Services
Summary
Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods like MFA, app-only, or managed identity authentication to avoid disruption. This enhances security by eliminating legacy authentication.
Details
Updated March 25, 2026: We have updated the second bullet in 'What you can do to prepare'. Thank you for your patience.
Introduction
Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).
When this will happen:
- The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
- A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.
How this affects your organization:
Who is affected:
- Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
- Organizations with automation scripts that use the -Credential parameter
What will happen:
- If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026.
- No impact if your organization does not use the -Credential parameter
What you can do to prepare:
- If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario:
- Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
- Automation outside Azure: Use app-only authentication (certificate-based). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
- Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
- Review internal documentation and communicate changes to admins
- If you are not using the -Credential parameter, no action is required.
Additional information
This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later.
A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.
We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.
Compliance considerations:
| Compliance area | Impact |
| Conditional Access policies | Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections. |