Microsoft is at it again… building off all the retirement notices in 2023 coming to a head in April 2026, Microsoft is as it again killing off a SharePoint Framework (SPFx) feature.
Late last year, I wrote about the trio of retirement notices that announced that the following services were going to get shut down in April 2026, including:
- Azure Access Control Service (ACS)
- SharePoint 2013 Workflows
- SharePoint Add-in Model (provider-hosted & SharePoint-hosted)
You can learn more about the timeline of these retirement notices from my article, SharePoint Add-in model retirement + other services unpacked.
So, what’s getting killed this week? 🤔
Normally, web parts are rendered within a DIV on the page. This means that all the calls from the web part originate from the same domain as the page they reside on.
However, when your web part obtains an access token to call a secured endpoint like the Microsoft Graph or another Microsoft Entra-secured endpoint, the permissions are granted to the entire tenant, not to your web part. Many developers and customers don’t realize this until it’s explicitly called out.
Why does it matter?
Consider if your web part needed the Mail.Write permission to send emails on the current user’s behalf. When you grant the Mail.Write permission, or any permission for that matter, you’re granting that permission to all client-side solutions in the tenant, not just your web part. You can read more about this in my article Beware of Declarative Permissions in SharePoint Framework Projects.
Isolated web parts addressed this concern by rendering the web part within an IFRAME on it’s own custom domain & using it’s own Microsoft Entra application. Now, permissions granted to the web part would be only available and accessible from the domain where the web part was rendered.
But now, we’re losing this feature… and the only recommendation from the announcement article is to migrate away from them. They do mention that they are “…working on to be announced features that offer an alternative strategy for domain isolated web parts…” in their announcement, but nothing more than that.
Personally, I find this disappointing
If the reason is because Microsoft doesn’t think IFRAMEs are good for page performance, then issue guidance, but don’t block customers from using a necessary feature. We don’t need big brother in SharePoint Online… if we did, someone would have stopped users from adding 10MB BMP’s or TIFF files to the homepage of the company intranet years ago!
But if it really is about IFRAMEs, then what about using Microsoft Teams tabs as web parts to SharePoint Online? Will those keep working?
I just finished working with two very large organizations in Europe who was only going to allow web parts that needed permissions to be deployed as isolated web parts. This retirement announcement already causing them to rethink their SPFx plans.
So, what should you do?
For now, I’d hold off doing anything other than taking an inventory of what isolated web part investments you’ve deployed to your environment. Part of the announcement includes a big PowerShell script you can use to generate two CSV files listing all the SharePoint packages that include isolated web parts and what pages they’re deployed to.
For now, I’d wait to see what they announce. I’ve asked Microsoft a bunch of questions trying to clarify a few points so we’ll see what they say. When I hear back, I’ll update the article associated with this week’s newsletter.
What do you think about this announcement?
Were you using isolated web parts?
Let me know in the comments below!