Details
As part of the Microsoft 365-wide High Privilege Access (HPA) deprecation initiative, Viva Amplify is transitioning from App tokens to a more secure model using post-transformed user Protected Forwarded Tokens (PFTs). This change enhances security by reducing the risk of token misuse and unauthorized access in publishing scenarios.
[When this will happen:]
This change is rolling out now and is expected to reach 100% of Standard Release customers by early July 2025.
[How this affects your organization:]
With this update:
- Viva Amplify now limits how far in advance users can schedule publications—up to 30 days.
- If a user’s refresh token (PFT + POP) is expired or invalid, scheduled publishing will fail. In such cases, Viva Amplify will send a system-generated email prompting the user to reschedule via the app.
This change is part of a broader Microsoft 365 security initiative to move away from app-only access patterns (HPA) and toward constrained App+User models, reducing the risk of impersonation and data misuse.
[What you can do to prepare:]
No admin action is required. However, we recommend reviewing and updating any internal documentation or help content that references Viva Amplify’s scheduling or authentication behavior to reflect this change.
[Compliance considerations:]
- Alters how existing customer data is processed, stored, or accessed: Yes - The shift from App tokens to user PFTs changes how access to customer content is granted and validated, moving from app-only to App+User models.