remove legacy reccomendation (#5102)

mattgeim · web-flow · commit d64d564da856 · 2025-03-31T19:13:40.000-07:00
* Update authenticate-a-user-with-an-sso-token.md

update to remove legacy token recommendation

* Update authenticate-a-user-with-an-sso-token.md

* Update authenticate-a-user-with-an-sso-token.md
diff --git a/docs/outlook/authenticate-a-user-with-an-sso-token.md b/docs/outlook/authenticate-a-user-with-an-sso-token.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
 ---
 
 # Authenticate a user with a single-sign-on token in an Outlook add-in
+[!INCLUDE [legacy-exchange-token-deprecation](../includes/legacy-exchange-token-deprecation.md)]
 
 Single sign-on (SSO) provides a seamless way for your add-in to authenticate users (and optionally to obtain access tokens to call the [Microsoft Graph API](/graph/overview)).
 
@@ -51,9 +52,6 @@ The add-in gets an SSO token with client-side script. For more information, see
 
 In most scenarios, there would be little point to obtaining the access token, if your add-in does not pass it on to a server-side and use it there. For details on what your server-side could and should do, see [Add server-side code](../develop/sso-in-office-add-ins.md#pass-the-access-token-to-server-side-code).
 
-> [!IMPORTANT]
-> When using the SSO token as an identity in an *Outlook* add-in, we recommend that you also [use the Exchange identity token](authenticate-a-user-with-an-identity-token.md) as an alternate identity. Users of your add-in may use multiple clients, and some may not support providing an SSO token. By using the Exchange identity token as an alternate, you can avoid having to prompt these users for credentials multiple times. For more information, see [Scenario: Implement single sign-on to your service in an Outlook add-in](implement-sso-in-outlook-add-in.md).
-
 ## SSO for event-based activation or integrated spam reporting
 
 There are additional steps to take if your add-in uses event-based activation or integrated spam reporting (preview). For more information, see [Use single sign-on (SSO) or cross-origin resource sharing (CORS) in your event-based or spam-reporting Outlook add-in](use-sso-in-event-based-activation.md).
