Windows Azure Access Control Service Migration Tool

The Windows Azure Access Control Service (ACS) Migration Tool is not a standalone downloadable piece of software. It instead refers to a structured collection of diagnostic utilities, scripts, and target platform configurations provided by Microsoft to migrate legacy apps off the retired Azure ACS framework.

Because Azure ACS reached full retirement on April 2, 2026, all legacy authentication flows have stopped working. Organizations must manually transition their application-only contexts, custom workloads, and SharePoint Add-ins to Microsoft Entra ID (formerly Azure Active Directory).

This step-by-step guide explains how to scan your environment for ACS endpoints and execute the migration path.

Step 1: Scan for ACS Dependencies

Before modifying application code, administrators must inventory all environments to discover active ACS principals using the Microsoft 365 Assessment Tool.

Download the Engine: Grab the latest assessment engine release via the PnP Assessment Repository.

Initialize the Scan: Open your command line interface and target your primary infrastructure tenant:

start --mode AddInsACS --authmode interactive --tenant ://sharepoint.com

Monitor Progress: Type status to track the background job.

Extract Report: Use list to view all identified provider-hosted add-ins, validation scopes, and secret lifetimes.

Step 2: Configure the Target Application in Entra ID

Once you identify an ACS-dependent app, you must map its identity to Microsoft Entra ID.
