Viva Amplify: Retirement of high privilege access (HPA) for Teams distribution channel

Originally posted by Microsoft Nov 5, 2025 Uncategorized 0 Comments

Viva Amplify will retire High Privilege Access for Teams distribution, switching from App-only tokens to Protected Forwarded Tokens by November 2025. This enhances security without affecting user experience or requiring tenant configuration changes. No admin action is needed; update documentation and inform support teams accordingly.

Introduction

As part of Microsoft 365’s broader security initiative to deprecate High Privilege Access (HPA), Viva Amplify is transitioning from App tokens to post-transformed user Protected Forwarded Tokens (PFT) for the Teams distribution channel. This change enhances security by reducing the risk of token misuse and unauthorized access, aligning with Microsoft’s commitment to a more secure publishing experience across services.

Understanding key terms:

  • High privilege access (HPA) authentication grants first-party applications broad access to customer data in Microsoft 365. In some scenarios, HPA includes the ability to impersonate any user in Microsoft 365 and has proven susceptible to abuse and exploit. HPA deprecation is a Microsoft 365-wide security initiative to harden server-to-server (S2S) patterns such as app-only calls accessing customer content, and to move them to a constrained access model such as app+user. A call is considered HPA if it’s using app-only access to customer content that the caller does not own or manage.
  • Protected forwarded token (PFT) is a convertible token representing the authenticated user context (user claims or assertions) which can be transformed one way. Its primary purpose is to allow mid-tier services to accept a pre-transformed PFT token and send it to other services without the risk of the service replaying the token back to them.

When this will happen:

  • Targeted Release: Rollout begins in early November 2025; expected to complete by mid-November 2025.
  • General Availability: Rollout begins in mid-November 2025; expected to complete by late November 2025.

How this affects your organization:

What you can do to prepare:

  • No admin action is required.
  • Review and update any internal documentation or help resources that reference Viva Amplify’s publishing authentication model.
  • Communicate to helpdesk or support teams that no user-facing changes are expected.
  • Who is affected: Organizations using Viva Amplify to publish content via the Teams distribution channel.
  • What will happen:
    • Viva Amplify will stop using App-only tokens for Teams publishing.
    • The system will now use post-transformed user PFT tokens to authenticate publishing actions.
    • There is no change to the user experience in Teams.
    • No configuration changes are required for tenants.
    • Existing publishing workflows remain unaffected.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Message ID: MC1183011

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: