Microsoft Retires Legacy SharePoint Add-in Model and Azure ACS Authentication

Three enterprise SharePoint products went dark simultaneously when Microsoft pulled the plug on Azure Access Control Service authentication on April 2, 2026, capping a 13-year run for a token-based authorization model that has quietly underpinned thousands of corporate intranets, HR portals, and procurement workflows since its SharePoint debut in 2013.

SharePoint Sapiens confirmed that all customers still running the legacy add-in version of its Event Management, Employee Training Management, and Calendar Email Extension products experienced immediate outages the moment Microsoft disabled ACS. Administrators saw the platform's signature failure mode: a broken backend settings page and an error reading "The SharePoint Sapiens app is unable to send emails," both signaling that the app was still bound to now-dead add-in authentication. For those organizations, access failures were instant and irreversible under the old model.

The retirement covered more ground than many IT teams anticipated. April 2 was not only the end of ACS token issuance but also the full retirement of the SharePoint Add-in model itself, meaning that even provider-hosted add-ins that had successfully migrated to Microsoft Entra ID authentication could no longer operate via the Add-in framework after that date. Microsoft had formally deprecated the Add-in model in SharePoint Online on November 27, 2023, and issued separate Message Center notices for the ACS retirement (MC693863) and the Add-in framework retirement (MC693865), giving organizations just over two years to act. New tenants were blocked from using ACS starting November 1, 2024, a signal that Microsoft intended the April 2 cutoff to be absolute. Microsoft Q&A community posts confirmed there would be no reprieve: "There is no option to extend Azure ACS usage for SharePoint Online beyond that date," even for ACS principals whose secrets had not yet technically expired.

The security calculus behind Microsoft's decision is stark. Microsoft reported that over 97% of credential-stuffing attacks exploit legacy authentication, and over 99% of password-spray attacks do as well, making the elimination of ACS and its contemporaries a core plank of the company's cloud security posture rather than a routine deprecation.

SharePoint 2013 workflows carried their own silent dependency on ACS and ceased functioning after April 2. Microsoft's designated migration path for those workflows is Power Automate. For the broader Add-in model, the official replacement is SharePoint Framework (SPFx), which continues to be fully supported and was the target platform Microsoft had been pointing vendors toward for years.

Vendors that treated the two-year deprecation window as an actual deadline reported clean outcomes. Virto Software confirmed its products were unaffected. Beyond Intranet had already moved its Employee Directory Software to SPFx ahead of the cutoff. Zensai, the company behind Learn365, completed its Entra ID migration as of version 3.53, released October 14, 2024, ensuring all customers transitioned well before the hard stop.

The remediation path for organizations still scrambling runs through the Microsoft 365 Assessment tool and Power BI reports to locate surviving ACS app registrations, followed by re-registration using certificate-based or Entra ID-based authentication. SharePoint on-premises deployments are outside the retirement scope and continue to run through a local app catalog, though acquiring new add-ins from the public SharePoint Store has also been discontinued.

April 2 does not close the authentication modernization chapter at Microsoft. The IDCRL (Identity Client Runtime Library) protocol faces its own retirement for SharePoint Online and OneDrive for Business on May 1, 2026, with default blocking already underway since February 16, 2026, under Message Center notice MC1184649. Organizations that treated the ACS deadline as their only migration milestone now face a second countdown with less than a month remaining.