IMPORTANT! Azure Media Services announces support for AAD and deprecation of ACS authentication

  • General discussion

  • IMPORTANT! 12-month deprecation notice of ACS authentication support in Azure Media Services

    Because Azure Active Directory provides powerful role-based access control features and support for more fine-grained access to resources in your account compared to the ACS token authentication model ("account keys"), we strongly recommend that you update your code and migrate from ACS to AAD-based authentication by June 22, 2018. Also, a key reason for the rapid migration is the upcoming announced deprecation of the ACS key-based authentication system.

    What does this mean for you?

    • Microsoft Azure Media Services will end support for Microsoft Azure Access Control Service (ACS)-based authentication on June 22, 2018.
    • To provide customers sufficient time to update their application code, we are providing 12 months' notice to manage the necessary transition.

    What actions should you take?

    We recommend that you take the following actions prior to June 22, 2018 to ensure that your applications continue to work as expected:

    • Update the code for your applications authored for Media Services.
    • Migrate from ACS-based authentication.
    • Begin using AAD-based authentication.

    Mitigation steps must be taken on or before June 22, 2018 to ensure your applications authored for Media Services using ACS authentication tokens will continue to function as expected without failures in production. Please review each of the new authentication scenarios below closely and take the appropriate action to update to using AAD authentication in your source code.

    The Azure Media Services REST API supports authentication for both interactive users and web API, middle-tier, or daemon applications. The following sections provide details on how to use AAD authentication when working directly with the REST API or through the .NET client library.

    See the full blog post here:

    Thursday, June 22, 2017 7:36 PM

All replies

  • Hi John,

    does this mean that in order to view a video streamed by Azure Media Services, you need a Microsoft account?

    Best regards,

    Roel Van Poppel

    Monday, June 26, 2017 11:07 AM
  • Roel, 

    No, not at all - if you read my blog you should focus on the section about AAD Service Principals.  For any real production access to a Media Services account, you would want to use a Service Principal. 

    If you are just writing a simple desktop tool or playing around in Visual Studio, you can use your User account for interactive login (say for example you are building a tool like the Azure Media Services Explorer), but that is definitely not the recommendation for any backend API or service that calls your Media Services Account. Your user interactive account would be the same one that you use for accessing your subscription through the Azure Portal. By default you are given an AAD instance with that user account in it (unless you are going through your corporate subscription and AD tenant).

    We added a new "API Access" blade in the Azure Portal under your media services account to make it easier to create a new Service Principal and attach it to your Media Services account. 

    Monday, June 26, 2017 5:58 PM
  • Hi John,

    thanks for your reply.

    I followed your instructions on setting up the Azure Active Directory and adjusted the code according to your new guidelines. Everything is up and running again with a server principal on the Azure Active Directory.

    Best regards,

    Roel Van Poppel

    Tuesday, June 27, 2017 11:42 AM
  • Hi John,

    How can I migrate my uploaded videos from ACS to AAD?

    Best regards,


    Wednesday, October 11, 2017 3:38 PM
  • Andre,

    There is no migration required.  This only affects the way in which you authenticate your calls to our API or through our SDKs.  Please follow the instructions in the blog post closely and update any code that is calling our REST API or using our client SDKs to use AAD authentication instead of ACS keys.

    See the full blog post here:

    Wednesday, October 11, 2017 4:43 PM
  • Thank you, John.


    Wednesday, October 11, 2017 7:16 PM