M365 Archive
Back to latest version
You're viewing a historical snapshot from Nov 21, 2025. This is not the latest version.

Metadata at Nov 21, 2025

Message ID

MC1188595

View in Message Center

Published

Nov 21, 2025

Service

SharePoint Online

Tag

Feature update
Admin impact
View the latest version See what changed since this version

MC1188595 - App-only certificate-based authentication now available in SharePoint Online Management Shell

Message Center

What changed since this version

removed textadded text

Updated January 8, 2026: We have updated the content. Thank you for your patience.

Introduction

We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.

When this will happen:

This feature is now generally available. Minimum version of SPO Management Shell required for this is 16.0.26712.12000

How this affects your organization:

Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.

What will happen:

  • Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
  • This enables seamless execution of unattended scripts, even when MFA is enforced.
  • We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.

What you can do to prepare:

Follow these one-time steps to register your app and enable certificate-based authentication:

  1. Step 1: Register the application in Microsoft Entra ID.
  2. Step 2: Assign API permissions to the application:
    • Tenant Admin APIs currently supportallow App-Only access only if they havepermissions for SPO resources using the Sites.FullControlFullControl.All App-only scope.
    • We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
    • You can assign permissions by:
      • Selecting and assigning API permissions from the portal.
      • Assigning admin role to the service principal in optional.
      • Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
    • Learn more: Step 2: Assign API permissions to the application
  3. Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
  4. Step 4: Attach the certificate to the Microsoft Entra application.

Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Snapshot from Nov 21, 2025

Introduction

We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.

When this will happen:

This feature is now generally available.

How this affects your organization:

Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.

What will happen:

  • Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
  • This enables seamless execution of unattended scripts, even when MFA is enforced.
  • We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.

What you can do to prepare:

Follow these one-time steps to register your app and enable certificate-based authentication:

  1. Step 1: Register the application in Microsoft Entra ID.
  2. Step 2: Assign API permissions to the application:
    • Tenant Admin APIs currently support App-Only access only if they have the Sites.FullControl scope.
    • We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
    • You can assign permissions by:
      • Selecting and assigning API permissions from the portal.
      • Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
    • Learn more: Step 2: Assign API permissions to the application
  3. Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
  4. Step 4: Attach the certificate to the Microsoft Entra application.

Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.