Starting March 2026, Microsoft Entra ID will no longer support SP-less authentication behavior.
Starting March 31, 2026, Microsoft Entra ID will no longer support service principal-less authentication behavior. This change aims to strengthen security in Microsoft Entra ID by ensuring that all applications active in a tenant have an associated service principal.
All applications making service principal-less authentication requests in a tenant will be impacted unless action is taken by March 31, 2026.
Learn more about required actions: Retire Service Principal-Less Authentication - Microsoft identity platform | Microsoft Learn
What’s changing in August 2025
In April 2025, we froze most resource apps accessed by service principal-less client apps where the client app home tenant and resource tenant matched. We allowed traffic if it was observed between February 11 and March 11, 2025, which will continue to work until March 2026. However, any traffic that was not identified during this period or new traffic after March 11 for these resource apps was blocked starting April 2025.
During the April 2025 freeze, we made significant progress in improving the security of app access. In August 2025, we plan to perform another freeze for client apps accessing three Microsoft resources (EXO, AAD Graph, and ARM) and six third-party resource apps. We will observe traffic between July 7 and July 21, 2025 to determine which apps to continue allowing until March 2026. Client apps that make more than one request per day on average will continue to work until April 2025 as noted in this blog. Client apps making fewer than one request per day on average will be notified during the week of July 21 and will have a month to register a service principal. If no action is taken, the app will be excluded from the list of apps allowed to continue working until the retirement date.
Timeline
- July 7-21, 2025: Traffic for July 2025 freeze is observed.
- July 21, 2025: Client apps with low-volume traffic will be identified and notified.
- August 22, 2025: Freeze enforcement begins. Client apps with high-volume traffic will be allowed to continue working until March 2026. Those with low-volume traffic will be blocked.
- March 31, 2026: All client apps without a service principal will be blocked, including the ones previously allowed to continue working.
What happens to service principal-less authentication after March 31, 2026?
Microsoft Entra ID will block authentication for multi-tenant applications that are currently able to authenticate without an enterprise application registration in tenants. This behavior has already been blocked for most resources, but we’re now addressing a few remaining exceptions. This scenario is also known as service principal-less authentication and is a preventive security measure. Service principal-less authentication issues tokens without permissions and without an object identifier (object ID).
Why we’re making these changes
We’re deprecating service principal-less authentication behavior by making a client service principal a requirement for all applications, improving our “Security by default” posture (see authentication behaviors). Service principal-less authentication can be abused if resource applications, such as APIs, perform incomplete validations. Microsoft has verified that its own validations are not vulnerable to service principal-less authentication. However, this action minimizes the risk of the gap re-appearing in future versions or being exploited in third-party resources outside Microsoft’s control.
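The "incomplete validation" risk described above is easiest to see from the resource API's side. The following added example (not Microsoft's code) shows the claim checks a resource API should perform after signature verification; the audience, tenant ID and token payloads are constructed, and the check on `oid` and `roles` is what rejects a token issued without a service principal.

```python
# Added example (not Microsoft's code): complete claim validation for a resource API.
# Service principal-less tokens are issued without an object ID (oid) and without
# permissions, so an API that only checks issuer/audience/signature would accept them.
# Signature verification is assumed to have already happened; payloads are constructed.
from typing import Any, Mapping

EXPECTED_AUDIENCE = "api://contoso-inventory"  # assumed resource identifier
EXPECTED_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
TRUSTED_TENANTS = {"11111111-1111-1111-1111-111111111111"}  # constructed tenant ID


def validate_app_token(claims: Mapping[str, Any], required_role: str) -> tuple[bool, str]:
    """Return (accepted, reason). Reject any token lacking a caller identity or permission."""
    tid = claims.get("tid")
    if tid not in TRUSTED_TENANTS:
        return False, "untrusted or missing tenant"
    if claims.get("iss") != EXPECTED_ISSUER_TEMPLATE.format(tid=tid):
        return False, "issuer does not match tenant"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    # No oid means no service principal object behind the caller in this tenant:
    # this is exactly what service principal-less authentication produces.
    if not claims.get("oid"):
        return False, "no object ID: caller has no service principal in tenant"
    # Application permissions are carried in 'roles'; SP-less tokens carry none.
    roles = claims.get("roles") or []
    if required_role not in roles:
        return False, f"missing required app role {required_role!r}"
    return True, "ok"


# Constructed payloads; a real token would also carry exp/nbf/iat, omitted here.
TOKEN_WITH_SP = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "aud": "api://contoso-inventory",
    "tid": "11111111-1111-1111-1111-111111111111",
    "azp": "22222222-2222-2222-2222-222222222222",  # client app ID
    "oid": "33333333-3333-3333-3333-333333333333",  # service principal object ID
    "roles": ["Inventory.Read.All"],
}
# Same client, but no service principal in the tenant: no oid and no roles.
TOKEN_SP_LESS = {k: v for k, v in TOKEN_WITH_SP.items() if k not in ("oid", "roles")}

if __name__ == "__main__":
    for label, tok in (("registered SP", TOKEN_WITH_SP), ("SP-less", TOKEN_SP_LESS)):
        print(label, validate_app_token(tok, "Inventory.Read.All"))
```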
Additionally, by enforcing the requirement that applications must be registered in every tenant where they authenticate, we’re reinforcing tenant administrators’ governance of all access, including the ability to write Conditional Access policies for these applications.
Required action
For the August 2025 freeze, tenant administrators whose low-volume client apps will not be allowed to continue working will receive email communication. They should register a service principal for the identified application(s) before August 22, 2025.
Tenant administrators can identify impacted applications, register a service principal, and verify the changes they made on their own. Tenant administrators should use sign-in logs to identify impacted applications by following the steps in the "Service principal-less authentication mitigation" document. All ISVs are requested to notify customers about the retirement and inform them to take proactive action.
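As an added illustration of the sign-in log triage described above (not Microsoft's tooling or the steps of the mitigation document), the following script groups service principal-less sign-ins from an exported log by application and applies the blog's July 7-21 observation window and one-request-per-day threshold. The record field names follow the Microsoft Graph sign-in resource and are an assumption; the records are constructed.

```python
# Added example (not Microsoft's code): triage exported sign-in records for service
# principal-less sign-ins. Field names (servicePrincipalId, appId, appDisplayName,
# resourceDisplayName, createdDateTime) are assumed from the Graph signIn resource;
# the records below are constructed, not real log data.
from collections import defaultdict
from datetime import date, datetime

# Observation window and volume threshold stated in the blog for the August 2025 freeze.
WINDOW_START, WINDOW_END = date(2025, 7, 7), date(2025, 7, 21)
WINDOW_DAYS = (WINDOW_END - WINDOW_START).days + 1  # 15 days, inclusive


def _rec(ts, app_id, name, sp_id="", resource="Office 365 Exchange Online"):
    """Build one constructed sign-in record; empty sp_id marks an SP-less token."""
    return {"createdDateTime": ts, "appId": app_id, "appDisplayName": name,
            "servicePrincipalId": sp_id, "resourceDisplayName": resource}


SAMPLE_SIGNINS = (
    [_rec(f"2025-07-{d:02d}T09:00:00Z", "app-nightly", "Nightly Sync") for d in range(7, 22)]
    + [_rec(f"2025-07-{d:02d}T21:00:00Z", "app-nightly", "Nightly Sync") for d in range(7, 22, 3)]
    + [_rec(f"2025-07-{d:02d}T10:00:00Z", "app-report", "Legacy Report") for d in (10, 14, 18)]
    + [_rec("2025-07-03T10:00:00Z", "app-report", "Legacy Report")]  # before the window
    + [_rec("2025-07-12T08:00:00Z", "app-ok", "Registered App", sp_id="44444444-4444-4444-4444-444444444444")]
)


def spless_signins(records):
    """Yield records whose token carried no service principal (empty servicePrincipalId)."""
    for r in records:
        if not r.get("servicePrincipalId"):
            yield r


def classify_apps(records, window_days=WINDOW_DAYS):
    """Count SP-less sign-ins per appId inside the window; >1 request/day is 'high' volume."""
    counts, names = defaultdict(int), {}
    for r in spless_signins(records):
        day = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")).date()
        if WINDOW_START <= day <= WINDOW_END:
            counts[r["appId"]] += 1
            names[r["appId"]] = r["appDisplayName"]
    return {app: {"name": names[app], "requests": n, "per_day": round(n / window_days, 2),
                  "volume": "high" if n / window_days > 1 else "low"}
            for app, n in counts.items()}


if __name__ == "__main__":
    for app, info in classify_apps(SAMPLE_SIGNINS).items():
        print(app, info)
```

Apps labelled "low" are the ones the blog says will be notified and given a month to register a service principal; every app listed needs one before March 31, 2026.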
Tenant administrators must act before March 31, 2026 to avoid authentication failure of applications. Starting March 2026, all applications without a service principal will be blocked, including the ones previously allowed to continue working.
Shirling Xu
Product Manager, Core Authentication