SharePoint Add-in Authentication and Retirement Options — when and how should I migrate?
Decide whether to migrate surviving external SharePoint Online integration patterns to Microsoft Entra ID or retire and rebuild solutions that depended on the now-retired SharePoint Add-in model, now that Azure ACS stopped working for existing tenants on April 2, 2026.
Blockers
- capability/azure-acs-authentication — EOL 2026-04-02
- capability/sharepoint-add-in-model — EOL 2026-04-02
- Microsoft describes Entra ID applications as the supported replacement for ACS auth patterns.
- Remote event receivers registered with ACS stop working after April 2, 2026.
- Microsoft recommends SharePoint Online webhooks instead of remote event receivers.
Who this is for
- enterprise
- compliance
Candidates
Modernize surviving external integrations to Microsoft Entra ID app registrations
As of 2026-04-09, Azure ACS for SharePoint Online has already stopped working for existing tenants, with no extension beyond April 2, 2026. For unattended or provider-hosted code paths that still need SharePoint Online API access outside the retired add-in model, the supported replacement is a Microsoft Entra ID application using Microsoft Graph or SharePoint application permissions. Microsoft describes this as a manual migration, typically using certificate-based auth and admin-consented permissions. Official docs do not state a specific incremental price; check licensing separately.
When to choose
Use this when the business capability still matters after 2026 and the code can live outside the retired SharePoint Add-in model. It is the right choice for background jobs, service integrations, provider-hosted code, or API access patterns where replacing ACS auth with Entra ID preserves the outcome without preserving legacy add-in packaging.
Tradeoffs
Keeps supported app-only access to SharePoint Online and can reduce blast radius by moving from tenant-wide ACS grants to Graph or SharePoint permissions such as Sites.Selected. The tradeoff is real engineering work: new app registration, permission redesign, certificate handling, admin consent, and code changes to token acquisition and API calls.
Cautions
Do not assume an Entra app plus AppInv.aspx is enough. Microsoft says SharePoint Add-Ins are also fully retired as of April 2, 2026, so modernizing auth alone does not preserve retired add-in packaging, app catalog deployment, or classic add-in UX. Microsoft also says there is no conversion tool, and recommends Graph as first choice where possible.
Retire or rebuild SharePoint Add-ins to supported models such as SPFx, webhooks, and Power Automate
As of 2026-04-09, the SharePoint Add-In model in SharePoint Online is already fully retired as of April 2, 2026. Microsoft names SharePoint Framework as the primary replacement for SharePoint extensibility, recommends SharePoint Online webhooks instead of remote event receivers, and recommends Power Automate instead of SharePoint Workflow apps. This is a product and architecture decision, not an auth-only migration. Microsoft’s retirement and FAQ docs do not publish a migration price; check licensing separately.
When to choose
Use this when the current solution depends on classic SharePoint Add-in packaging, app parts, remote event receivers, app webs, or marketplace/app catalog deployment behavior. It is the decisive option when the legacy capability is mostly UI extensibility or workflow logic rather than just API access.
Tradeoffs
This removes a retired platform dependency and aligns with Microsoft’s supported roadmap. The downside is broader rewrite scope, including UI replacement, data migration out of app webs, workflow redesign, and possible changes to operating model or user experience.
Cautions
Merely changing ACS authentication to Entra ID does not save a SharePoint Add-in implementation that depends on the retired add-in model. Microsoft says app-web data must be extracted before uninstall because uninstall deletes the app web, and remote event receivers registered with ACS stop working after April 2, 2026; only Entra-registered remote event receivers have a longer path until July 1, 2027.
Try with your AI agent
$ npm install -g pocketlantern $ pocketlantern init # Restart Claude Code, Cursor, or your MCP client, then ask: # "SharePoint Add-in Authentication and Retirement Options — when and how should I migrate?"