Microsoft SharePoint Blog

Azure ACS retirement in Microsoft 365

BertJansen (Microsoft)
Nov 27, 2023

 

Microsoft strives to deliver utmost value to our customers through modern, optimized, secure solutions in this newly evolved world focused on digital transformation. As part of this evolution of Microsoft 365 solutions, we will be retiring the use of Azure ACS (Access Control Services) for SharePoint Online authentication needs. We believe Microsoft 365 customers will be better served by the modern authentication offered via Microsoft Entra ID.

 

 

Azure ACS will stop working for new tenants as of November 1st, 2024. For existing tenants it will stop working and be fully retired as of April 2nd, 2026. This applies to all environments, including Government Clouds and Department of Defense.

 

If you are using custom-developed applications or SharePoint provider-hosted Add-Ins, we recommend switching those applications to use Microsoft Entra ID for authorization and authentication needs. SharePoint Add-Ins are being retired in line with the Azure ACS retirement; check out this support article for more information. There will not be an option to extend using Azure ACS with SharePoint Online beyond April 2nd, 2026.

 

To learn more about how to migrate Azure ACS usage for SharePoint Online and how to migrate SharePoint Add-Ins to alternative solutions, check out these articles and accompanying videos.

 

Overview

 

Azure ACS usage in SharePoint Online


Azure ACS is used in SharePoint Online to provide auth for provider-hosted SharePoint Add-Ins, and to grant applications access to SharePoint Online, optionally using application permissions and granular scopes.

 

To learn more about the provider-hosted Add-In use case, please check out the respective retirement articles. Granting applications access to SharePoint Online will need to be transitioned to Microsoft Entra ID.

 

Azure ACS usage by SharePoint Server


SharePoint Server running on-premises can, if configured by the farm admins, depend on Azure ACS for hybrid scenarios (e.g. hybrid search) and low-trust auth for custom applications. However, the retirement of Azure ACS does not impact any of the SharePoint on-premises use cases, and no action is required from SharePoint on-premises farm admins.

 

Azure ACS usage by Project Online


Project Online is an extension on top of SharePoint Online, and Project Online custom developments could also have used Azure ACS. The retirement of Azure ACS applies to Project Online as well: any Azure ACS usage in Project Online will follow the same retirement path as Azure ACS usage in SharePoint Online.

 

Call to Action Guidance

 

Microsoft 365 Assessment tool


To understand whether your organization is using Azure ACS, or to begin planning the transition to Microsoft Entra ID, we recommend that customers run the Microsoft 365 Assessment tool to scan their tenants for Azure ACS usage. Using the Power BI Azure ACS Report generated by the scanner tool, you can:


• Identify all used Azure ACS application principals with their key properties such as permission scopes and whether app-only was allowed or not
• For each identified Azure ACS application principal see a list of all sites that can be accessed via the Azure ACS application principal

 

Using the Azure ACS Report along with site information, tenant administrators together with developers can plan the transition from Azure ACS to Microsoft Entra ID as the authentication model.

 

Turn off the use of Azure ACS on your tenant


We recommend that tenant admins turn off Azure ACS app-only access once they have ensured there is no business-relevant Azure ACS usage anymore. The assessment tool should give administrators the usage information to understand where and when Azure ACS principals are being used.

 

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -DisableCustomAppAuthentication $true

 

This setting will not impact the Azure ACS usage by SharePoint provider-hosted Add-Ins. You can use the same command to re-enable Azure ACS app-only access if required.

 

How do I get help?


You can use the following services and partner programs to help with your migration from SharePoint Azure ACS:


• Microsoft Solution Provider
• Help on SharePoint Assessment tool: Open a support ticket

 

More information


Friendly link to the blog post: https://aka.ms/retirement/acs/update

Friendly link to this article: https://aka.ms/retirement/acs/support

Friendly link to the Frequently Asked Questions: https://aka.ms/retirement/acs/faq 

Friendly link to SharePoint Add-In retirement article: https://aka.ms/retirement/addins/support

Friendly link to Migration Guidance: https://aka.ms/retirement/acs/guidance

 

A Message Center post in the Microsoft 365 admin center is being sent to all tenants, and the post will be updated periodically with timelines.

Updated Dec 09, 2023
Version 2.0
  • lightupdifire: no, using appinv.aspx and appregnew.aspx will go away; you'll have to create the app via Entra and also permission the app using Entra.

  • lightupdifire
    Brass Contributor

    Hello,

    Just to confirm, as understood, we won't be able to create a new SharePoint Online App-Only API.

     

    But the Permission grant, this section will still work?

    So, can we register the Entra ID API, and then add it to "_layouts/15/appinv.aspx"?

  • fabian84
    Copper Contributor

    Hi BertJansen,
    I am assuming the endpoint '/_layouts/15/AppRedirect.aspx' will also be removed / is part of the deprecation?

    Is there somewhere a technical list of endpoints / details which are deprecated?

     

    The following are just some detail questions to more easily check my applications for ACS usage or artefacts:

     

    1. Any JWT issued with an "iss" (issuer) claim that starts with `00000001-0000-0000-c000-000000000000@` will be deprecated?

    2. Any code which contains handling of Form parameters `SPAppToken`, `SPSiteUrl`, `SPRedirectMessage` and so on is likely SharePoint ACS authentication code?

     

    Thanks
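
The two checks asked about in the comment above, written as a small inventory helper (an added example, not code from the post or from Microsoft): it flags JWTs whose unverified "iss" claim starts with the quoted prefix, and source lines that reference the form parameters and pages named in the comments. The realm GUID, the sample token builder and the sample source are constructed, and the marker list is a heuristic taken from the comments, not a confirmed list of deprecated endpoints.

```python
import base64
import json
import re

# Issuer prefix and form-parameter / page names quoted in the comments above.
ACS_ISSUER_PREFIX = "00000001-0000-0000-c000-000000000000@"
ACS_MARKERS = ("SPAppToken", "SPSiteUrl", "SPRedirectMessage",
               "AppRedirect.aspx", "appinv.aspx", "appregnew.aspx")
_MARKER_RE = re.compile("|".join(re.escape(m) for m in ACS_MARKERS), re.IGNORECASE)

# Constructed sample data (not real tenant values or real application code).
SAMPLE_REALM = "11111111-2222-3333-4444-555555555555"
SAMPLE_SOURCE = '''string token = Request.Form["SPAppToken"];
string host = Request.QueryString["SPHostUrl"];
string site = Request.Form["SPSiteUrl"];
'''

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_issuer(token):
    """Return the unverified "iss" claim of a JWT, or None if it cannot be parsed."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None

def is_acs_issued(token):
    """True when the token's issuer starts with the ACS prefix quoted above."""
    iss = jwt_issuer(token)
    return iss is not None and iss.lower().startswith(ACS_ISSUER_PREFIX)

def scan_source(text):
    """Return (line_number, marker) pairs for ACS-related names found in source text."""
    canonical = {m.lower(): m for m in ACS_MARKERS}
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _MARKER_RE.finditer(line):
            hits.append((number, canonical[match.group(0).lower()]))
    return hits

def make_sample_jwt(issuer):
    """Build an unsigned, constructed JWT for demonstration (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"iss": issuer}), "sig"])
```

The issuer check reads the claim without verifying the signature, so it is suitable for inventorying captured tokens and logs, not for making trust decisions.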