SharePoint ACS Retirement – Guidance Needed for Migration to Azure AD / Graph or Better if Available

1. Will existing ACS‑based integrations stop working after April 2026?

Yes.

App‑Only authentication using Azure Access Control Services (ACS) will be fully retired. This includes integrations that were registered via:

• /layouts/15/appregnew.aspx
• /layouts/15/appinv.aspx
• AllowAppOnlyPolicy="true"
• Token endpoint: https://accounts.accesscontrol.windows.net/{tenant-id}/tokens/OAuth/2

After retirement:

• Existing ACS App‑Only integrations will stop working
• Access tokens can no longer be issued
• AppInv.aspx trust model becomes unusable
• Runtime calls to SharePoint REST API will fail with HTTP 401 Unauthorized

This affects both new and existing implementations.

2. Recommended Modern Approach

You do NOT need to migrate to Microsoft Graph API if your current integration already uses SharePoint REST endpoints.

Microsoft supports the following modern authentication pattern:

• Azure AD App Registration
• OAuth 2.0 Client Credentials Flow
• SharePoint REST API

This allows you to continue using existing endpoints such as:

https://<org>.sharepoint.com/sites/<site>/_api/web/...

A migration to Microsoft Graph is optional and only recommended if:

• Cross‑workload integration is required
• No SharePoint‑specific functionality is needed
• Graph API coverage is sufficient for the scenario

For document upload / download scenarios in Business Central, continuing with SharePoint REST is typically the most appropriate option.

3. Can existing SharePoint REST API endpoints still be used?

Yes.

After switching to Azure AD authentication, existing REST API calls such as:

• File Upload
• File Download
• Folder Access
• Metadata Handling

can continue to use the existing:

_api/web/...

endpoints without functional changes.

Only the authentication mechanism changes.

4. Restricting Access to a Single SharePoint Site

In the ACS model, permissions were often granted tenant‑wide, for example:

Scope = http://sharepoint/content/sitecollection/tenant
Right = FullControl

With Azure AD App‑Only authentication, access can be restricted using the Microsoft Graph application permission:

Sites.Selected

Benefits:

• The application has no SharePoint access by default
• Access can be granted to specific site collections only
• No tenant‑wide FullControl permission is required

After assigning the Sites.Selected permission to the Azure AD application and granting admin consent, site‑specific access must be assigned once using Microsoft Graph.

Reference:

https://learn.microsoft.com/graph/api/site-post-permissionsGrant application access to specific SharePoint sites

5. Token Generation Using Azure AD

Instead of requesting tokens from:

https://accounts.accesscontrol.windows.net

Business Central must now request tokens from:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

Using:

• Grant Type: client_credentials
• Client ID
• Client Secret
• Scope: https://<tenant>.sharepoint.com/.default

Important:

When calling SharePoint REST API endpoints, the token scope must be:

https://<tenant>.sharepoint.com/.default

Using Microsoft Graph scope instead will result in an “Invalid audience” error when calling SharePoint REST APIs.

6. Migration Summary

7. Official Microsoft Documentation

• https://learn.microsoft.com/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs Azure ACS Retirement Announcement
• https://learn.microsoft.com/sharepoint/dev/solution-guidance/security-apponly-azuread SharePoint App‑Only Authentication with Azure AD
• https://learn.microsoft.com/graph/permissions-reference#sitesselected Microsoft Graph Permission – Sites.Selected
• https://learn.microsoft.com/graph/api/site-post-permissions Grant Application Access to a SharePoint Site

Architectural Recommendation for Business Central

• Azure AD App Registration
• Sites.Selected Permission
• OAuth 2.0 Client Credentials Flow
• Continue using SharePoint REST API

This approach is fully supported and requires minimal change to existing AL‑based upload / download logic beyond the authentication layer.