Configuring nested app authentication for Office add-ins
Nested app authentication (NAA) for Office add-ins replaces legacy Exchange tokens with Microsoft Entra ID policies, as required by Microsoft’s security standards. This ensures compliance with Exchange data access protocols and supports secure authentication workflows. Account owners and admins can configure NAA via the Azure portal and manage it directly within the Zoom web portal.
Requirements for configuring nested app authentication (NAA) for Office add-ins
Note: Nested app authentication (NAA) is only supported with Exchange Online. Organizations using Exchange 2019 (or other on-premises versions of Exchange) will need to continue utilizing legacy Exchange user identity tokens and callback tokens, as these are not blocked in on-premises environments.
How to configure NAA for Office add-ins
Enable NAA in the Zoom web portal
- Sign in to the Zoom web portal.
- Click Account Management, then Account Settings.
- Click the Mail & Calendar tab.
- Under Integrations, click the Enable Nested app authentication for Outlook Add-in SSO toggle to enable or disable the option.
- If a verification dialog appears, click Accept to grant Zoom the necessary access.
Note: If you have not already done so, enter the Office 365 administrator username and password in the dialog box that appears.
(Optional) Create custom Azure application
Admins can create their own Azure application if preferred. Once configured, a request must be submitted to Zoom Support to enable the use of the custom Azure app.
- Sign in to the Azure portal.
- In the navigation menu, click App registrations, then click New registration.
- Under Name, type Zoom-Office-Add-in-NAA.
- Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com).
- Under Redirect URL (optional), select Single-page application (SPA), then enter brk-multihub://zoom.us.
- Click Register.
- In the navigation menu, expand the Manage section, then click API permissions.
- Under Microsoft Graph, next to User.Read, click Remove permission.
- Click Add a permission, then select Microsoft Graph.
- Click Delegated permissions.
- Under Permission, select Calendars.Read, then click Add permissions.
- Click Authentication.
- Under Add URL, add the following redirect URLs:
- Click Save.
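
To confirm that a custom app registration matches the steps above before submitting the request to Zoom Support, the registration can be exported and checked offline. The script below is an added example, not Zoom's or Microsoft's code; it assumes the JSON comes from `az ad app show --id <application-id>`, uses a constructed sample in place of a real export, and checks only the values stated in the steps (the additional redirect URLs from the Authentication step are not checked).

```python
import json

GRAPH = "00000003-0000-0000-c000-000000000000"           # Microsoft Graph resource app ID
CALENDARS_READ = "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42"  # delegated Calendars.Read
USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"       # delegated User.Read
BROKER_URI = "brk-multihub://zoom.us"
AUDIENCE = "AzureADandPersonalMicrosoftAccount"  # any org directory + personal accounts

# Constructed sample: single-tenant audience and User.Read left in place.
SAMPLE_JSON = """{
  "displayName": "Zoom-Office-Add-in-NAA",
  "signInAudience": "AzureADMyOrg",
  "spa": {"redirectUris": ["brk-multihub://zoom.us"]},
  "web": {"redirectUris": []},
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
      {"id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42", "type": "Scope"}]}]
}"""

def audit_app(app):
    """Return findings; an empty list means the registration matches the steps."""
    findings = []
    if app.get("signInAudience") != AUDIENCE:
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected {AUDIENCE!r}")
    if BROKER_URI not in ((app.get("spa") or {}).get("redirectUris") or []):
        findings.append(f"{BROKER_URI} is not registered as an SPA redirect")
    for platform in ("web", "publicClient"):  # the steps register it under SPA only
        if BROKER_URI in ((app.get(platform) or {}).get("redirectUris") or []):
            findings.append(f"{BROKER_URI} is registered under {platform}; the steps use SPA")
    requested = {(res.get("resourceAppId"), acc.get("id"), acc.get("type"))
                 for res in app.get("requiredResourceAccess") or []
                 for acc in res.get("resourceAccess") or []}
    wanted, leftover = (GRAPH, CALENDARS_READ, "Scope"), (GRAPH, USER_READ, "Scope")
    if wanted not in requested:
        findings.append("delegated Calendars.Read is not requested")
    if leftover in requested:
        findings.append("User.Read is still requested; the steps remove it")
    for res_id, perm_id, kind in sorted(requested - {wanted, leftover}, key=str):
        findings.append(f"permission outside the steps: {perm_id} ({kind}) on {res_id}")
    return findings

if __name__ == "__main__":
    for finding in audit_app(json.loads(SAMPLE_JSON)):
        print("FINDING:", finding)
```

Any permission reported as outside the steps, especially one of type Role (an application permission), should be reviewed and removed unless it is there deliberately.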