Share via

ACS Retirement and SharePoint App Permissions‎ impact

LAHOUAZI Ferhat 20 Reputation points
2026-03-13T17:20:43.0133333+00:00

Dear all

We recently came across a Microsoft note mentioning the retirement of Azure Access Control Service (ACS) for SharePoint and referencing the following scenarios:

• Apps that were registered in SharePoint via AppRegNew.aspx (also known as SharePoint app-only service principals) and granted permissions in SharePoint via AppInv.aspx

• Apps that were registered in Azure (Entra ID) and granted permissions in SharePoint via AppInv.aspx

Based on this information, we understand that Microsoft plans to remove ACS-based authentication as well as the related pages appprincipals.aspx, AppRegNew.aspx and AppInv.aspx in SharePoint.

Could you please confirm whether this information is correct? We would also like clarification on the following points:

  1. Will the existing access for applications already configured and visible in /_layouts/15/appprincipals.aspx continue to work after this change?
  2. If so, does this mean that only new applications configured after early April will be blocked, while existing ones will remain functional?

Currently, in our environment: 

    • We are using App Registrations created manually in Entra ID 
    • These applications have Application permissions with Sites.Selected API permissions 
   • Permissions on SharePoint sites were granted using AppInv.aspx

Given this setup, will our applications be impacted by the ACS retirement?

If yes: • What is the supported method or workaround going forward to grant application permissions to specific SharePoint sites?

is theses command are still working and will not déprecated after 2 april : Grant-PnPAzureADAppSitePermission -Site "<PII removed> " -AppId "<PII remmoved>" -DisplayName "<PII removed>" -Permissions "Write"

New-MgSitePermission -SiteId $site.Id -BodyParameter $params

What confuses me is that when I run these two commands, the access granted through these PnP or MgGraph commands appears on the page: /_layouts/15/appprincipals.aspx.

Thank you in advance for your clarification.

Microsoft 365 and Office | SharePoint | Development
0 comments
Answer accepted by question author
  1. Teddie-D 13,285 Reputation points Microsoft External Staff Moderator
    2026-03-14T01:31:36.3+00:00

    Hi @LAHOUAZI Ferhat 

    Thank you for posting your question in the Microsoft Q&A forum. 

    Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data. 

    Microsoft has confirmed that Azure Access Control Service (ACS) for SharePoint Online will be fully retired on April 2, 2026, with no extension. After this date, any ACS‑based access will stop working.  

    ACS includes scenarios such as: 

    -Apps registered via AppRegNew.aspx 

    -Permissions granted via AppInv.aspx 

    -SharePoint Add-in / App-only model using client ID + secret issued by ACS 

    You mentioned:  

    -App created in Microsoft Entra ID > Supported 

    -Permission: Sites.Selected > Supported 

    -Site permissions granted using AppInv.aspx > Legacy method 

    This is a mixed configuration. Even if an application is registered in Microsoft Entra ID, site permissions granted through AppInv.aspx rely on the legacy SharePoint Add‑In / ACS permission model, which Microsoft has announced will stop working after April 2, 2026. 

    Microsoft’s only supported model going forward is: 

    -App Registration in Entra ID  

    -Application permissions with Sites.Selected (granular, site‑scoped) 

    -Grant site permission using:  

    • Microsoft Graph  
    • PnP PowerShell  

    -Certificate‑based authentication 

    The following commands are part of this modern, supported model and are not deprecated:

    • Grant-PnPAzureADAppSitePermission
    • New-MgSitePermission

    Although permissions granted using these methods may still appear on /_layouts/15/appprincipals.aspx, this page is not limited to ACS‑based apps. It serves as a visualization layer for all application principals with site permissions, including those granted via the modern Graph‑based authorization model. Therefore, seeing an application listed on appprincipals.aspx does not imply that ACS authentication is being used.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.