Microsoft continues its long‑term modernization of Microsoft 365 by eliminating legacy authentication technologies and enforcing modern, identity‑driven security models. One of the most impactful changes for SharePoint developers and administrators is the retirement of Azure Access Control Service (ACS).
As of 2 April 2026, Microsoft has fully retired Azure ACS authentication for SharePoint Online. Any SharePoint application, automation, or integration still relying on ACS app‑only tokens is no longer supported and may stop functioning without warning.
This change is not a suggestion or future deprecation. It is a hard retirement with no extension option.
If your organization uses legacy SharePoint Add‑ins, background services, console applications, or automation scripts built on Azure ACS, this article explains:
- What Azure ACS was and how it worked
- Why Microsoft retired ACS
- What breaks after April 2026
- The modern replacement using Azure Active Directory (Microsoft Entra ID)
- How to migrate safely and correctly
- Official Microsoft documentation links for further guidance
Overview: Azure ACS Retirement at a Glance
Microsoft confirmed the Azure ACS retirement in multiple communications, including Microsoft Learn documentation and Microsoft 365 Message Center notice MC693863.
Key Dates
- 1 November 2024: Azure ACS disabled by default for new tenants (tenant admins could still re‑enable it until the retirement date)
- 2 April 2026: Azure ACS fully retired for all tenants; token issuance permanently stopped
Microsoft documentation states there is no workaround, extension, or support path beyond this date.
Official Microsoft documentation:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs
What Was Azure ACS in SharePoint?
Azure Access Control Service Explained
Azure Access Control Service (ACS) was a legacy authentication service introduced in the early days of SharePoint Online. It enabled the SharePoint Add‑in (App‑Only) model, allowing applications to authenticate without a signed‑in user.
Using ACS, applications could authenticate by presenting a Client ID and Client Secret and receive an OAuth token for SharePoint Online.
What Azure ACS Enabled
Azure ACS allowed applications to:
- Access SharePoint Online without user sign‑in
- Run unattended background operations
- Execute scheduled jobs or automation tasks
- Read and write SharePoint data across site collections
Common Scenarios That Used ACS
Azure ACS was widely used in:
- Console applications
- Windows services
- PowerShell automation scripts
- Scheduled background jobs
- Legacy SharePoint provider‑hosted Add‑ins
If your solution was registered or granted permissions through either of the following pages, it relied on ACS:
- /_layouts/15/appregnew.aspx (registers an app principal and generates its Client ID and Client Secret)
- /_layouts/15/appinv.aspx (grants that principal permissions through an AppPermissionRequests XML block)
Why Azure ACS Is No Longer Supported
Although Azure ACS served SharePoint for more than a decade, it does not meet modern security or compliance standards.
Key Limitations of Azure ACS
1. Weak Credential Model
- The only supported credential was a client secret, typically stored in web.config, a JSON file or a script
- A leaked secret is a complete compromise until it expires or is replaced
- No certificate or other proof‑of‑possession option
2. Coarse Permissions
- appinv.aspx grants Read, Write, Manage or FullControl at tenant, site collection, web or list scope, and in practice most integrations were simply granted tenant‑wide FullControl
- Grants are reviewed site by site rather than from one tenant‑wide inventory
3. No Conditional Access Support
- ACS tokens are issued outside Microsoft Entra ID, so Conditional Access for workload identities, sign‑in logs and risk detection never see them
- No Zero Trust alignment
4. Limited Auditing and Governance
- App‑only activity does not appear in Entra sign‑in logs
- Difficult to track or review which apps hold access
Because of these limitations, Microsoft retired ACS as a general Azure service in November 2018 but kept the SharePoint‑specific ACS endpoint running. That extension officially ended in April 2026.
Microsoft 365 Message Center notice MC693863 (community mirror):
https://mc.merill.net/message/MC693863
What Broke After 2 April 2026?
If your SharePoint application or automation relied on any of the following, it is affected:
- The ACS token endpoint, https://accounts.accesscontrol.windows.net
- Client ID and Client Secret authentication registered through appregnew.aspx
- App‑only tokens issued by ACS
- Permissions granted through appinv.aspx
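The markers above are exactly what an inventory should look for, and finding them is also the first step of the migration ("Identify ACS‑based applications"). The following PowerShell script is an added example written for this article, not code from the original post or from Microsoft: it scans a folder of source and configuration files for ACS indicators and parses any appinv/AppManifest permission XML so that tenant‑scoped FullControl grants stand out. The two sample files it writes to a temp folder are constructed for the demo; point Find‑AcsUsage at your own repositories, web.config folders or script shares.

```powershell
# Added example, not from the original article: inventory ACS dependencies in a
# folder of source and configuration files. The sample files written to a temp
# folder below are constructed for the demo.

# Strings that only appear in ACS-based SharePoint authentication.
$AcsMarkers = @(
    'accounts.accesscontrol.windows.net',     # ACS token endpoint
    '00000001-0000-0000-c000-000000000000',   # ACS principal ID used in realm/resource strings
    'GetACSAppOnlyContext',                   # PnP Framework / OfficeDevPnP ACS helper
    'TokenHelper',                            # Visual Studio Add-in template helper that talks to ACS
    'AppPermissionRequests',                  # appinv.aspx / AppManifest.xml permission XML
    'ClientSecret'                            # ACS credential (Entra + SharePoint APIs use certificates instead)
)

function Get-AppInvScope {
    # Parses appinv.aspx / AppManifest.xml permission XML and returns one row per
    # requested right, flagging tenant-scoped requests.
    param([string]$Xml)
    try { $doc = [xml]$Xml } catch { return @() }
    foreach ($req in $doc.GetElementsByTagName('AppPermissionRequest')) {
        [pscustomobject]@{
            Scope      = $req.GetAttribute('Scope')
            Right      = $req.GetAttribute('Right')
            TenantWide = ($req.GetAttribute('Scope') -eq 'http://sharepoint/content/tenant')
        }
    }
}

function Find-AcsUsage {
    # Returns one row per marker hit and one row per permission request found.
    param([Parameter(Mandatory)][string]$Root)
    $exts  = '.config', '.json', '.ps1', '.psm1', '.cs', '.xml', '.js'
    $files = Get-ChildItem -Path $Root -Recurse -File | Where-Object { $exts -contains $_.Extension }
    foreach ($f in $files) {
        foreach ($h in Select-String -Path $f.FullName -Pattern $AcsMarkers -SimpleMatch) {
            [pscustomobject]@{ File = $f.Name; Line = $h.LineNumber; Marker = $h.Pattern; Text = $h.Line.Trim() }
        }
        if ($f.Extension -eq '.xml') {
            foreach ($s in Get-AppInvScope (Get-Content -Raw -Path $f.FullName)) {
                [pscustomobject]@{ File = $f.Name; Line = 0; Marker = 'Permission'
                                   Text = "$($s.Right) @ $($s.Scope) (tenant-wide: $($s.TenantWide))" }
            }
        }
    }
}

# --- Constructed sample input: a web.config and an AppManifest.xml as a legacy
# --- provider-hosted Add-in would ship them. Values are placeholders.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'acs-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<appSettings>
  <add key="ClientId" value="11111111-2222-3333-4444-555555555555" />
  <add key="ClientSecret" value="PLACEHOLDER-ACS-SECRET" />
  <add key="TokenEndpoint" value="https://accounts.accesscontrol.windows.net/REALM/tokens/OAuth/2" />
</appSettings>
'@ | Set-Content -Path (Join-Path $demo 'web.config')
@'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
'@ | Set-Content -Path (Join-Path $demo 'AppManifest.xml')

Find-AcsUsage -Root $demo | Format-Table -AutoSize
```

Run it against every repository and server folder that hosts SharePoint automation; a "Permission" row with tenant‑wide true is the grant you will want to replace with Sites.Selected rather than carry over to the new app registration.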
Impact After Retirement
After 2 April 2026:
- ACS tokens are no longer issued
- REST and CSOM calls fail because no access token can be acquired
- Background jobs stop running
- Automation scripts fail at token acquisition, often unnoticed until a downstream process is missing data
- Third‑party integrations may fail unexpectedly
Microsoft explicitly states that no extension or workaround exists.
The Modern Replacement: Azure AD App‑Only Authentication
Microsoft requires all SharePoint app‑only access to migrate to Azure Active Directory (Microsoft Entra ID).
What Is Azure AD (Entra ID) App‑Only Model?
The Azure AD App‑Only model uses the OAuth 2.0 client credentials grant to authenticate the application itself, with no user involved.
Key characteristics:
- App registration in Azure AD
- Certificate‑based authentication (required for the SharePoint REST and CSOM APIs)
- Fine‑grained permission control, down to individual sites with Sites.Selected
- Microsoft Graph integration
Official documentation:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
High‑Level Migration Flow
Migrating from Azure ACS to Azure AD involves a clear sequence of steps.
Migration Steps
- Identify ACS‑based applications
- Register a new app in Azure AD
- Configure certificate‑based authentication
- Assign SharePoint or Graph permissions
- Grant admin consent
- Update application authentication logic
- Test and validate in non‑production
ACS vs Azure AD: Key Differences
| Area | Azure ACS (Retired) | Microsoft Entra ID (Current) |
|---|---|---|
| Credential | Client secret only | X.509 certificate (required for SharePoint REST/CSOM; Graph also accepts a secret) |
| Credential storage | Static secret in config files | Private key in a certificate store or key vault; the key itself is never sent on the wire |
| Permissions | Tenant, site collection, web or list scope via appinv.aspx; tenant‑wide in practice | Tenant‑wide (Sites.*.All) or per‑site (Sites.Selected) |
| Conditional Access | Not applicable; tokens issued outside Entra | Workload identity policies and sign‑in logs |
| Microsoft Graph | Not supported | Fully integrated |
| Status | Retired 2 April 2026 | Actively supported |
Why Certificate‑Based Authentication Is Mandatory
Entra ID rejects client secrets for app‑only calls to the SharePoint REST and CSOM APIs: a token obtained with a secret is answered with HTTP 401 and the message "Unsupported app only token". App‑only calls through Microsoft Graph do accept a secret, but Microsoft recommends certificates for both.
Why Microsoft Enforces Certificates
- Strong identity verification: the app proves possession of a private key by signing its token request, and the key never leaves the host or key vault
- Protection against leaked secrets: nothing usable sits in a config file
- Rotatable and expirable credentials
- Enterprise compliance requirements
Certificates serve as proof of application identity and replace insecure static secrets.
Certificate guidance:
https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials
Two Ways to Register Azure AD Applications
Option 1: Automatic Registration (Recommended)
Using PnP PowerShell (Register‑PnPEntraIDApp), you can:
- Register the app automatically
- Generate a self‑signed certificate
- Upload the public key to the app registration
- Request permissions and trigger the admin consent prompt
- Export the .PFX (private key) and .CER (public key) files
Best suited for:
- Faster setup
- Automation‑driven environments
- Reduced manual errors
PnP PowerShell documentation:
https://pnp.github.io/powershell/articles/authentication.html
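The following script is an added example written for this article, not code from the original post or from the PnP project. It carries out the migration steps listed earlier (register, certificate, permissions, consent) with PnP PowerShell in one run, and then adds the per‑site grant that Sites.Selected needs. Tenant, app name, site URL, output folder and the admin's own app registration ID are placeholders; cmdlet and parameter names are those of PnP.PowerShell 2.x on PowerShell 7, so confirm them with Get‑Help on your version.

```powershell
# Added example, not from the original article or the PnP project. Placeholders
# below must be replaced; requires the PnP.PowerShell module on PowerShell 7.

$Tenant     = 'contoso.onmicrosoft.com'                       # placeholder
$AppName    = 'Contoso-Invoice-Sync'                           # placeholder
$SiteUrl    = 'https://contoso.sharepoint.com/sites/Finance'   # placeholder
$AdminAppId = '00000000-0000-0000-0000-000000000000'           # placeholder: app registration used for interactive admin logins
$OutPath    = Join-Path $HOME 'entra-app'
$PfxPwd     = Read-Host -Prompt 'Password for the exported .pfx' -AsSecureString
New-Item -ItemType Directory -Path $OutPath -Force | Out-Null

# 1. Create the app registration, a self-signed certificate (public half uploaded
#    to the registration, private half exported as .pfx) and the admin-consent
#    prompt in one step. Requesting only Sites.Selected means the app can reach
#    no site at all until step 2 grants it one; leaving these parameters out
#    requests broad defaults (Sites.FullControl.All among them), i.e. the
#    tenant-wide grant this article warns against.
$app = Register-PnPEntraIDApp -ApplicationName $AppName -Tenant $Tenant `
    -OutPath $OutPath -CertificatePassword $PfxPwd -ValidYears 1 `
    -SharePointApplicationPermissions 'Sites.Selected' `
    -GraphApplicationPermissions 'Sites.Selected' `
    -Interactive
$app | Format-List           # Pfx file, Cer file, AzureAppId/ClientId, Certificate Thumbprint
$ClientId = $app.'AzureAppId/ClientId'   # property name as displayed above; adjust if your version differs

# 2. Grant the new app Write on exactly one site. The grant is stored on the
#    site, so reviewers can list it later with Get-PnPAzureADAppSitePermission.
#    The identity running this step needs Sites.FullControl.All itself; an
#    interactive admin login supplies that here.
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $AdminAppId
Grant-PnPAzureADAppSitePermission -AppId $ClientId -DisplayName $AppName `
    -Permissions Write -Site $SiteUrl
Get-PnPAzureADAppSitePermission -Site $SiteUrl

# 3. Hand-off: the job host needs only the client ID, tenant and the .pfx (or the
#    thumbprint of the same certificate imported into its store). Move the .pfx
#    off this workstation and delete it here; it is the private key.
"ClientId: $ClientId"
"Cer file (public, already uploaded): $($app.'Cer file')"
"Pfx file (private, move to the job host or a key vault, then delete): $($app.'Pfx file')"
```

The .pfx produced in step 1 is the only secret‑equivalent artifact in this flow, so treat it like the old client secret it replaces: import it into the certificate store of the host that runs the job (or into Azure Key Vault) and remove the file. Repeat step 2 for each additional site rather than widening the permission.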
Option 2: Manual Registration
Using the Azure Portal, administrators can:
- Create app registrations
- Upload certificates manually
- Assign Graph or SharePoint permissions
- Grant admin consent
Best suited for:
- Enterprise security reviews
- High‑compliance environments
- Manual control and approvals
Azure Portal app registration guide:
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
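For the manual path the certificate is the only part that is scripted; the upload and permission grant happen in the portal. The following is an added example written for this article, not code from the original post or from Microsoft: it creates a non‑exportable signing certificate with the Windows PKI module, exports only the public .cer for upload, and includes a rotation check for certificates nearing expiry. App name and paths are placeholders.

```powershell
# Added example, not from the original article: certificate for a manual
# (portal) registration. Only the public .cer goes to Entra (App registrations
# > Certificates & secrets > Upload certificate); the private key stays in the
# certificate store of the host that runs the job. Placeholders must be replaced.

$AppName = 'Contoso-Invoice-Sync'   # placeholder
$Store   = 'Cert:\CurrentUser\My'   # use Cert:\LocalMachine\My (run elevated) for a job running as a service account
$CerPath = Join-Path $HOME "$AppName.cer"

function New-AppOnlyCertificate {
    # RSA-2048 / SHA-256 signing key, non-exportable: nothing leaves this machine
    # except the public half, and copying the store files does not yield a usable key.
    param([string]$Subject, [string]$StoreLocation, [int]$ValidYears = 1)
    New-SelfSignedCertificate -Subject "CN=$Subject" `
        -CertStoreLocation $StoreLocation `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears($ValidYears)
}

function Get-ExpiringAppCertificates {
    # Rotation check: app-only certificates in the store that expire within $Days days.
    param([string]$StoreLocation, [string]$SubjectPrefix, [int]$Days = 30)
    Get-ChildItem -Path $StoreLocation |
        Where-Object { $_.Subject -like "CN=$SubjectPrefix*" -and $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Thumbprint, NotAfter
}

$cert = New-AppOnlyCertificate -Subject $AppName -StoreLocation $Store
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null   # public key only; this is the file to upload
"Upload $CerPath in the portal, then put this thumbprint in the job configuration: $($cert.Thumbprint)"

# Rotation: before this certificate expires, create a new one with the same
# function, upload its .cer as a second credential on the app registration,
# switch the job to the new thumbprint, then remove the old certificate from
# both the store and the portal. This check is meant for a scheduled task.
Get-ExpiringAppCertificates -StoreLocation $Store -SubjectPrefix $AppName
```

Because the key is non‑exportable, the job must run on the machine (and under the account) whose store holds it; if the job needs to move hosts, issue a separate certificate per host instead of exporting one.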
SharePoint Permissions: What You Actually Need
Microsoft Graph Permissions (Preferred)
- Sites.Read.All
- Sites.ReadWrite.All
- Sites.Selected
SharePoint API Permissions (for REST and CSOM)
- Sites.Read.All
- Sites.ReadWrite.All
- Sites.FullControl.All
- Sites.Selected
Best Practice: Least Privilege
Microsoft strongly recommends using Sites.Selected wherever possible. By itself it grants access to no site; an administrator then adds a per‑site grant (Read, Write, Manage or FullControl) through the Graph sites permissions API or PnP PowerShell, so the app can reach only the approved site collections.
Sites.Selected documentation:
https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions
Consuming SharePoint with Azure AD App‑Only Access
Once migrated:
- Authentication uses a certificate, referenced by thumbprint or loaded from a PFX file
- Tokens are issued by Entra ID
- SharePoint access happens via Graph, REST or CSOM
- Existing CSOM and PnP logic remains mostly unchanged
The primary change is how authentication is performed, not how SharePoint data is accessed.
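The following is an added example written for this article, not code from the original post or from the PnP project: a scheduled job after migration, with the retired ACS connect line left in as a comment for comparison. Beyond the connect call it adds two checks a practitioner will want: that the token now comes from Entra ID rather than ACS, and that a Sites.Selected app is actually refused on a site with no grant. Tenant, client ID, thumbprint, site URLs and list name are placeholders; the -Decoded switch of Get‑PnPAccessToken is used as documented for PnP.PowerShell 2.x and is an assumption to verify on your version.

```powershell
# Added example, not from the original article. Placeholders must be replaced.

$Tenant     = 'contoso.onmicrosoft.com'                        # placeholder
$ClientId   = '00000000-0000-0000-0000-000000000000'            # placeholder: Entra application (client) ID
$Thumbprint = '0000000000000000000000000000000000000000'        # placeholder: certificate in the job host's store
$SiteUrl    = 'https://contoso.sharepoint.com/sites/Finance'    # site that has a Sites.Selected grant
$OtherSite  = 'https://contoso.sharepoint.com/sites/HR'         # site that has no grant

# Before (ACS; token endpoint gone since 2 April 2026):
# Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -ClientSecret $Secret

# After: certificate-based Entra ID app-only. No secret in the script or its config.
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint

# Check that the token comes from Entra ID and not from ACS. ACS tokens carried
# the issuer "00000001-0000-0000-c000-000000000000@<realm>"; Entra v1 tokens for
# SharePoint carry "https://sts.windows.net/<tenant-id>/".
$jwt = Get-PnPAccessToken -ResourceTypeName SharePoint -Decoded   # -Decoded: assumption, verify on your PnP version
if ($jwt.Issuer -notlike 'https://sts.windows.net/*') {
    throw "Unexpected token issuer: $($jwt.Issuer)"
}

# Existing data-access logic: unchanged by the migration.
Get-PnPListItem -List 'Invoices' -PageSize 500 |
    Select-Object -First 5 -Property Id, @{ n = 'Title'; e = { $_['Title'] } }

# Least-privilege check: with Sites.Selected the same credential must be refused
# on a site that has no grant. A success here means someone granted more than intended.
try {
    Connect-PnPOnline -Url $OtherSite -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
    Get-PnPWeb | Out-Null
    Write-Warning "App can read $OtherSite although no Sites.Selected grant exists there"
}
catch {
    "Access to $OtherSite correctly denied: $($_.Exception.Message)"
}
```

Keep the negative check in the job's smoke test: it is the cheapest way to notice that an administrator has later widened the app's permissions from Sites.Selected to a tenant‑wide Sites.*.All role.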
Why This Migration Is Mandatory
From April 2026 onward:
- ACS‑based apps cannot authenticate
- Microsoft Support will not assist with ACS issues
- Security audits will flag legacy authentication
- Automation failures may cause business impact
This is not a technology upgrade. It is a platform survival requirement.
Recommended Next Steps
- Audit existing SharePoint applications
- Identify ACS usage
- Plan migration timelines
- Replace secrets with certificates
- Prefer Microsoft Graph over legacy APIs
- Test in staging environments
- Communicate changes to stakeholders
Official Microsoft Resources
Azure ACS retirement announcement
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs
Azure AD app‑only access to SharePoint
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
Microsoft 365 Message Center notice MC693863 (community mirror)
https://mc.merill.net/message/MC693863
App registration overview
https://learn.microsoft.com/en-us/entra/identity-platform/app-registration
Final Thoughts
Azure Access Control Service is officially history. Microsoft Entra ID app‑only authentication is the present and the future of SharePoint automation.
Organizations that migrate early benefit from:
- Improved security posture
- Better governance
- Modern integration capabilities
- Long‑term Microsoft support
If your SharePoint solutions still depend on ACS, the window to act may already be closing. The safest course is to migrate now and remove all legacy authentication dependencies.