check before: 2026-07-01
Product:
Entra, Exchange, Microsoft 365 Apps
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message
Links:
Details:
Summary:
Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods like MFA, app-only, or managed identity authentication to avoid disruption. This enhances security by eliminating legacy authentication.
Details:
Updated March 25, 2026: We have updated the second bullet in 'What you can do to prepare'. Thank you for your patience.
[Introduction]
Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).
[When this will happen:]
The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2026-03-17
updated:
2026-04-01
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Script Breakage
Automation scripts using the -Credential parameter will fail after the retirement, leading to potential disruptions in scheduled tasks and processes.
- roles: Microsoft 365 Administrators, IT Support Staff
- references: https://learn.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps, https://techcommunity.microsoft.com/blog/exchange/deprecation-of-the--credential-parameter-in-exchange-online-powershell/4494584
Increased Security Risks
Without migration to modern authentication, organizations may inadvertently expose themselves to security vulnerabilities due to reliance on legacy authentication methods.
- roles: Security Administrators, Compliance Officers
- references: https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps, https://learn.microsoft.com/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps
" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps
User Experience Disruption
Users relying on automated scripts for daily tasks may experience delays or failures in operations, impacting productivity and user satisfaction.
- roles: End Users, Business Analysts
- references: https://learn.microsoft.com/powershell/module/exchangepowershell/connect-exchangeonline?view=exchange-ps, https://learn.microsoft.com/powershell/module/exchangepowershell/connect-ippssession?view=exchange-ps
Compliance Issues
Retirement of the -Credential parameter may lead to non-compliance with Conditional Access policies if organizations do not adapt their authentication methods accordingly.
- roles: Compliance Officers, IT Security Managers
- references: https://learn.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps, https://techcommunity.microsoft.com/blog/exchange/deprecation-of-the--credential-parameter-in-exchange-online-powershell/4494584
Increased Support Requests
The change may lead to a surge in support requests from users facing issues with broken scripts, straining IT support resources.
- roles: IT Support Staff, Help Desk Technicians
- references: https://learn.microsoft.com/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps, https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
Configutation Options**
XXXXXXX ... paid membership only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2026-04-01 | MC Messages | [Introduction]
Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA). [When this will happen:] The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026. A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance. | Updated March 25, 2026: We have updated the second bullet in 'What you can do to prepare'. Thank you for your patience.
[Introduction] Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA). [When this will happen:] The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026. A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance. |
| 2026-04-01 | MC Last Updated | 03/25/2026 17:14:37 | 2026-03-31T20:04:06Z |
| 2026-03-26 | MC Last Updated | 03/10/2026 23:47:01 | 2026-03-25T17:14:37Z |
| 2026-03-26 | MC Title | Retirement of -Credential parameter when connecting to Exchange Online PowerShell | (Updated) Retirement of -Credential parameter when connecting to Exchange Online PowerShell |
| 2026-03-26 | MC How Affect | Who is affected:
Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell Organizations with automation scripts that use the -Credential parameter What will happen: If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026. No impact if your organization does not use the -Credential parameter What you can do to prepare: If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario: Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell. Automation outside Azure: Use app-only authentication (certificate-based or client secret). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell. Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell. Review internal documentation and communicate changes to admins If you are not using the -Credential parameter, no action is required. Additional information This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later. A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect. We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post. [Compliance considerations:] Compliance areaImpact Conditional Access policiesRetiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections. | Who is affected:
Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell Organizations with automation scripts that use the -Credential parameter What will happen: If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026. No impact if your organization does not use the -Credential parameter What you can do to prepare: If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario: Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell. Automation outside Azure: Use app-only authentication (certificate-based). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell. Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell. Review internal documentation and communicate changes to admins If you are not using the -Credential parameter, no action is required. Additional information This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later. A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect. We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post. [Compliance considerations:] Compliance areaImpact Conditional Access policiesRetiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections. |
| 2026-03-26 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
| 2026-03-26 | MC Summary | Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods with MFA or app-only/managed identity authentication to avoid disruptions. This enhances security by eliminating legacy authentication. | Microsoft will retire the -Credential parameter in Exchange Online PowerShell cmdlets starting July 2026, requiring organizations to migrate scripts to modern authentication methods like MFA, app-only, or managed identity authentication to avoid disruption. This enhances security by eliminating legacy authentication. |
Last updated 2 weeks ago ago
