Important
Actionable Messages (AM) are moving from EAT (External Access Token) to Microsoft Entra ID token authentication. Partners using EAT tokens must update their integration to support AAD tokens for requests from the AM service. Starting November 21st, 2025, we will stop accepting new registrations with EAT (External Access Token).
Register an app in Azure
Note
If you already have an app registration in Azure, skip to the next step.
- Sign in to the Microsoft Entra admin center.
- If you have access to multiple tenants, use the Settings icon to switch to the desired tenant via Directories + subscriptions.
- Go to Identity > Applications > App registrations and select New registration.
- Enter a display name for your application.
- Specify who can use the application in the Supported account types section:
  - Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant): For partners doing a Global scope AM registration.
  - Accounts in this organizational directory only: For Single Tenant App (Org and test scope registration).
- Leave Redirect URI (optional) blank.
- Select Register to complete the registration.
Register a new AM provider
Register a new provider using Actionable Messages (office.com), or use the Migrate to MSEntra button on your existing registration to create a copy.
Fill in the MsEntra Auth section with:
- MsEntra Application ID
- AppIdUri (auto-generated; must be allowlisted in your app as shown in the next section).
Approval and onboarding of the AM registration remain unchanged.
Tip
Use this new registration to test the AAD token scenario end-to-end. Gradually move traffic to the new registration once validated.
Expose an API and pre-authorize the Actions app
Select the Expose an API option from the left navigation pane of the registered app.
Add a URI under the Application ID URI option. Use the AppIdUri generated in the provider registration. Example format:
api://auth-am-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Add the scope for this app under the Add a scope section (e.g., Global.Test).
Choose a value for Who can consent?.
- Admins and users: Consent from either works.
- Admins only (Recommended): Only admin approval works.
Once an admin has granted consent, it applies to the whole tenant and users are not prompted again.
Go to Add a client application and authorize the Actions app ID 48af08dc-f6d2-435f-b2a7-069abd99c086 for the scopes created above.
Validate the AAD token
Upon receiving the token in the request from the Actions service, partners should validate it. For details on validating tokens, see Access tokens in the Microsoft identity platform.
There are also code samples for Microsoft identity platform authentication and authorization for validation in your preferred language/framework.
Sample token
{
  "alg": "RS256",
  "kid": "27643737-6767-4678-9714-96485a53e23b",
  "typ": "JWT"
}.{
  "aud": "https://graph.microsoft.com/",
  "iss": "https://login.microsoftonline.com/1234567890",
  "iat": 1673495600,
  "nbf": 1673495600,
  "exp": 1673499200,
  "aio": "AWQAm/8TAAAAbIRXVv66AlGAbTpvmfbtyMHZVpuhGjjasLVHf73tIlZI6dtwBFJQFCXUTDLxNnopKxopumbIJAMd3LqIQ==",
  "azp": "1234567890-abcdefghijklmnopqrstuv",
  "amr": [
    "pwd"
  ],
  "family_name": "Doe",
  "given_name": "John",
  "groups": [
    "Admins",
    "Users"
  ],
  "preferred_username": "john.doe@contoso.com",
  "sub": "AUCeKGQXBnSqpWfTYEk0li8TyNul1QSuSxcPplBAwaQ",
  "tid": "1234567890",
  "uti": "yvEyycOza9zpyjmgkdDqA",
  "ver": "2.0"
}.[Signature]
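The checks a partner endpoint would run on the token sent by the Actions service, as an added example (not Microsoft's code and not part of the original page). It pins RS256 and verifies the signature with the standard library only, standing in for a maintained JWT library, then checks audience, tenant and issuer, calling app, scope and lifetime. Assumptions: the caller's app ID arrives in `azp` (v2.0) or `appid` (v1.0) and the scope in `scp`; `validate_am_token` and its parameters are hypothetical names.

```python
import base64, hashlib, hmac, json, time

ACTIONS_APP_ID = "48af08dc-f6d2-435f-b2a7-069abd99c086"  # Actions app ID given on the page
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

def b64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def rs256_ok(signing_input, sig, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256: rebuild the expected block and compare it whole."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def validate_am_token(token, keys, audiences, tenants, scope, now=None, skew=300):
    """Return the claims if every check passes, else raise ValueError.
    keys: {kid: (n, e)} built from the signing keys the issuer publishes (assumed input)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        # dict() rejects JSON values that are not objects
        header, claims = dict(json.loads(b64url(h64))), dict(json.loads(b64url(p64)))
        sig = b64url(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":  # pin the algorithm; never let the header choose
        raise ValueError("unexpected alg")
    key = keys.get(str(header.get("kid")))
    if key is None or not rs256_ok(f"{h64}.{p64}".encode(), sig, *key):
        raise ValueError("bad signature")
    # Everything below reads claims that are now authenticated.
    if claims.get("aud") not in audiences:  # your AppIdUri and/or the app's client ID
        raise ValueError("wrong audience")
    tid = claims.get("tid")
    # Entra ID issuer formats for v2.0 and v1.0 tokens
    issuers = (f"https://login.microsoftonline.com/{tid}/v2.0", f"https://sts.windows.net/{tid}/")
    if tid not in tenants or claims.get("iss") not in issuers:
        raise ValueError("wrong tenant or issuer")
    if (claims.get("azp") or claims.get("appid")) != ACTIONS_APP_ID:
        raise ValueError("caller is not the Actions app")
    if scope not in str(claims.get("scp", "")).split():
        raise ValueError("missing scope")
    if not (claims.get("nbf", 0) - skew <= now < claims.get("exp", 0) + skew):
        raise ValueError("outside validity window")
    return claims
```

Pass `audiences` and `tenants` as tuples of strings; for a Single Tenant App, `tenants` holds only your own tenant ID.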
Get approval from admins
For a Global scope actionable message registration to work in any tenant, the tenant admin must consent to the app hosting the target URL. Admins can grant consent using the Actionable Email Developer Dashboard page.
Go to the Actionable Email Developer Dashboard and select the Consent 3P Apps button (top right).
The Admin Consent Dashboard will open, listing all 3P providers. Apps that need consent show an Approve button.
Select a provider row to review details.
Select Approve to trigger the consent flow. Sign in and review the requested permissions.
Ensure Consent on behalf of your organization is selected for tenant-wide consent.
Select Accept to grant consent. The Microsoft Entra app is now authorized in your tenant. The browser redirects back to the dashboard where the app status is Approved.
If status remains Approving, use the Refresh button to update.
Use the search bar to find a provider by Name, Provider ID, or Microsoft Entra ID.
To remove consent, open the Azure portal and select Enterprise Applications. Search for the app's service principal, and delete it in Properties.