Azure ACS retirement. How to prepare your tenant. Guide for SharePoint Admins.

Leave a reply

Since Microsoft announced EOL of ACS in 2026, we as SharePoint administrators must be prepared, as it is a really big deal – entire era of SharePoint app-only service principals will gone. SharePoint developers used this kind of authentication since 2013 to build their solutions. And when it comes to software development – it always takes time. Imaging all the code that was designed since 2013 needs to be reviewed and re-written to adopt changes. So it is critical that we should take measures now to avoid huge problems in April 2026.

Recommended transition tactics

For developers

  • Prioritizing using Microsoft Graph API.
  • In cases Graph API does not provide required functionality – it’s ok to use SharePoint API, but please ensure certificate is used (not secret).

For SharePoint admins

High-level recommended steps are:

  • Encourage users registering applications in Azure (not in SharePoint)
  • Disable ability for site owners register service principals in SharePoint via appregnew.aspx
    Your users will start seeing “Your SharePoint tenant admin doesn’t allow site collection admins…” message (see details), but that’s ok.
  • Create a process so users can request permissions to SharePoint sites for their Azure-Registered Apps. Provide Sites.Selected permissions by default. Consider automation.
    In rare cases when 3-rd party apps require legacy ACS-based permissions, it would be you (SharePoint service admin) who will provide ACS-based access to sites.
    Track this activity (so you know for whom this ACS-based permissions were provided).
    Inform every developer that ACS will be gone.
  • Keep audit logs
    Starting today and until it’s over you’d get audit logs from Microsoft 365 purview center – consider selecting all events anyone visited appinv.aspx page.
  • In March-April 2025 (1 year before) ACS EOL, start notifying developers who use ACS.
    You can get list of developers combining
    – audit log data
    – report from Entra Id on apps owners
  • In advance ( let say, starting September 2025) you can try to temporary switch off ACS (“scream test”).

Detailed steps:

Encourage users registering applications in Azure (not in SharePoint)

Pro’s for App Registered in Entra Id (vs SharePoint Apps-only service principals – apps registered in SharePoint with AppRegNew.aspx) :

  • Support authentication with client secret and/or certificate, custom expiration time
  • Support both – classic SharePoint REST API and CSOM and Microsoft Graph API

Disable registering service principals in SharePoint

Disable ability for site owners register service principals in SharePoint via appregnew.aspx with Set-SPOTenant PowerShell cmdlet

Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $false
When the value is set to false, the service principal can only be created or updated by the SharePoint tenant admin. Your users will start seeing “Your SharePoint tenant admin doesn’t allow site collection admins…” message (see details), but that’s ok.

tbc

References

Leave a Reply

Your email address will not be published. Required fields are marked *