Hi,

Ultimate Forms enables you to configure and execute a variety of improvements and extensions to your SharePoint, allowing you to build sophisticated business solutions directly in your browser. To accomplish that in SharePoint Online, we require access permissions to your SharePoint sites, to be able to work with data, configure your lists or register alerts. As Ultimate Forms allows you to automate almost anything inside SharePoint, we require an equally high level of permissions.

When you click your Design button on SharePoint list view, we have to receive an access token from SharePoint to be able to accomplish all these tasks. In the past, we were using ACS (access control system) to retrieve the token directly from SharePoint. As ACS will be discontinued by Microsoft on April 2nd, 2026, at the beginning of this year we released version 1.4.0.0 that uses a different mechanism. It retrieves the token from SPFx infrastructure of client-side extensions.

Although this system does not use ACS and as such won't be deprecated, there is one issue that raised customer complaints. The access token is relatively short-lived, sometimes no more than 40 min, and the app has to ability to renew it. Which meant that it could potentially expire while you were working. As a countermeasure we implemented automatic saving of form settings when we detect an imminent expiration, but we understand that it still interrupts the flow of work and is undesirable.

This is why we decided to implement a direct OAuth authorization flow when opening the app. It allows us to receive both access and refresh tokens and handle the renewal of access tokens automatically behind the scenes, ensuring that the token practically never expires. Moreover we are increasing security by safely storing the token in browser memory only and never on disk.

This change comes as part of our regular behind-the-scenes upgrade cycle and requires no version upgrade, assuming you are already on 1.4.0.0 (which you should plan to upgrade to as soon as possible to ensure no service disruptions when ACS goes offline). Most customers will not notice any change, as all the necessary permissions should already be present in your system.

However some customers might require some additional configurations. There is a new documentation article that describes all the possible scenarios in full details, but I would like to quickly go over it here as well.

Basically, the permissions for the app are granted through Infowise Ultimate Forms Data Access enterprise application that can be found in your Entra ID (formerly Azure Active Directory). You can find it under Applications -> Enterprise applications. If you look under Permissions, you will find a set of different permissions this application requires. The one we are using for accessing SharePoint from Ultimate Forms on your behalf is this (highlighted):

Note that this is a delegated permission granting up to Full Control. Delegated means that it is actually granted in combination with the specific user's own permissions and only up to the level of that user's permissions. For example, if the user only has Write permissions, the resulting permissions will also be limited to Write. This ensures that each user can only perform operations up to their own permissions level and permissions are never elevated, ensuring your system's security.

If you already see this permission under the enterprise application and admin consent is granted, no further configuration is needed. User will be able to open Ultimate Forms exactly as they did up until now and nobody is going to notice any change in behaviour.

If however the permission is not there or is not granted, there are several possible scenarios:

1. A Global Administrator can give consent if the permission is already there or, if it's not, simply running Installation Wizard will ensure it's there and granted consent.
2. Users will require consent when trying to open Ultimate Forms for the first time:
   1. If all users are allowed to grant consent for their own delegated permissions, they can simply agree and proceed, they won't be asked again. This will happen when you configure User consent settings in Entra ID to Allow user consent to apps. You can find it under Applications -> Enterprise applications ->Consent and permissions -> User consent settings.
   2. If users are not allowed to grant consent (the other two options under User consent settings), they will require an administrator approval. I would recommend to enable the ability to ask for approval directly in the consent flow, you can enable it under Applications -> Enterprise applications ->Consent and permissions -> Admin consent settings. This way one of your administrators will be notified by email, will review and approve the request and the user will be notified via email and granted access. This scenario is recommended for organizations wishing to have tighter control over who is able to access Ultimate Forms.

This change goes into effect starting today. You might still continue to experience the old flow for a few days, depending on the cache settings of your browser. The change at this point applies to Design button only. The other buttons Ultimate Forms adds to the toolbar (such as Add alert, Print or Run actions) are not affected, as you normally won't need to stay on the page more than a couple of minutes and the token expiration is not a significant factor here.

And again, if you are still on any version below 1.4.0.0, start making plans to upgrade. There are several tasks that we will have to perform behind the scenes to ensure your functionality is not interrupted when ACS goes offline and it's important that we are able to perform them well ahead of time.