SAP Knowledge Base Article - Public

3731970 - Microsoft ACS authentication retirement may impact SharePoint connections in SAP Analytics Cloud via Open Connectors

Symptom

  • SharePoint import connections via Open Connectors in SAP Analytics Cloud (SAC) may be impacted by Microsoft ACS authentication retirement.
  • Issues may occur when creating, updating, or using a SharePoint connection in SAC.
  • Possible symptoms include:
    • “An error occurred while retrieving the authentication code from SharePoint.”
    • “Unable to connect to SharePoint. Check the connection details and user credentials, and then try again.”
    • “Non-Graph authentication is no longer supported. Use Graph-based authentication.”
    • Authentication failure after the Microsoft trust/consent step
    • “Your tenant administrator has to approve this app.”
  • In some cases, the SharePoint setup may work in Open Connectors, but the connection in SAC may still fail.
  • At this time, some existing connections may continue to work because the current refresh token is still valid.
  • SharePoint team site URLs of the form /sites/<TeamName>/ may currently require a temporary workaround. 
  • In some cases, temporary intermittent failures may also occur due to SharePoint rate limiting.

Environment

  • SAP Analytics Cloud
  • SharePoint import connection
  • SAP Integration Suite Open Connectors / Cloud Elements

Reproducing the Issue

  1. Log in to SAP Analytics Cloud.

  2. Navigate to Connections.

  3. Create or update a SharePoint import connection via Open Connectors.

  4. Trigger the Microsoft/SharePoint authentication flow.

  5. Observe that the connection may fail during or after authentication.

Cause

Microsoft is retiring Azure Access Control Service (ACS) authentication for SharePoint. As a result, SharePoint authentication scenarios based on legacy ACS may be impacted and may require migration to Microsoft Entra ID / Graph-based authentication.

For SAP Analytics Cloud customers using SharePoint via Open Connectors, additional work is still required to fully support all create and edit workflows for existing SharePoint connections configured directly in SAC.

In addition, SharePoint team site URLs may currently require a workaround because Microsoft Entra ID / Graph authentication may use the SharePoint base URL to obtain an access token instead of handling site-specific resource details directly.

SAP is continuing to work with UiPath to improve team site authentication without workaround and to add retry logic for SharePoint rate limiting scenarios.

Resolution

SAP is currently working on the remaining development items required to support the update of existing SharePoint connections configured directly in SAP Analytics Cloud after Microsoft ACS authentication retirement.

At this time, the SAC-specific update path for existing SharePoint connections is still being worked on.

In the meantime, consider the following guidance:

  1. Do not modify a working connection or OAuth application immediately.
    First test with a new connection or a new OAuth application to confirm that the new setup works as expected.
    • Once confirmed, you can then modify existing SAC connections.
  2. Check whether the current authentication flow is using legacy ACS or Entra ID / Graph authentication.
    • If the authentication URL goes to:
      <SharePointSiteURL>/_layouts/15/OAuthAuthorize.aspx, the flow is using SharePoint ACS
    • Even if the OAuth application was created in Microsoft Entra ID, the connection may still use SharePoint ACS authentication.
    • If the authentication URL goes to:
      login.microsoftonline.com/common/oauth2/v2.0/authorize, the flow is using Entra ID / Graph authentication.
    • If modifying an existing connection in SAC does not redirect to the Entra ID / Graph authentication URL, test creating a new connection in SAC to confirm whether the new setup is working correctly.
  3. If the message “Your tenant administrator has to approve this app.” appears, approval from the primary SharePoint administrator may be required.
  4. When registering an OAuth application in Microsoft Entra ID, specify the supported account type as required by your scenario, Single-tenant or multitenant. 
  5. Existing connections may continue to work temporarily if the current refresh token is still valid.
  6. For SharePoint team site URLs of the form /sites/<TeamName>/, use the following temporary workaround:
    1.  In SAP Analytics Cloud, create or edit the connection using the SharePoint base URL (for example, mysharepoint.sharepoint.com).
    2. Sign in to SAP Open Connectors and locate the associated instance then edit it.
    3. Update the SharePoint URL to the actual Team site address (for example, mysharepoint.sharepoint.com/sites/mysite).
    4. Re-enter the secret.
    5. Click Update — do not choose Reauthenticate.
    6. Return to SAC and create the Model.
  7. If temporary intermittent failures are observed, retry after a short time. SAP is continuing to work with UiPath on improved retry handling for SharePoint rate limiting scenarios. 

For background information, refer to KBA 3469382 - Configuration details for Consuming Sharepoint Data in SAP Analytics Cloud (SAC)

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

SAP Analytics Cloud, SAC, SharePoint, SharePoint import connection, Open Connectors, SAP Integration Suite Open Connectors, Cloud Elements, authentication, Microsoft ACS, Azure Access Control Service, ACS authentication retirement, SharePoint ACS, Microsoft Graph, Graph-based authentication, Microsoft Entra ID, Entra ID, Azure Entra ID, OAuth, redirect URI, refresh token, multitenant, single-tenant, OAuthAuthorize.aspx, An error occurred while retrieving the authentication code from SharePoint, Non-Graph authentication is no longer supported, Your tenant administrator has to approve this app , KBA , LOD-ANA-AQU-CLD , Data acquisition from Cloud-based (non-OData) sources , Problem

Product

SAP Analytics Cloud 1.0