MC1248389: Retirement of -Credential parameter when connecting to Exchange Online PowerShell
Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods with MFA or app-only/managed identity authentication to avoid disruptions. This enhances security by eliminating le...
[Introduction]
Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).
[When this will happen:]
- The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
- A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.
[How this affects your organization:]
Who is affected:
- Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
- Organizations with automation scripts that use the -Credential parameter
What will happen:
- If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026.
- No impact if your organization does not use the -Credential parameter
What you can do to prepare:
- If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario:
- Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
- Automation outside Azure: Use app-only authentication (certificate-based or client secret). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
- Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
- Review internal documentation and communicate changes to admins
- If you are not using the -Credential parameter, no action is required.
Additional information
This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later.
A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.
We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.
[Compliance considerations:]
| Compliance area | Impact |
| Conditional Access policies | Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections. |