybrid PAB on your tenant, you don’t need to authorize it for the Microsoft Ribbon PAB or other types of PAB. This is the same for SSO-OBO.
Question: How do I check for the Microsoft Graph API permissions used by the PAB?
Answer: Using your Microsoft Entra portal, you can check the PAB's Microsoft Graph API permissions:
- Log in to your Microsoft Entra admin center and navigate to Applications > Enterprise Applications.
- Filter for the PAB by typing ‘phish alert’ in the filter input box.
- Click the Phish Alert Button entry and review the details shown for it.
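The same check can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example (not KnowBe4's or Microsoft's code): it reads the tenant-wide delegated scopes consented to the PAB service principal and compares them against the scope list given in the earlier answer, flagging scopes that are missing (the PAB will fail) or that go beyond the documented set (worth reviewing before accepting). It assumes the service principal's display name starts with "Phish Alert" and that consent was granted tenant-wide by an admin accepting the prompt; the Microsoft Graph appId used is the well-known one.

```powershell
# Added example, not KnowBe4's or Microsoft's code. Requires the Microsoft.Graph PowerShell SDK.
# Compares consented delegated scopes for the PAB service principal with the documented scope set.
# Assumptions: display name starts with "Phish Alert"; consent is tenant-wide (ConsentType 'AllPrincipals').

# Scopes documented for the Graph-enabled PAB (from the permission scopes answer above).
$ExpectedScopes = @(
    'Mail.Read', 'Mail.Read.Shared',
    'Mail.ReadWrite', 'Mail.ReadWrite.Shared',
    'Mail.Send', 'Mail.Send.Shared',
    'openid', 'profile'
)
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$pabSps = Get-MgServicePrincipal -Filter "startswith(displayName,'Phish Alert')"
if (-not $pabSps) {
    throw "No 'Phish Alert' service principal found; the permissions were probably never accepted in this tenant."
}
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

foreach ($sp in $pabSps) {
    Write-Host "== $($sp.DisplayName) (appId $($sp.AppId))"

    # Tenant-wide delegated grants issued by this client, restricted to the Microsoft Graph resource.
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals'" |
        Where-Object { $_.ResourceId -eq $graphSp.Id }
    if (-not $grants) {
        Write-Warning 'No tenant-wide Graph consent recorded; repeat the Authorize steps.'
        continue
    }

    # Each grant's Scope is a space-separated string; merge all grants into one de-duplicated set.
    $granted = $grants.Scope -split ' ' | Where-Object { $_ } | Sort-Object -Unique
    $missing = $ExpectedScopes | Where-Object { $_ -notin $granted }
    $extra   = $granted        | Where-Object { $_ -notin $ExpectedScopes }

    Write-Host "Granted: $($granted -join ', ')"
    if ($missing) { Write-Warning "Missing scopes (PAB may fail): $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Scopes beyond the documented set, review before accepting: $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { Write-Host 'Consent matches the documented scope set.' }
}
```

Run it once per Microsoft 365 tenant, since consent is recorded per tenant; a tenant that still shows no Graph grant is one where the PAB will fall back to the deprecated legacy token.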
Question: What should I do if I enabled NAA-SSO, but the Hybrid PAB didn’t work for my environment?
Answer: Check if the PAB permissions were accepted for NAA-SSO and Graph APIs for the PAB. The permissions table will look similar to this:
If you’ve confirmed that the permissions have been accepted and the issue still isn’t resolved, contact our support team.
Question: How long do the permissions take to update once accepted?
Answer: Permissions are updated almost instantly for browsers and new Outlook clients. However, for Windows Outlook clients, it might take some time to update. If you’re using a Windows Outlook client and your permissions are taking a while to update, we suggest deleting the WEF or cache folder of Windows Outlook.
Question: Will our users notice any difference once we authorize NAA-SSO?
Answer: The only difference users will see is that it may say Graph in the top right corner after they click the PAB to report an email.