MC1188595 – (Updated) App-only certificate-based authentication now available in SharePoint Online Management Shell

check before: 2025-11-21

Product:

Entra, SharePoint

Platform:

Online, US Instances, World tenant

Status:

Change type:

Admin impact, Feature update, Updated message

Links:

Details:

Summary:
SharePoint Online Management Shell now supports app-only certificate-based authentication for secure, unattended automation, even with MFA enforced. Available from version 16.0.26712.12000, it uses app identities registered in Microsoft Entra ID. Administrators must register apps, assign permissions, generate certificates, and update scripts accordingly.

Details:
Updated January 8, 2026: We have updated the content. Thank you for your patience.
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available. The minimum version of SPO Management Shell required for this is 16.0.26712.12000.

Release Phase:

Created:
2025-11-21

updated:
2026-01-09

Direct effects for Operations**

Authentication Failure
Unattended scripts that sign in to Connect-SPOService with a user account break where MFA is enforced, because a scheduled job cannot answer an interactive MFA prompt. Administrators who do not move such scripts to app-only certificate-based authentication (SPO Management Shell 16.0.26712.12000 or later) should expect failed runs and disrupted automated processes.
   - roles: SharePoint Administrators, Automation Engineers
   - references: https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id, https://learn.microsoft.com/powershell/module/microsoft.online.sharepoint.powershell/connect-sposervice?view=sharepoint-ps

Increased Security Risks
Tenant admin APIs currently require the app-only Sites.FullControl.All permission, so the app registration and the private key of its certificate amount to a tenant-wide administrative credential that is not gated by user MFA. Over-broad or misconfigured permissions, unregistered or abandoned app registrations, or an exportable private key left on a shared host increase the risk of unauthorized access to the SharePoint environment.
   - roles: SharePoint Administrators, Security Officers
   - references: https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application, https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-3-generate-a-self-signed-certificate

explanation for non-techies**

SharePoint Online Management Shell has introduced a new way to authenticate scripts using app-only certificate-based authentication. This means that instead of using personal user credentials, scripts can now use app identities registered in Microsoft Entra ID (formerly known as Azure AD). This is particularly useful in environments where Multi-Factor Authentication (MFA) is required, as it allows for secure, unattended automation.

Think of this change like using a key card to access a building instead of needing to type in a password every time you enter. The key card (or in this case, the app identity) allows you to get in without needing to be physically present to type in your credentials. This makes it easier to run scripts automatically, without needing someone to manually log in each time.

To start using this new method, administrators need to register their application in Microsoft Entra ID, assign the necessary permissions, and generate a certificate. The certificate's private key is the key card itself: whoever holds it can sign in as the app, so it must be guarded like an administrator password. Once set up, scripts need to be updated to use this new method of authentication.

This change is designed to improve security and efficiency, allowing scripts to run smoothly even when MFA is enforced. However, there might be some rare cases where a specific API requires a user token for security reasons. In such situations, administrators may need to use traditional methods with user credentials.

Overall, this update is about making the process of running scripts more secure and efficient, much like upgrading from a password system to a key card system in a secure building.

** AI generated content. This information must be reviewed before use.

change history

2026-01-09 | MC prepare
old:
Follow these one-time steps to register your app and enable certificate-based authentication:
Step 1: Register the application in Microsoft Entra ID.
Step 2: Assign API permissions to the application:
Tenant Admin APIs currently support App-Only access only if they have the Sites.FullControl scope.
We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
You can assign permissions by:
   - Selecting and assigning API permissions from the portal.
   - Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
Learn more: Step 2: Assign API permissions to the application
Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer to examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-3-generate-a-self-signed-certificate
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-4-attach-the-certificate-to-the-microsoft-entra-application
https://learn.microsoft.com/powershell/module/microsoft.online.sharepoint.powershell/connect-sposervice?view=sharepoint-ps
new:
Follow these one-time steps to register your app and enable certificate-based authentication:
Step 1: Register the application in Microsoft Entra ID.
Step 2: Assign API permissions to the application:
Tenant Admin APIs allow App-Only permissions for SPO resources using the Sites.FullControl.All App-only scope.
We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
You can assign permissions by:
   - Selecting and assigning API permissions from the portal.
   - Assigning an admin role to the service principal is optional.
   - Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
Learn more: Step 2: Assign API permissions to the application
Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer to examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-3-generate-a-self-signed-certificate
https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-4-attach-the-certificate-to-the-microsoft-entra-application
https://learn.microsoft.com/powershell/module/microsoft.online.sharepoint.powershell/connect-sposervice?view=sharepoint-ps

2026-01-09 | MC Summary
old:
SharePoint Online Management Shell now supports app-only certificate-based authentication for secure, unattended automation with MFA. Administrators can register apps in Microsoft Entra ID, assign API permissions, and use certificates to run scripts without user credentials, enhancing security and compliance.
new:
SharePoint Online Management Shell now supports app-only certificate-based authentication for secure, unattended automation, even with MFA enforced. Available from version 16.0.26712.12000, it uses app identities registered in Microsoft Entra ID. Administrators must register apps, assign permissions, generate certificates, and update scripts accordingly.

2026-01-09 | MC Last Updated
old: 11/21/2025 01:14:52
new: 2026-01-08T18:15:00Z

2026-01-09 | MC Messages
old:
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available.
new:
Updated January 8, 2026: We have updated the content. Thank you for your patience.
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available. The minimum version of SPO Management Shell required for this is 16.0.26712.12000.

2026-01-09 | MC Title
old: App-only certificate-based authentication now available in SharePoint Online Management Shell
new: (Updated) App-only certificate-based authentication now available in SharePoint Online Management Shell

2026-01-09 | MC MessageTagNames
old: Feature update, Admin impact
new: Updated message, Feature update, Admin impact
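The preparation steps in the message (Step 3, generating the certificate; Step 4, attaching it to the app; then replacing the Connect-SPOService line) carried into one script, as an added example. This is not Microsoft's code and not part of the Message Center post. It assumes: SPO Management Shell 16.0.26712.12000 or later; an app registration that already exists and has been granted the app-only Sites.FullControl.All SharePoint permission with admin consent (Steps 1 and 2; the manifest edit for GCC High/DoD is not shown); the placeholder app ID, tenant and admin URL are replaced with yours; and that the Connect-SPOService parameters -ClientId, -Tenant and -CertificateThumbprint match examples 7, 8 and 9 of the cmdlet reference linked in the message, which you should confirm with Get-Help Connect-SPOService -Examples for your module version. The helper functions New-SpoAutomationCert and Connect-SpoAppOnly are names chosen here, not cmdlets of the module.

```powershell
# Added example, not Microsoft's code. See the lead-in for assumptions.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) ID from Step 1
$TenantDomain = 'contoso.onmicrosoft.com'                # placeholder: your tenant
$AdminUrl     = 'https://contoso-admin.sharepoint.com'   # placeholder: your SPO admin URL

# ---- One-time, on the host that will run the job (Step 3) ----
function New-SpoAutomationCert {
    param([string] $Subject = 'CN=spo-automation', [int] $ValidMonths = 12)
    # RSA-2048, SHA-256, in the machine store, NonExportable: the private key
    # never leaves this host, so a copied script or a leaked .cer cannot be
    # used elsewhere to sign in as the app. Requires an elevated session.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddMonths($ValidMonths)
    # Public part only (DER .cer). This is the file you upload in Step 4 under
    # the app registration's "Certificates & secrets"; it carries no secret.
    $cerPath = Join-Path $env:TEMP 'spo-automation.cer'
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
    Write-Host "Upload $cerPath to the app registration. Thumbprint: $($cert.Thumbprint)"
    return $cert.Thumbprint
}

# ---- In the job script, after the .cer has been attached (Step 4) ----
function Connect-SpoAppOnly {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Fail before touching the network if the key is not where we expect.
    $c = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $c.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host." }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires $($c.NotAfter); rotate it before the job breaks."
    }
    # Replaces the former user-credential Connect-SPOService line (parameter
    # names assumed from examples 7-9 of the cmdlet reference).
    Connect-SPOService -Url $Url -ClientId $ClientId -Tenant $Tenant -CertificateThumbprint $Thumbprint
}

# Run once, then attach the exported .cer to the app in Entra:
#   $thumb = New-SpoAutomationCert -Subject 'CN=spo-automation-contoso'
# Afterwards, each unattended run does:
$thumb = 'PASTE-THUMBPRINT-FROM-THE-ONE-TIME-STEP'        # placeholder
Connect-SpoAppOnly -Url $AdminUrl -ClientId $AppId -Tenant $TenantDomain -Thumbprint $thumb

# Smoke test: a tenant-level read proves the app identity and its
# Sites.FullControl.All grant work with no user and no MFA prompt.
Get-SPOTenant | Select-Object SharingCapability, LegacyAuthProtocolsEnabled

# Caveat from the message: a few APIs still require a user token. Wrap such
# calls so the job reports the gap instead of silently half-finishing.
try {
    Get-SPOSite -Limit 5 | Select-Object Url, Owner   # replace with the cmdlet you need
} catch {
    Write-Error ("Cmdlet failed under the app identity: $($_.Exception.Message). " +
                 "If this API needs a user token, run this step with an MFA-capable user account instead.")
}
```

Design note: the private key is created NonExportable in the machine store rather than written to a .pfx, so backup and rotation are done by issuing a new certificate, uploading its .cer and updating the thumbprint, never by copying key material. Because the app-only token carries Sites.FullControl.All across the tenant, restrict who can log on to the automation host and audit sign-ins for the app's service principal as you would for a Global/SharePoint Administrator account.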
