SharePoint online - Clarification on ACS Policy Expiry and Existing Client IDs

Monika V 90 Reputation points
2026-03-25T16:57:37.8266667+00:00

Hi Team,

I understand that the ACS policy is going to expire on April 2.

I have a question regarding existing configurations. We currently have a client ID whose client secret is valid until January next year.

With the ACS deprecation, will this existing client ID continue to work until its expiry, or will it stop working after April 2 regardless of its validity?

Could you please confirm the impact and recommended approach going forward?

Microsoft 365 and Office | SharePoint | Development

Answer accepted by question author
  1. Q&A Assist
    2026-03-25T16:57:52.3266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Azure ACS for SharePoint Online will stop working for all tenants on April 2, 2026, regardless of any individual client secret or app principal expiry dates.

    So in the scenario described:

    • The existing ACS-based client ID and its client secret will not continue to work beyond April 2, 2026, even if the secret itself is valid until January 2027 or later.
    • ACS principals also have their own default lifetime (2 years), but that does not override the global retirement date. After April 2, 2026, ACS-based auth to SharePoint Online is no longer available.

    Impact:

    • Any SharePoint Online solution (including provider-hosted SharePoint Add-Ins and ACS app-only principals) that relies on Azure ACS will fail to authenticate after April 2, 2026.
    • SharePoint Add-Ins in SharePoint Online are also fully retired on April 2, 2026; they cannot be installed or used after that date.

    Recommended approach going forward:

    1. Plan to replace ACS-based auth now
      • Migrate from Azure ACS app-only or SharePoint Add-In auth to Microsoft Entra ID application permissions for accessing SharePoint Online.
      • For app-only access, use the Entra ID app-only model described in the modern guidance instead of ACS app-only.
    2. Modernize SharePoint Add-Ins
      • If using SharePoint Add-Ins (especially provider-hosted), plan to modernize to SharePoint Framework (SPFx) or other supported patterns before April 2, 2026.
    3. Optionally disable ACS earlier
      • As a best practice, once all business-critical ACS usage is migrated, tenant admins can disable Azure ACS app-only access for the tenant so no remaining ACS principals can be used.
    4. Short-term maintenance only if absolutely needed
      • If ACS must still be used during the transition period, client secrets can still be renewed following the documented process, but this should be treated as temporary and only until the global retirement date.
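
An added example, not part of the original answer or of Microsoft's guidance: one way to inventory which integrations still obtain ACS-issued tokens, by decoding each access token's `iss` claim. It assumes ACS tokens carry an issuer of the form `00000001-0000-0000-c000-000000000000@<tenant-id>` and Entra ID tokens an issuer under `https://sts.windows.net/` or `https://login.microsoftonline.com/`; the integration names, tenant ID and tokens are constructed samples.

```python
import base64
import json

# Assumption: ACS-issued tokens name the ACS principal as issuer, "<id>@<tenant>".
ACS_PRINCIPAL_ID = "00000001-0000-0000-c000-000000000000"
# Assumption: Entra ID issuers start with one of these prefixes (v1 / v2 tokens).
ENTRA_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it: inventory use only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token(token):
    """Return 'acs', 'entra', 'unknown' or 'unparseable' for one access token."""
    try:
        iss = str(jwt_claims(token).get("iss", "")).lower()
    except (ValueError, AttributeError):  # bad base64/JSON, or payload is not an object
        return "unparseable"
    if iss.startswith(ACS_PRINCIPAL_ID + "@"):
        return "acs"
    if iss.startswith(ENTRA_ISSUER_PREFIXES):
        return "entra"
    return "unknown"


def unsigned_sample(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
SAMPLES = {  # constructed integration names and tokens
    "legacy-sync-job": unsigned_sample({"iss": f"{ACS_PRINCIPAL_ID}@{TENANT}"}),
    "reporting-app": unsigned_sample({"iss": f"https://sts.windows.net/{TENANT}/"}),
    "broken-config": "not-a-token",
}


def inventory(tokens):
    """Map each integration name to the issuer family of the token it obtained."""
    return {name: classify_token(tok) for name, tok in tokens.items()}
```

Any integration reported as `acs` depends on the retired service whatever its client secret's expiry date; access tokens are credentials, so run this only where the tokens are already handled.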


2 additional answers

  1. Monika V 90 Reputation points
    2026-03-26T17:28:54.6333333+00:00

    Hi Team,

    I understand that SharePoint ACS (Access Control Services) is being retired starting April 2.

    Currently, we are using SharePoint CSOM with username and password authentication (SharePointOnlineCredentials), and MFA is disabled for the account.

    Could you please confirm:

    1. Will CSOM authentication using SharePointOnlineCredentials continue to work after the ACS retirement?

  2. Teddie-D 13,285 Reputation points Microsoft External Staff Moderator
    2026-03-25T23:41:57.3833333+00:00

    Hi @Monika V 

    Azure ACS–based authentication for SharePoint Online will be fully retired on April 2, 2026. After this date, any ACS-based client IDs will stop working, even if their client secrets are valid beyond that point.  

    This retirement impacts all solutions that rely on ACS, including:  

    - App-only principals created via appregnew.aspx / appinv.aspx
    - Provider-hosted SharePoint Add-ins
    - ACS-based CSOM or REST access

    After April 2, 2026, ACS authentication will no longer function, and there will be no option to extend ACS usage in SharePoint Online. 

    To avoid service disruption, you should migrate your solutions to Microsoft Entra ID–based authentication as soon as possible. Please review the guidance for migrating from Azure ACS to Microsoft Entra ID.

    For more details, please refer to the official announcement in the Microsoft 365 admin center Message Center, if you have access: MC693863 

    I hope this information is helpful. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

