Review the update and plan any required actions before rollout.
Primary Audience
Why this score?
AT A GLANCE
END USERS
IT ADMINS
ROLLOUT TIMELINE
December 2026
📢 Official Microsoft Message Center Announcement
(Updated) Retirement of -Credential parameter when connecting to Exchange Online PowerShell
Message ID: MC1248389 (Updated)
Updated July 15, 2026: We have updated the timeline. Thank you for your patience.
[Introduction]
Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in December 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).
[When this will happen:]
- The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning end of year 2026 (previously July).
- A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.
[How this affects your organization:]
Who is affected:
- Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
- Organizations with automation scripts that use the -Credential parameter
What will happen:
- If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning December 2026.
- No impact if your organization does not use the -Credential parameter
What you can do to prepare:
- If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until December 2026. Choose the appropriate alternative based on your scenario:
- Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
- Automation outside Azure: Use app-only authentication (certificate-based). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
- Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
- Review internal documentation and communicate changes to admins
- If you are not using the -Credential parameter, no action is required.
Additional information
This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before December 2026. The -Credential parameter will only be removed when you upgrade to a module version released in December 2026 and later.
A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.
We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.
[Compliance considerations:]
| Compliance area | Impact |
| Conditional Access policies | Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections. |
Source: Microsoft Message Center • Analysed by MWPro
<<< [MC1248389] Archive
Tooltip: View earlier revisions of this post
Latest Posts
- Amazon CloudWatch Logs announces intelligent tiering for storage
- Amazon Cognito now supports importing users with password hashes

- MC1429012: Microsoft Teams Adds Call Lock and Delegate Join Notifications for Delegated Calling

- MC1429024: Dynamics 365 Customer Service Adds After-Conversation Work Presence for Representatives



