SharePoint Online authorization issue ‘Token type is not allowed’


Thanks @atupal, we received the same response from Microsoft yesterday and confirm it is working like a charm after enabling the tenant-scoped property.

Recommend using Azure AD app-only model which is modern and more secure

Our application is a multi-tenant application registered in AAD, but given the current permission scopes for SharePoint like “All Site Collections”, how can this be safer?

@Amos_MSFT
What is the real “security concerns” behind this undocumented change by Microsoft?

Are there plans to provide “per site collection” level scopes to help tell a better story to the concerned InfoSec team at customers? Today we can only tell them to trust that the application doesn’t misuse the All Site Collections level scope and start harvesting information from e.g. OneDrive and other site collections on behalf of the user using the application.

It will not be a problem technically to change our application, but the resistance from customers will be high when they now have to accept “Read and Write for All site collections” just because we allow uploading files into e.g. a document library on the site collection with our app installed. But when it is disabled by default we now need to start the whole installation process by convincing the customer that it is OK to enable it, and for sure this is not gonna be easy – just remember when custom scripting was disabled by default for modern sites.

What are others thinking of this change, and are there any insights into the long-term plans from Microsoft on their permission scopes?