![App-only certificate-based authentication now available in SharePoint Online Management Shell [MC1188595]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-bess-hamiti-83687-36487-1024x683.webp "App-only certificate-based authentication now available in SharePoint Online Management Shell [MC1188595] 1")
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available.
[How this affects your organization:]
Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.
What will happen:
- Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
- This enables seamless execution of unattended scripts, even when MFA is enforced.
- We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.
[What you can do to prepare:]
Follow these one-time steps to register your app and enable certificate-based authentication:
- Step 1: Register the application in Microsoft Entra ID.
- Step 2: Assign API permissions to the application:
- Tenant Admin APIs currently support App-Only access only if they have the
Sites.FullControlscope. - We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
- You can assign permissions by:
- Selecting and assigning API permissions from the portal.
- Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
- Learn more: Step 2: Assign API permissions to the application
- Tenant Admin APIs currently support App-Only access only if they have the
- Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
- Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
Source: Microsoft
Latest Posts
- Amazon GameLift Servers expands instance support with next-generation EC2 instance families
- (Updated) Microsoft 365 Copilot: Customize how managers are identified in Workforce Insights agent and Copilot responses [MC1260710]
- (Updated) Microsoft 365 Copilot: Create and view Outlook rules [MC1223821]
- (Updated) Microsoft 365 Copilot: Email triage with pin, flag, archive, and mark read [MC1193695]
![Updates available for Microsoft 365 Apps for Current Channel [MC1188610]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-steve-14003554-96x96.webp "Updates available for Microsoft 365 Apps for Current Channel [MC1188610] 6")
