Forum Discussion
SharePoint ACS Retirement – Guidance Needed for Migration to Azure AD / Graph or Better if Available
- Mar 29, 2026
1. Will existing ACS‑based integrations stop working after April 2026?
Yes.
App‑Only authentication using Azure Access Control Services (ACS) will be fully retired. This includes integrations that were registered via:
- /layouts/15/appregnew.aspx
- /layouts/15/appinv.aspx
- AllowAppOnlyPolicy="true"
- Token endpoint: https://accounts.accesscontrol.windows.net/{tenant-id}/tokens/OAuth/2
After retirement:
- Existing ACS App‑Only integrations will stop working
- Access tokens can no longer be issued
- AppInv.aspx trust model becomes unusable
- Runtime calls to SharePoint REST API will fail with HTTP 401 Unauthorized
This affects both new and existing implementations.
2. Recommended Modern Approach
You do NOT need to migrate to Microsoft Graph API if your current integration already uses SharePoint REST endpoints.
Microsoft supports the following modern authentication pattern:
- Azure AD App Registration
- OAuth 2.0 Client Credentials Flow
- SharePoint REST API
This allows you to continue using existing endpoints such as:
https://<org>.sharepoint.com/sites/<site>/_api/web/...
A migration to Microsoft Graph is optional and only recommended if:
- Cross‑workload integration is required
- No SharePoint‑specific functionality is needed
- Graph API coverage is sufficient for the scenario
For document upload / download scenarios in Business Central, continuing with SharePoint REST is typically the most appropriate option.
3. Can existing SharePoint REST API endpoints still be used?
Yes.
After switching to Azure AD authentication, existing REST API calls such as:
- File Upload
- File Download
- Folder Access
- Metadata Handling
can continue to use the existing:
_api/web/...
endpoints without functional changes.
Only the authentication mechanism changes.
4. Restricting Access to a Single SharePoint Site
In the ACS model, permissions were often granted tenant‑wide, for example:
Scope = http://sharepoint/content/sitecollection/tenant
Right = FullControl
With Azure AD App‑Only authentication, access can be restricted using the Microsoft Graph application permission:
Sites.Selected
Benefits:
- The application has no SharePoint access by default
- Access can be granted to specific site collections only
- No tenant‑wide FullControl permission is required
After assigning the Sites.Selected permission to the Azure AD application and granting admin consent, site‑specific access must be assigned once using Microsoft Graph.
Reference:
https://learn.microsoft.com/graph/api/site-post-permissions Grant application access to specific SharePoint sites
5. Token Generation Using Azure AD
Instead of requesting tokens from:
https://accounts.accesscontrol.windows.net
Business Central must now request tokens from:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Using:
- Grant Type: client_credentials
- Client ID
- Client Secret
- Scope: https://<tenant>.sharepoint.com/.default
Important:
When calling SharePoint REST API endpoints, the token scope must be:
https://<tenant>.sharepoint.com/.default
Using Microsoft Graph scope instead will result in an “Invalid audience” error when calling SharePoint REST APIs.
6. Migration Summary
| Current ACS Model | Future Azure AD Model |
|---|---|
| AppRegNew.aspx | Azure AD App Registration |
| AppInv.aspx | Sites.Selected Permission |
| ACS OAuth | Azure AD OAuth 2.0 |
| accounts.accesscontrol.windows.net | login.microsoftonline.com |
| Tenant FullControl | Site‑Scoped Access |
| SharePoint REST API | SharePoint REST API |
7. Official Microsoft Documentation
- https://learn.microsoft.com/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs Azure ACS Retirement Announcement
- https://learn.microsoft.com/sharepoint/dev/solution-guidance/security-apponly-azuread SharePoint App‑Only Authentication with Azure AD
- https://learn.microsoft.com/graph/permissions-reference#sitesselected Microsoft Graph Permission – Sites.Selected
- https://learn.microsoft.com/graph/api/site-post-permissions Grant Application Access to a SharePoint Site
Architectural Recommendation for Business Central
- Azure AD App Registration
- Sites.Selected Permission
- OAuth 2.0 Client Credentials Flow
- Continue using SharePoint REST API
This approach is fully supported and requires minimal change to existing AL‑based upload / download logic beyond the authentication layer.
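Added example (not part of the original post, and not Microsoft's code): a pre-flight check that decodes an Azure AD access token's claims and reports the two problems described in sections 4 and 5, a token whose audience is not the SharePoint host and tenant-wide roles where only site-scoped access was intended. It assumes the `aud` claim carries the resource URI and that application permissions appear in the `roles` claim; the tenant name, site URL and both tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit

# Tenant-wide application roles that defeat the point of Sites.Selected.
TENANT_WIDE_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All",
                     "Sites.Manage.All", "Sites.FullControl.All"}


def sharepoint_scope(site_url):
    """Derive the client-credentials scope for a SharePoint site URL."""
    return f"https://{urlsplit(site_url).hostname}/.default"


def jwt_claims(token):
    """Decode the payload segment only. No signature check: diagnostics, not auth."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token, site_url):
    """List problems that would surface later as a 401 or as over-privilege."""
    claims = jwt_claims(token)
    want = urlsplit(site_url).hostname.lower()
    aud = str(claims.get("aud", ""))
    got = (urlsplit(aud).hostname or aud).lower()  # assumption: aud is a resource URI
    problems = []
    if got != want:
        problems.append(f"audience {aud!r} is not {want}; request scope {sharepoint_scope(site_url)}")
    broad = sorted(set(claims.get("roles", [])) & TENANT_WIDE_ROLES)
    if broad:
        problems.append("tenant-wide roles present: " + ", ".join(broad))
    return problems


def _constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


SITE = "https://contoso.sharepoint.com/sites/finance"  # placeholder tenant and site
GOOD = _constructed_token({"aud": "https://contoso.sharepoint.com", "roles": ["Sites.Selected"]})
GRAPH = _constructed_token({"aud": "https://graph.microsoft.com", "roles": ["Sites.FullControl.All"]})

if __name__ == "__main__":
    for name, tok in (("sharepoint-scoped", GOOD), ("graph-scoped", GRAPH)):
        print(name, preflight(tok, SITE) or "ok")
```

Running the same check against the token an integration actually receives, before the first `_api/web/...` call, turns an opaque 401 into a specific finding.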
Thanks, that's a big help.