Starting March 2026, Microsoft Entra ID will no longer support SP-less authentication behavior.
Starting March 31, 2026, Microsoft Entra ID will no longer support service principal-less authentication behavior. This change aims to strengthen security in Microsoft Entra ID by ensuring that all applications active in a tenant have an associated service principal.
All applications making service principal-less authentication requests in a tenant will be impacted unless action is taken by March 31, 2026.
Learn more about required actions: Retire Service Principal-Less Authentication - Microsoft identity platform | Microsoft Learn
What happens to service principal-less authentication after March 31, 2026?
Microsoft Entra ID will block authentication for multi-tenant applications that are currently able to authenticate without an enterprise application registration in tenants. This behavior has already been blocked for most resources, but we’re now addressing a few remaining exceptions. This scenario is also known as service principal-less authentication and is a preventive security measure. Service principal-less authentication issues tokens without permissions and without an object identifier (object ID).
Why we’re making these changes
We’re deprecating service principal-less authentication behavior by making a client service principal a requirement for all applications, to improve our “Security by default” posture (see authentication behaviors). Service principal-less authentication can be abused if resource applications, such as APIs, perform incomplete validations. Microsoft has verified that validations are not vulnerable to service principal-less authentication. However, this action minimizes the risk of the gap re-appearing in future versions or being exploited in third-party resources outside Microsoft’s control.
Additionally, by enforcing the requirement that applications must be registered in every tenant where they authenticate, we’re reinforcing tenant administrators’ governance of all access, including the ability to write Conditional Access policies for these applications.
Required action
Tenant administrators can verify access for applications, provision them, and check the tokens on their own. Tenant administrators should use sign-in logs to identify impacted applications by following the steps in the "Service principal-less authentication mitigation" document. They will also receive an email listing the named applications.
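As an added example (not Microsoft's code or the document referenced above), the following shows how an administrator or resource owner can recognize the token shape described here: a service principal-less token has no `oid` claim and no `roles`, while a provisioned application's token has both. The tenant ID, app ID and the unsigned sample tokens are constructed for illustration; a real resource must verify the signature before reading any claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: the signature
    is not verified here, so call this on tokens your middleware has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def is_sp_less(claims: dict) -> bool:
    """Service principal-less tokens carry no object ID (oid) and no permissions (roles)."""
    return "oid" not in claims and not claims.get("roles")


def validate_app_token(token: str, expected_tenant: str) -> tuple:
    """Resource-side check: refuse callers with no service principal in the tenant,
    rather than relying on every downstream validation being complete."""
    claims = decode_claims(token)
    if claims.get("tid") != expected_tenant:
        return False, "tenant mismatch"
    if "oid" not in claims:
        return False, "no oid: caller has no service principal in this tenant"
    if not claims.get("roles"):
        return False, "no application permissions granted"
    return True, "ok"


def _unsigned_jwt(claims: dict) -> str:
    # Constructed sample only (alg none, empty signature); never accept such a token in production.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


TENANT = "00000000-0000-0000-0000-000000000001"  # constructed tenant ID
APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed app (client) ID
# Constructed token shapes: the first mimics an SP-less token, the second a provisioned app.
SP_LESS_TOKEN = _unsigned_jwt({"aud": "api://example-resource", "tid": TENANT, "appid": APP_ID})
PROVISIONED_TOKEN = _unsigned_jwt({"aud": "api://example-resource", "tid": TENANT, "appid": APP_ID,
                                   "oid": "22222222-2222-2222-2222-222222222222", "roles": ["Data.Read"]})
```

Running `is_sp_less` over the access tokens an application presents gives the same signal as the sign-in log review, and `validate_app_token` is the resource-side validation that closes the gap the announcement describes.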
All ISVs are requested to notify customers about the deprecation and inform them to take proactive action.
You must act before March 31, 2026 to avoid authentication failure of applications.
If you identified traffic using service principal-less authentication between February 11th and March 11th, 2025, it will continue to work until March 2026. However, any traffic that wasn't detected during this period or any new traffic starting after March 11, 2025 will be blocked starting April 2025.
Shirling Xu
Product Manager, Core Authentication