Share via

SharePoint online - Clarification on ACS Policy Expiry and Existing Client IDs

Monika V 90 Reputation points
2026-03-26T17:38:19.0433333+00:00

I understand that SharePoint ACS (Access Control Services) is being retired starting April 2. Currently, we are using SharePoint CSOM with username and password authentication (SharePointOnlineCredentials), and MFA is disabled for the account. Could you please confirm the following: Will CSOM authentication using SharePointOnlineCredentials continue to work after the ACS retirement?

Microsoft 365 and Office | SharePoint | Development
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hani-Ng 9,345 Reputation points Microsoft External Staff Moderator
    2026-03-26T23:55:50.6433333+00:00

    Hi Monika V

    The ACS retirement does not affect SharePointOnlineCredentials. However, please see the important distinction and documentation below:

    While the ACS retirement won't stop it, the SharePointOnlineCredentials class relies on Legacy Authentication (Basic Auth). Microsoft is actively blocking Legacy Authentication across all tenants to improve security.

    If your tenant enables Security Defaults or Conditional Access policies, SharePointOnlineCredentials will stop working immediately because it cannot handle Multi-Factor Authentication (MFA) or Modern Auth challenges. Microsoft is progressively disabling Basic Auth for protocols across the ecosystem.

    Even though SharePointOnlineCredentials is not tied to the ACS date, it is considered an obsolete and insecure pattern.

    You should migrate this code to use Modern Authentication (OAuth 2.0) via Microsoft Entra ID.

    I hope this information helps.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Q&A Assist
    2026-03-26T17:38:31.0766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Azure ACS for SharePoint Online will stop working for all tenants on April 2, 2026, regardless of any individual client secret or principal expiry dates.

    So for the existing client ID and secret:

    • It can continue to work only until April 2, 2026, provided the secret itself has not expired earlier.
    • After April 2, 2026, all Azure ACS-based principals (including those created via AppRegNew.aspx) will stop working even if their secrets are still valid.

    There is no option to extend Azure ACS usage for SharePoint Online beyond that date.

    Recommended approach going forward:

    1. Plan to migrate away from Azure ACS for SharePoint Online access.
    2. For app-only or unattended access, move to the Microsoft Entra ID application permissions model as the modern, supported approach: see Granting access via Entra ID App-Only.
    3. For SharePoint customization/extensibility, move from SharePoint Add-Ins to SharePoint Framework (SPFx), which is the primary replacement and not impacted by the ACS/Add-In retirement.
    4. After migration and once no business-critical ACS usage remains, tenant admins should turn off Azure ACS app-only access for the tenant as recommended in the retirement guidance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.