Time to migrate off Access Control Service

Postado em 20 novembro, 2017

Program Manager

Access Control Service, otherwise known as ACS, is officially being retired. ACS will remain available for existing customers until November 7, 2018. After this date, ACS will be shut down, causing all requests to the service to fail.

Who is affected by this change?

This announcement affects any customer who has created one or more ACS namespaces in their Azure subscriptions. It may also affect customers of any service that uses ACS as a means of authentication. Examples of such services include Azure Service Bus, Azure Relay, Azure Media Services, and Azure Backup. In accordance with this announcement, Azure Service Bus and Azure Relay will be officially deprecating support for ACS on November 7, 2018.

If your apps and services do not use Access Control Service, then you have no action to take.

To determine if you have any ACS namespaces, you must sign-in to the Azure classic portal (read on for instructions). Your ACS namespaces will be listed under the Active Directory service in the Access Control Namespaces tab. Be sure that you check all Azure subscriptions for existing ACS namespaces.

To determine if your apps and services use ACS, you should monitor for any traffic to https://{your-namespace}.accesscontrol.windows.net. All traffic to ACS is sent to the accesscontrol.windows.net domain. 

Note: Any traffic to the https://accounts.accesscontrol.windows.net domain is already handled by a different service. Traffic to this specific domain will not be affected by ACS retirement.

What is the retirement schedule?

Earlier this year, we restricted creation of new ACS namespaces. As of today, all other ACS functionality is fully operational.

During November 2017, management of ACS namespaces will continue to be available in the Azure classic portal. But after November 2017, this URL will begin redirecting to the new Azure Portal. ACS namespace management will not be available in the new portal. Instead, you will be able to access ACS namespace management via a dedicated URL: https://manage.windowsazure.com/?restoreClassic=true. Please use this URL to manage ACS namespaces after November 30.

In April 2018, the Azure classic portal will be retired completely, and the dedicated URL will be deactivated. At this point in time, you will no longer be able to list, create, delete, disable, or enable ACS namespaces via any portal. However, you will still be able to manage your namespace configuration via the ACS management portal, located at https://{your-namespace}.accesscontrol.windows.net. This includes managing service identities, relying parties, identity providers, claims rules, and more. We strongly recommend taking inventory of all ACS namespaces prior to April 2018, making note of the URL for each instance of the ACS management portal.

Until November 7, 2018, all other ACS functionality will continue to work. This includes the ACS secure token service, the ACS management service, and the ACS token transformation engine. After this date, all ACS services and functionality will be shut down. By this time, you should ensure that all traffic has been migrated off Access Control Service to other technology.

What action is required?

If you determine that you use ACS in some capacity, you should begin planning and executing on a migration strategy immediately. In the vast majority of cases, migration will require significant code changes on your part.

What is the migration path?

The correct migration path for you depends heavily on how your existing apps and services use ACS. To assist in determining the right technology to use, we have published this ACS migration guidance. Generally speaking, there are three options for you to consider:

  • If you use ACS as a means of authenticating to another Microsoft service, you’ll need to follow the migration instructions provided by that service. For instance, Azure Service Bus and Azure Relay customers can find guidance on migrating to Shared Access Signature (SAS) in the Service Bus SAS and Relay SAS migration articles, respectively. Our migration guidance contains instructions for other services.
  • If your apps and services only need support for Microsoft work and school accounts, you can migrate to Azure Active Directory. Azure AD supports many of the features of ACS, but not all. If you determine you require an Azure Active Directory premium license to perform your migration, reach out to us to receive a free developer license.
  • If your apps and services need to support Google, Facebook, Yahoo, Microsoft personal accounts, or other IDPs, consider migrating to Azure AD B2C. Azure AD B2C supports a wide range of identity providers and customizations, but does not support all of the ACS authentication protocols.

Contact Us

For more information about the retirement of ACS, please check our ACS migration guidance page first. If none of the migration options will work for you, or if you still have questions or feedback about ACS retirement, please contact us at acsfeedback@microsoft.com