(Updated) App-only certificate-based authentication now available in SharePoint Online Management Shell [MC1188595]

Message ID: MC1188595 (Updated)

Updated January 8, 2026: We have updated the content. Thank you for your patience.

[Introduction]

We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.

[When this will happen:]

This feature is now generally available. Minimum version of SPO Management Shell required for this is 16.0.26712.12000

[How this affects your organization:]

Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.

What will happen:

• Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
• This enables seamless execution of unattended scripts, even when MFA is enforced.
• We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.

[What you can do to prepare:]

Follow these one-time steps to register your app and enable certificate-based authentication:

1. Step 1: Register the application in Microsoft Entra ID.
2. Step 2: Assign API permissions to the application:
   • Tenant Admin APIs allow App-Only permissions for SPO resources using the Sites.FullControl.All App-only scope.
   • We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
   • You can assign permissions by:
     • Selecting and assigning API permissions from the portal.
     • Assigning admin role to the service principal in optional.
     • Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
   • Learn more: Step 2: Assign API permissions to the application
3. Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
4. Step 4: Attach the certificate to the Microsoft Entra application.

Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Source: Microsoft

<<< [MC1188595] Archive
Tooltip: View earlier revisions of this post

Latest Posts