I have a provider-hosted SharePoint Add-in that authenticates via Azure ACS, using the process that is currently outlined in the Microsoft documentation. I am aware that for a new tenant, add-ins that are developed in this way will not work out of the box, but will require the tenant admin to set DisableCustomAppAuthentication to false before they can be used (more info here: https://docs.microsoft.com/en-us/answers/questions/90187/sharepoint-app-only-add-ins-throwing-401-unauthori.html).
I know that the recommended solution is to switch the auth over to Azure Active Directory. I have set up an Active Directory application for this; however, I am a little unclear about how to incorporate this into the add-in. The SharePoint Add-in documentation has not been updated to highlight what config changes are required for the user to give permission to the new Azure application during the install. I am also unsure whether all add-ins should now be high-trust, as the recommended auth in Azure AD is certificate-based. The documentation states that high-trust should be reserved for on-premises add-ins, with low-trust still being recommended for provider-hosted add-ins.
Has anyone gone through this process before? Is switching to Azure Active Directory the best solution? How does one incorporate this into the add-in? Any advice would be greatly appreciated.

