Is SharePoint ACS really going away? What it means for your integrations
- Apr 12
Updated: Apr 13
Managing access and security policies in SharePoint Online is critical for maintaining a secure and efficient collaboration environment. One key aspect that often raises questions is the Access Control Service (ACS) policy expiry. This post explains what ACS policy expiry means in SharePoint Online, why it matters, and how you can manage it effectively using the Microsoft Entra app.

What is ACS Policy Expiry in SharePoint Online?
ACS, or Access Control Service, is a component that helps manage authentication and authorization for SharePoint Online and other Microsoft 365 services. It issues tokens that grant users and applications access to resources for a limited time. The ACS policy expiry refers to the expiration of these tokens or policies that define access permissions.
When an ACS policy expires, the tokens it issued become invalid, and users or apps may lose access until new tokens are issued or policies are renewed. This mechanism helps improve security by limiting the window during which a compromised token can be used.
Why ACS Policy Expiry Matters
- Security: Expiring tokens reduce the risk of unauthorized access if credentials are leaked.
- Compliance: Many organizations require regular review and renewal of access permissions.
- Access Management: Helps administrators control how long users or apps can access SharePoint resources.
Without proper management, expired policies can cause unexpected access issues, disrupting workflows and collaboration.
How ACS Policy Expiry Works in Practice
ACS policies are typically set with a validity period. For example, an application registered in Azure AD might have a token lifetime of one hour or one day. After this period, the token expires, and the application must request a new token to continue accessing SharePoint Online.
In SharePoint Online, this process is mostly transparent to end users but requires administrators to monitor and manage app registrations and permissions to avoid service interruptions.
Using Microsoft Entra App to Manage ACS Policy Expiry
Microsoft Entra is a suite of identity and access management tools that includes Azure AD and other services. It provides a centralized way to manage applications, users, and policies, including those related to ACS.
Steps to Manage ACS Policy Expiry with Entra App
1. Access the Entra Portal: Sign in to the Microsoft Entra admin center with appropriate admin credentials.
2. Review App Registrations: Navigate to Azure Active Directory > App registrations to see all applications that have access to SharePoint Online.
3. Check Token Lifetimes and Policies: Under each app registration, review the Authentication and Token configuration settings. Here you can see token expiry times and refresh token settings.
4. Set or Adjust Token Expiry Policies: Use Conditional Access policies or token lifetime policies to define how long tokens remain valid. For example, you can set shorter lifetimes for sensitive apps or longer ones for trusted internal tools.
5. Monitor Policy Expiry and Renew Access: Entra provides logs and alerts to notify admins when tokens or policies are nearing expiry. Use these tools to proactively renew or revoke access as needed.
6. Automate Token Renewal: For applications, configure refresh tokens to automatically renew access without user intervention, ensuring seamless operation.
Example: Renewing an Expired ACS Policy for a SharePoint App
Suppose you have a custom app that integrates with SharePoint Online but suddenly loses access due to token expiry. Using Entra, you can:
1. Locate the app registration.
2. Check the current token expiry settings.
3. Adjust the token lifetime if necessary.
4. Generate new client secrets or certificates if the app uses them.
5. Inform the app owner to update the credentials or reauthenticate.
This process helps restore access quickly and securely.
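To catch credential expiry before an integration breaks, the audit of app registrations can be scripted. The following is an added example, not part of the original post: it assumes the app list has been exported as JSON in the shape of a Microsoft Graph `GET /applications` response, and the app names, IDs and dates in the sample are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Microsoft Graph GET /applications response.
SAMPLE = json.loads("""
{"value": [
  {"displayName": "SP-Invoice-Sync", "appId": "00000000-0000-0000-0000-000000000001",
   "passwordCredentials": [{"keyId": "secret-a", "endDateTime": "2025-04-20T00:00:00Z"}],
   "keyCredentials": []},
  {"displayName": "SP-Archive-Job", "appId": "00000000-0000-0000-0000-000000000002",
   "passwordCredentials": [{"keyId": "secret-b", "endDateTime": "2025-03-01T00:00:00Z"}],
   "keyCredentials": [{"keyId": "cert-a", "endDateTime": "2026-01-15T08:30:00.1234567Z"}]},
  {"displayName": "SP-No-Creds", "appId": "00000000-0000-0000-0000-000000000003",
   "passwordCredentials": [], "keyCredentials": []}
]}
""")

def parse_graph_time(value):
    """Parse an ISO 8601 UTC timestamp, trimming fractions beyond microseconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def audit_credentials(apps, now, warn_days=30):
    """Return (status, app name, kind, keyId, days_left) for every credential
    that is expired or expires within warn_days, soonest first."""
    findings = []
    for app in apps:
        for kind, field in (("secret", "passwordCredentials"),
                            ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                end = cred.get("endDateTime")
                if not end:
                    continue  # no expiry recorded, nothing to compare
                days_left = (parse_graph_time(end) - now).days
                if days_left < 0:
                    status = "EXPIRED"
                elif days_left <= warn_days:
                    status = "EXPIRING"
                else:
                    continue
                findings.append((status, app["displayName"], kind,
                                 cred.get("keyId"), days_left))
    return sorted(findings, key=lambda f: f[4])

if __name__ == "__main__":
    as_of = datetime(2025, 4, 12, tzinfo=timezone.utc)  # fixed date for reproducible output
    for row in audit_credentials(SAMPLE["value"], as_of):
        print(*row, sep="\t")
```

Apps that return no findings and hold no credentials at all, like the third sample entry, are still worth reviewing during the regular audit of registrations.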
Best Practices for Managing ACS Policy Expiry
- Regularly audit app registrations to ensure only necessary apps have access.
- Set appropriate token lifetimes based on the sensitivity of data and app usage.
- Use Conditional Access policies to enforce multi-factor authentication and device compliance.
- Monitor logs and alerts in Entra to detect unusual access patterns or expired tokens.
- Educate app developers and users about token expiry and renewal processes.
Summary
Understanding ACS policy expiry in SharePoint Online is essential for maintaining secure and uninterrupted access to your resources. The Microsoft Entra app offers a powerful way to manage these policies, review token lifetimes, and renew access when needed. By actively monitoring and adjusting ACS policies through Entra, administrators can reduce security risks and ensure smooth collaboration.