# Siang Chin
Created on 25/4
TABLE OF CONTENTS
- Product Details
- Issue/ Problem
- Impact
- Solution
- Best Practice
- Summary
Product : KnowBe4
Component : Phish Alert Button
Version : 1.0 Build No. : 1.0
Issue/ Problem :
Microsoft has released Nested App Authentication (NAA), which allows for easier authentication and offers enhanced security and architectural flexibility compared to traditional full-trust and on-behalf-of authentication models. Because of this, Microsoft is deprecating legacy Exchange Online tokens starting on February 17, 2025. As a result, all Hybrid and Microsoft Ribbon Phish Alert Buttons (PABs) connected to Microsoft 365 domains will fail unless NAA with single sign-on (NAA-SSO) is authorized. The legacy Exchange Online tokens can be re-enabled until June 2025.
Impact :
All Hybrid and Microsoft Ribbon Phish Alert Buttons (PABs) connected to Microsoft 365 domains will fail.
Note: If you use the Microsoft Outlook (EXE Version) PAB, these changes will not affect your PAB usage.
Solution :
Authorize Graph APIs and NAA-SSO in your Phish Alert account settings.
Prerequisites for NAA-SSO
- Microsoft 365, which requires the Global Administrator role to accept permissions.
- Exchange Online, which requires the Global Administrator role to accept permissions.
- Monthly Enterprise Channel Version 2409 or newer. Older versions will cause the Microsoft Ribbon PAB to time out.
- Semi-Annual Channel Version 2408 or newer. Older versions will cause the Microsoft Ribbon PAB to time out.
- Current Channel Version 2410 or newer.
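A fleet check for the Outlook version prerequisites above, added here as an example and not KnowBe4's or Microsoft's code. It assumes an inventory export with hypothetical columns `host`, `channel` and `version`, where `version` is the string Outlook shows on its About screen or a bare YYMM number; the sample rows are constructed.

```python
import csv
import io
import re

# Minimum Microsoft 365 Apps version (YYMM) per update channel, taken from the
# prerequisites list. The channel spellings in the export are an assumption.
MIN_VERSION = {
    "monthly enterprise channel": 2409,
    "semi-annual channel": 2408,
    "current channel": 2410,
}

# Matches "Version 2409 (Build ...)" or a bare "2409"; raw build strings do not match.
VERSION_RE = re.compile(r"(?:^|Version\s+)(\d{4})\b", re.IGNORECASE)

def parse_version(text):
    """Return the YYMM version as an int, or None if it cannot be read."""
    match = VERSION_RE.search(text.strip())
    if not match:
        return None
    yymm = int(match.group(1))
    return yymm if 1 <= yymm % 100 <= 12 else None

def check_host(channel, version_text):
    """Classify one Outlook install against its channel minimum."""
    minimum = MIN_VERSION.get(channel.strip().lower())
    if minimum is None:
        return "unknown-channel"  # not covered by the prerequisites; review by hand
    version = parse_version(version_text)
    if version is None:
        return "unparsed-version"
    return "ok" if version >= minimum else "below-minimum"

def audit(inventory_csv):
    """Map each host in the CSV export to its prerequisite status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: check_host(r["channel"], r["version"]) for r in rows}

# Constructed sample export (hypothetical hosts, constructed build numbers).
SAMPLE = """host,channel,version
ws-001,Monthly Enterprise Channel,Version 2409 (Build 18025.20160)
ws-002,Monthly Enterprise Channel,Version 2408 (Build 17928.20216)
ws-003,Semi-Annual Channel,2408
ws-004,Current Channel,Version 2409 (Build 18025.20104)
ws-005,Beta Channel,Version 2502 (Build 18526.20008)
ws-006,Current Channel,16.0.18129.20116
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```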
Accepting Permissions for NAA-SSO
To accept permissions for the NAA-SSO with Microsoft, follow the steps below.
- 1. Log in to your KSAT account and click on your email address in the top-right corner of the page.
- 2. Select Account Settings, then navigate to Account Integrations > Phish Alert.
- 3. Click the drop-down menu to expand your PAB settings.
- 4. Scroll down and click Authorize NAA-SSO for GRAPH APIs. You’ll be redirected to a Microsoft 365 login page. Note: You’ll also need to click Accept Microsoft Permissions to Authorize GRAPH APIs for the PAB if those permissions haven’t been previously accepted.
- 5. Log in to your Microsoft 365 account using your admin credentials.
- 6. Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept. Note: If multiple PAB instances are deployed to different Microsoft 365 tenants, you must accept the permissions to Authorize Graph APIs and NAA-SSO for each PAB instance on each tenant.
- 7. Once you accept the permissions, the GRAPH Authorization Successful window will display. It can take up to 48 hours after accepting the permissions for NAA-SSO to apply to your users' Microsoft Outlook profiles.
Best Practice:
We recommend repeating steps 1-7 in the Accepting Permissions for NAA-SSO section above. If this does not resolve this issue, try redeploying the PAB by following steps 1 through 4 below.
- 1. Uninstall the current PAB in your Microsoft 365 admin center by going to Settings > Integrated Apps > Add-ins.
- 2. Find your PAB add-in in the list.
- 3. Select the add-in and click Remove app.
- 4. Reinstall the PAB manifest file. See our PAB installation guides for more information.
Summary :
Microsoft is retiring legacy Exchange Online tokens starting February 17, 2025, which will cause all Hybrid and Microsoft Ribbon Phish Alert Buttons (PABs) linked to Microsoft 365 to stop working unless Nested App Authentication with SSO (NAA-SSO) is enabled. Outlook EXE version PABs are not affected. To avoid disruption, admins must authorize Graph APIs and NAA-SSO in their Phish Alert settings using Microsoft 365 Global Admin credentials. If problems persist after authorization, redeploying the PAB is recommended.