Microsoft 365 Message Center item MC1248389
MC1248389 - (Updated) Retirement of -Credential parameter when connecting to Exchange Online PowerShell
Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods like MFA, app-only, or managed identity authentication to avoid disruption. This enhances security by eliminating legacy authentication.
- Message Center ID
- MC1248389
- Category
- plan For Change
- Severity
- normal
- Services
- Exchange Online
- Tags
- Updated message, Admin impact, Retirement
- Published
- 2026-03-10
- Last updated
- 2026-03-31
- Expires
- 2026-11-29
Updated March 25, 2026: We have updated the second bullet in 'What you can do to prepare'. Thank you for your patience. [Introduction] Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA). [When this will happen:] The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026. A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance. [How this affects your organization:] Who is affected: Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell Organizations with automation scripts that use the -Credential parameter What will happen: If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026. No impact if your organization does not use the -Credential parameter What you can do to prepare:If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario: Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.Automation outside Azure: Use app-only authentication (certificate-based). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.Review internal documentation and communicate changes to admins If you are not using the -Credential parameter, no action is required.Additional information This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later. A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect. We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.[Compliance considerations:] Compliance area Impact Conditional Access policies Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections.