As of April 2026, Microsoft will discontinue its authentication service Azure ACS (Access Control Services) and will transition to using Microsoft Entra ID, which affects all Microsoft SharePoint Online Connectors that are currently used by Mindbreeze customers. For more information about the retirement of Azure ACS, please see https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs.
To proactively respond to this change and ensure the continued functionality of the Microsoft SharePoint Online connector, Principal Resolution Service and the Authorization service, the authentication method is being updated to certificate-based authentication. In the following chapters, the necessary steps are described to prepare the existing Azure application and to migrate the existing tenant-wide permissions for certificate-based authentication.
Please check the following requirements:
To migrate to certificate-based authentication, you need a certificate that is uploaded to the Azure application to connect with Mindbreeze InSpire. This can be either a CA-signed certificate issued by a trusted certificate authority or a self-signed certificate (.cer, .crt or .pem).
For more information about the creation of a self-signed certificate, see the Microsoft documentation: .
After the creation of the certificate, please make sure to save the certificate including the private key and to provide it to the Mindbreeze InSpire administrator.
To upload and add the certificate to an existing Azure application, sign in to the Azure Portal/Microsoft Entra ID admin center.
Then, go to “Microsoft Entra ID”, and in the “Overview”, go to “App registrations”. Choose the existing Azure application that you want to connect with Mindbreeze InSpire.
In the Azure application, go to the side navigation and open the menu item “Manage”. To upload the certificate, go to the submenu item “Certificates & secrets”. Click on “Upload certificate” and select the public certificate file (.cer, .crt or .pem). Then, click on “Add”.
For more information, please see the Microsoft documentation How to add credentials to an application.
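The certificate preparation described above, as an added example that is not part of the Mindbreeze or Microsoft documentation: a shell script using OpenSSL that creates a self-signed certificate, checks that the file selected for upload contains no private key, confirms that key and certificate belong together, and prints the SHA-1 thumbprint for comparison with the thumbprint listed for the uploaded certificate. The subject name, key size, validity period and file names are assumptions.

```shell
#!/bin/sh
# Added example, not Mindbreeze or Microsoft code. Assumed values: subject name,
# RSA 2048, 365-day validity, and the file names app-key.pem / app-cert.pem.
set -eu

# Create key + self-signed certificate; runs in a subshell so umask stays local.
make_app_cert() (
  outdir=$1; cn=$2; days=${3:-365}
  umask 077                      # key and directory readable by owner only
  mkdir -p "$outdir"
  # -nodes leaves the key unencrypted: protect the file in transit and at rest.
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -subj "/CN=$cn" -keyout "$outdir/app-key.pem" \
    -out "$outdir/app-cert.pem" 2>/dev/null
)

# True only if the file holds no private key material (safe to upload).
is_public_only() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# SHA-1 thumbprint as uppercase hex without colons, for comparison with the
# thumbprint listed for the uploaded certificate.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# True if the private key ($2) belongs to the certificate ($1).
key_matches_cert() (
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Demo run in a throwaway directory with a constructed subject name.
demo_dir=$(mktemp -d)
make_app_cert "$demo_dir" "spo-connector-example"
is_public_only "$demo_dir/app-cert.pem" || { echo "key found in cert file" >&2; exit 1; }
key_matches_cert "$demo_dir/app-cert.pem" "$demo_dir/app-key.pem" || exit 1
echo "Upload:      $demo_dir/app-cert.pem"
echo "Thumbprint:  $(cert_thumbprint "$demo_dir/app-cert.pem")"
echo "Keep secret: $demo_dir/app-key.pem (for the InSpire administrator)"
```

Only `app-cert.pem` is uploaded to the app registration; `app-key.pem` never leaves the administrators' hands.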
Due to the retirement of Azure ACS for SharePoint Online, tenant-scoped “FullControl” permissions can no longer be granted by using AppInv.aspx (before the retirement of Azure ACS, it was possible to upload a tenant-level scope with “FullControl” rights through the SharePoint AppInv.aspx page). Now, this capability must be configured through application permissions in Microsoft Entra ID. In the future, access to SharePoint will be managed via Azure application permissions.
To migrate the tenant-wide API permissions in Azure, go to the existing Azure application that you want to connect with Mindbreeze InSpire in the Azure Portal/Microsoft Entra ID admin center. Open the menu item “Manage” and click on “API permissions”.
Then click on “Add a permission” and make sure to choose “SharePoint”.
Choose “Application permissions” as permission type. Then expand the permission option “Sites” and choose the permission “Sites.FullControl.All”. Finally, click on “Add permissions”.
For more details see the Microsoft documentation: How to update application permissions
Now, with the API permissions migrated, the Azure application is again fully configured and ready to be used with the SharePoint Online Connector and certificate-based authorization.