Future-Safe Approach for Accessing SharePoint REST API via Azure AD App Without AppRegNew.aspx / AppInv.aspx

Sundaravadivel 0 Reputation points
2025-07-01T01:59:12.6133333+00:00

We are evaluating how to securely and sustainably access the SharePoint REST API using an Azure AD application. While we are aware that Microsoft Graph is the preferred modern API surface, certain essential capabilities are still only available via the SharePoint REST API, which necessitates continued use of that endpoint for specific business requirements.

Currently, many implementations rely on the legacy AppRegNew.aspx and AppInv.aspx endpoints to grant app-only permissions via the SharePoint Add-In model. However, we are concerned about the long-term viability of this approach, especially given the broader shift away from SharePoint Add-Ins and related tooling.

We would like to clarify:

What is Microsoft’s recommended best practice for accessing the SharePoint REST API using an Azure AD application without relying on AppRegNew.aspx and AppInv.aspx?

Is there a modern, certificate-based app-only model — similar to Microsoft Graph — that allows an Azure AD app to call the SharePoint REST API natively?

Are there any deprecation plans, timelines, or roadmap updates related to AppRegNew.aspx and AppInv.aspx that we should consider in our planning?

Our goal is to implement a secure, scalable, and future-proof integration with SharePoint Online that aligns with Microsoft’s recommended architecture.

We would greatly appreciate your guidance on this matter.

Best regards,

Sundaravadivel

Microsoft 365 and Office | SharePoint | Development

1 answer

  1. Jack-Bu 2,300 Reputation points Microsoft External Staff Moderator
    2025-07-01T09:17:06.29+00:00

    Hi Sundaravadivel

    Welcome to Microsoft Q&A Forum!

    Thank you again for your detailed inquiry and for raising such an important topic. I truly understand your team’s need to implement a secure, scalable, and future-proof integration with SharePoint Online, especially when certain capabilities are only available via the SharePoint REST API.

     

    Based on my research, Microsoft appears to support a modern, certificate-based app-only model for accessing the SharePoint REST API using an Azure AD (Microsoft Entra ID) application. This approach is designed to:

    • Enable app-only access without user context
    • Use certificate-based authentication via the OAuth 2.0 client credentials flow
    • Work without AppRegNew.aspx or AppInv.aspx, avoiding the legacy SharePoint Add-In model

    This model is designed to be secure, future-proof, and consistent with how Microsoft Graph is accessed today. 

    Because I’m supporting in a moderator capacity, I cannot provide implementation-level guidance or testing steps directly, but I’d be happy to share an official Microsoft article that outlines this model in detail: Setting up an Azure AD App for App-Only Access to SharePoint REST API

    While this model is supported, it’s important to note that: 

    • The official documentation primarily focuses on using Azure AD app-only access with PnP PowerShell or the PnP Sites Core library
    • Direct access to the SharePoint REST API ("plain" REST calls) using this model is not fully covered in Microsoft’s documentation

    To achieve this, you can use the Microsoft Authentication Library (MSAL) to acquire an access token, then include it in the request headers when calling the SharePoint REST API. 

     

    You can read more discussion articles in the Microsoft community to understand deeply how to use SharePoint REST API with Azure: How to use sharepoint rest api with azure ad app creds? - Microsoft Q&A 

    While these tools are still functional today, Microsoft has officially classified the SharePoint Add-In model, which includes AppRegNew.aspx and AppInv.aspx, as legacy. This means that although they are not yet fully deprecated, they are no longer recommended for new solutions.

    More importantly, Microsoft has announced a retirement timeline for the SharePoint Add-In model: 

    • From November 1, 2024, SharePoint Add-Ins will no longer work in new Microsoft 365 tenants. 
    • From April 2, 2026, SharePoint Add-Ins will be fully retired across all tenants. 

    This includes the use of AppRegNew.aspx and AppInv.aspx for app-only access. 

    You can find the official announcement and timeline here: 

     Given this direction, Microsoft strongly recommends transitioning to modern authentication models using Azure AD (Microsoft Entra ID), which support app-only access via certificate-based authentication without relying on legacy endpoints. 

    I completely understand that this shift may require re-evaluation of existing architectures, and I appreciate your forward-thinking approach in planning for long-term sustainability. 

    Once again, I sincerely apologize that, in my role as a moderator, I’m unable to fully test or validate the SharePoint REST API integration end-to-end. If you encounter any issues during implementation, or if anything I’ve shared is unclear or misunderstood in any way, please don’t hesitate to let me know. I’ll do my best to clarify or escalate your concerns to the appropriate team. 

    Thank you again for your understanding and collaboration. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 
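
The flow the answer describes (MSAL certificate credential, then a bearer token on the SharePoint REST call), sketched as an added example that is not part of the original thread or Microsoft's documentation. It assumes the `msal` Python package, the commercial cloud (`login.microsoftonline.com`, `*.sharepoint.com`), and placeholder names such as `contoso`; the host check and the `roles` inspection are defensive additions.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit


def sharepoint_scope(site_url):
    """Derive the app-only scope; refuse anything that is not HTTPS SharePoint Online."""
    parts = urlsplit(site_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(".sharepoint.com"):
        raise ValueError(f"refusing to request or send a token for {site_url!r}")
    return f"https://{host}/.default"  # SharePoint resource, not the Graph scope


def acquire_token(tenant_id, client_id, key_pem, thumbprint, site_url):
    """OAuth 2.0 client credentials flow with a certificate credential."""
    import msal  # lazy import: the helpers below have no MSAL dependency
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential={"private_key": key_pem, "thumbprint": thumbprint},
    )
    result = app.acquire_token_for_client(scopes=[sharepoint_scope(site_url)])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "token request failed"))
    return result["access_token"]


def granted_roles(token):
    """Read the app permissions from the JWT payload (inspection only, no signature check)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("roles", [])


def build_request(token, site_url, api_path="/_api/web?$select=Title"):
    """Attach the bearer token to a SharePoint REST call."""
    sharepoint_scope(site_url)  # re-validate the host before sending a credential to it
    return urllib.request.Request(
        site_url.rstrip("/") + api_path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json;odata=nometadata"},
    )
```

Pass the result of `build_request` to `urllib.request.urlopen`, and compare `granted_roles(token)` against the permissions you expect admin consent to have granted before relying on the token.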

