One of Azure’s oldest Identity-related services, Azure’s Access Control Service (ACS) will cease to exist soon. There are replacements. If your organization is still using ACS, you will need to migrate this functionality to Azure AD, Azure AD B2C, AD FS and/or 3rd party solutions.
About the Access Control Service
The Microsoft Azure Access Control Service (or ACS) is a cloud-based service that provides a way of authenticating and authorizing users to gain access to web applications and services.
Using ACS, admins can easily orchestrate the authentication and much of the authorization of users using identity providers like Facebook, Google, Yahoo and Microsoft Accounts using standards like SAML, OAuth and Open ID Connect.
From ACS to Azure AD
If that sounds awfully familiar, then you’re probably thinking of Azure AD B2C as a Microsoft technology that offers the same functionality. However, that’s just one part of the story, because B2C aims for non-organizational users, where all the functionality of the Azure Access Control Service (ACS) for users within your (affiliate) organizations is rolled into Azure AD itself, as described here by Alex Simons, back in February 2015.
Since then, Microsoft has made big strides to achieve feature-parity between Azure AD, Azure AD B2C and Azure ACS. One of the last features on that road(map) was the ability to define custom policies in Azure AD B2C to integrate with any SAML, Open ID Connect or OAuth-based provider, next to its built-in policies.
In many areas, the functionality of Azure AD surpasses ACS, like with role-based access control (RBAC) as illustrated by this TechNet Wiki article on Azure Recovery Services.
As ACS provides access, as a prerequisite, applications need the logic to work with it. ACS offers .Net Framework, PHP, Python, Java and Ruby support. Many (Microsoft) services and applications have adopted its functionality in their code. Microsoft has standardized all of their support into the Azure Active Directory Authentication Libraries (ADAL), offering downloadable libraries, source code, samples and references to developers looking to adopt Azure Active Directory.
Goodbye ACS
Now, its time to say ‘Goodbye’ to Azure’s Access Control Service (ACS). On November 7, 2018, ACS will be retired and shut down, causing all requests to the service to fail.
This retirement affects any organization that has created one or more ACS namespaces in their Azure subscriptions.
Are you affected?
There’s an easy way to find out. However, since ACS was not migrated to the ‘new’ Azure Portal, you will need to use the Azure ACS PowerShell Module.
First, install the PowerShell Module from the PowerShell Gallery using the following one-liner:
Install-Module -Name Acs.Namespaces
With the PowerShell Module installed, connect to the Access Control Service management endpoint, using the following one-liner:
Connect-AcsAccount
Now, use the following one-liner to list any ACS Namespaces:
Get-AcsNamespace
If your Azure subscription features ACS Namespaces, follow the ACS migration guidance to migrate the functionality to Azure AD, Azure AD B2C, Active Directory Federation Services (AD FS) or even 3rd party functionality from Auth0 and Ping Identity.
If your apps and services do not use ACS, then you have no action to take.
Concluding
Three months might prove to be just the right amount of time for organizations to migrate off Azure’s Access Control Service (ACS).
Further reading
ACS Overview
The future of Azure ACS is Azure Active Directory
Upcoming changes to the Microsoft Access Control Service
4 month retirement notice: Access Control Service
Login