(Updated) Retirement of -Credential parameter when connecting to Exchange Online PowerShell [MC1248389]

Message ID: MC1248389 (Updated)

Updated March 25, 2026: We have updated the second bullet in ‘What you can do to prepare’. Thank you for your patience. 

[Introduction]

Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).

[When this will happen:]

• The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
• A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.

[How this affects your organization:]

Who is affected:

• Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
• Organizations with automation scripts that use the -Credential parameter

What will happen:

• If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026.
• No impact if your organization does not use the -Credential parameter

What you can do to prepare:

• If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario:

• Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
• Automation outside Azure: Use app-only authentication (certificate-based). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
• Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
• Review internal documentation and communicate changes to admins

• If you are not using the -Credential parameter, no action is required.

Additional information

This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later.

A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.

We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.

[Compliance considerations:]

Compliance area	Impact
Conditional Access policies	Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections.

Source: Microsoft

<<< [MC1248389] Archive
Tooltip: View earlier revisions of this post

Latest Posts