Share via

Need guidance guidance regarding the future of our Provider-Hosted Add-ins (PHA) in SharePoint Online, in light of the announced retirement of SharePoint Add-ins and ACS authentication after April 2, 2026

Ramanjjilu Naidu 0 Reputation points
2025-08-11T16:01:20.86+00:00

Current Setup:

  • We use multiple PHA apps across different SharePoint Online sites.
  • These apps vary in complexity: some are simple, some medium, and some highly complex.
  • All are built using C#, leveraging CSOM and SharePoint REST APIs.
  • Authentication is currently handled via ACS (Azure Access Control Services).

Questions:

  1. Post-ACS Viability:
    • If we migrate our PHA apps to use Azure AD authentication, will they continue to work after ACS is retired?
      • Are there any limitations or unsupported scenarios when using Azure AD with PHA apps?
      1. Redirection Workarounds:
        • Can we continue to use Script Editor Web Parts or SPFx-based redirection to launch our existing PHA apps?
          • Is this considered a supported and secure approach by Microsoft?
          1. SPFx Migration Feasibility:
            • A full redesign of our business processes into SPFx is a significant effort and may not be achievable before April 2026.
              • Does Microsoft recommend a phased migration strategy or offer tooling/support to accelerate this transition?
  2. Recommended Approach:
  • What is Microsoft’s official recommendation for organizations with large investments in PHA apps?
    • Are there any migration guides, sample architectures, or support programs available to help us plan and execute this transition? Current Setup:
      • We use multiple PHA apps across different SharePoint Online sites.
      • These apps vary in complexity: some are simple, some medium, and some highly complex.
      • All are built using C#, leveraging CSOM and SharePoint REST APIs.
      • Authentication is currently handled via ACS (Azure Access Control Services).
      Questions:
      1. Post-ACS Viability:
        • If we migrate our PHA apps to use Azure AD authentication, will they continue to work after ACS is retired?
        • Are there any limitations or unsupported scenarios when using Azure AD with PHA apps?
      2. Redirection Workarounds:
        • Can we continue to use Script Editor Web Parts or SPFx-based redirection to launch our existing PHA apps?
        • Is this considered a supported and secure approach by Microsoft?
      3. SPFx Migration Feasibility:
        • A full redesign of our business processes into SPFx is a significant effort and may not be achievable before April 2026.
        • Does Microsoft recommend a phased migration strategy or offer tooling/support to accelerate this transition?
      4. Recommended Approach:
        • What is Microsoft’s official recommendation for organizations with large investments in PHA apps?
        • Are there any migration guides, sample architectures, or support programs available to help us plan and execute this transition?
Microsoft 365 and Office | SharePoint | For business | Windows
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alexis-NG 1,490 Reputation points Microsoft External Staff Moderator
    2025-08-11T17:37:57.9366667+00:00

    Hi @Ramanjjilu Naidu,

    Thanks for reaching out to Q&A Forum.
    For your concern, switching authentication from ACS to Microsoft Entra ID (Azure AD) is necessary but not enough. The SharePoint Add-in model, which Provider-Hosted Add-ins (PHAs) rely on, will be fully retired on April 2, 2026. Even with Entra ID authentication, PHAs won’t work via the Add-in framework after that date. Key components like app parts, app webs, launcher tiles, and add-in permissions will no longer function. 

    The future platform is:  SPFx + Entra ID + Microsoft Graph / SharePoint REST API   

    Regarding your question about post-ACS viability of PHAs 

    • Authentication: You can refactor your C# code to use Entra ID tokens and continue calling SharePoint Online via CSOM/REST or Graph. This is supported. 
    • Add-in Model: Retires April 2, 2026. Even with Entra ID, PHAs won’t load via the Add-in framework. You’ll need to surface your apps via SPFx, Teams, or as standalone web apps. 
    • Remote Event Receivers (RERs): 
    • ACS-registered RERs stop working on April 2, 2026. 
    • Entra ID-registered RERs are supported until July 1, 2027. 
    • Permissions: Add-in permissions (AppRegNew/AppInv) retire. Use Entra ID app registrations with Graph/SharePoint app-only permissions (e.g., Sites.Read.All, Sites.Selected). 

    With your suggested redirection workaround, there is some pros and cons come with it: 

    • Script Editor Web Parts: Not viable long-term. Custom scripting is disabled in modern SharePoint and doesn’t restore Add-in functionality. 
    • SPFx Redirection: Supported. You can build SPFx web parts or Application Customizers to redirect users to standalone Entra ID-protected apps. 
    • Ensure the destination is a normal web app, not an Add-in web. 
    • Use secure auth flows like Authorization Code + PKCE or On-behalf-of. 
    • Prefer least privilege scopes like Sites.Selected. 

    For SPFx migration strategy, phased Migration is recommended: 

    • Inventory: Use the Microsoft 365 Assessment Tool to identify all Add-ins and generate a Power BI report. 
    • Authentication First: Migrate all ACS-based code to Entra ID to keep backend services running. 
    • Surface Replacement: 
    • SPFx web parts or full-page apps calling your backend. 
    • SPFx + external web app (via redirect or iFrame, if allowed). 
    • Background jobs → Azure Functions/WebJobs. 
    • Eventing → Replace RERs with webhooks, Power Automate, or re-register with Entra ID. 
    • Freeze Add-ins: Disable new Add-in installs using PowerShell to stabilize your environment. 

    There are some recommended architectures based on official Microsoft documents and community guidance: 

    SPFx (React) web part → Azure App Service backend → Graph/REST with Entra ID. 

    Full-page SPFx apps with SSO via On-behalf-of flow. 

    Teams + SharePoint dual-home: Package SPFx components as Teams tabs. 

    Governance: Use Sites.Selected over tenant-wide scopes; automate consent and site assignments. 

    You can find more details in the following Microsoft Learn articles; these resources provide clear guidance and the latest updates on the topic: 

    SharePoint Add-Ins and Azure ACS retirement FAQ | Microsoft Learn  

    Azure ACS retirement in Microsoft 365 | Microsoft Learn  

    SharePoint Add-In retirement in Microsoft 365 | Microsoft Learn  

    Here are some additional documents and tools you might find useful. Please note that these tools aren’t officially provided or supported by Microsoft, so it’s a good idea to review them carefully and assess their reliability before using them in your environment.

    Modernizing Authentication in SharePoint Online | SharePointed  

    SharePoint Add-In Retirement: What You Need to Know  

    Migrate SharePoint Add-ins to SharePoint Framework - FAQ  

    GitHub - pnp/pnpassessment: Microsoft 365 SharePoint Assessment tool enabling various deprecation and adoption scenarios   

    GitHub - pnp/sp-dev-fx-webparts: SharePoint Framework web part, Teams tab, personal app, app page samples  

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

    Afbeelding van gebruiker

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.