MC1248389: Retirement of -Credential parameter when connecting to Exchange Online PowerShell

Home » Update » MC1248389: Retirement of -Credential parameter when connecting to Exchange Online PowerShell

Table of Contents

Summary
History
Microsoft Message
Introduction
When this will happen
How this affects your organization
What you can do to prepare
Additional information
Compliance considerations

Summary

The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell, affecting automation scripts that use it.
Organizations must migrate to supported authentication methods before upgrading to module versions released after the removal.
Alternatives include switching to modern authentication with MFA, using app-only authentication for non-Azure automation, or managed identity authentication for Azure automation.
No action is needed for organizations not using the -Credential parameter.
This change enhances security by eliminating legacy authentication methods that do not support multi-factor authentication.

Admin Impact: High
User Impact: Low
Release Start: 01 Jul 2026
Release End: 01 Jul 2026
Services: Exchange
Category: Plan for change
Tags: Admin Action, Retirement

History

3/10/2026 Item Added to Message Center

Microsoft Message

Introduction

Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).

When this will happen

The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.

How this affects your organization

Who is affected:

Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
Organizations with automation scripts that use the -Credential parameter

What will happen:

If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026.
No impact if your organization does not use the -Credential parameter

What you can do to prepare

If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario:
- Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
- Automation outside Azure: Use app-only authentication (certificate-based or client secret). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
- Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
Review internal documentation and communicate changes to admins
If you are not using the -Credential parameter, no action is required.

Additional information

This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later.

A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.

We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.

Compliance considerations

Compliance are: Conditional Access policies

Impact: Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections.