MC1248389 - Retirement of -Credential parameter when connecting to Exchange Online PowerShell

Introduction

Microsoft is retiring the -Credential parameter used when connecting to Exchange Online PowerShell. Starting with module versions released in July 2026 and later, the -Credential parameter will be removed from both Connect-ExchangeOnline and Connect-IppsSession cmdlets. Organizations using this parameter in automation scripts must migrate to a supported authentication method before that date. This change improves security by moving away from legacy authentication methods that do not support modern protections such as multifactor authentication (MFA).

When this will happen:

• The -Credential parameter will be removed from Connect-ExchangeOnline and Connect-IppsSession cmdlets in Exchange Online PowerShell module versions released beginning July 2026.
• A separate server-side retirement of the underlying authentication flow is planned for a later date and will be communicated in advance.

How this affects your organization:

Who is affected:

• Microsoft 365 administrators using Exchange Online or Security & Compliance PowerShell
• Organizations with automation scripts that use the -Credential parameter

What will happen:

• If your organization uses the -Credential parameter in PowerShell scripts or automation workflows connecting to Exchange Online or Security & Compliance PowerShell, those scripts will break when you update to an Exchange Online PowerShell module version released beginning July 2026.
• No impact if your organization does not use the -Credential parameter

What you can do to prepare:

• If you are using the -Credential parameter, begin migrating your scripts now. Do not wait until July 2026. Choose the appropriate alternative based on your scenario:

• Interactive admin access: Switch to modern authentication with MFA. Learn more: Connect to Exchange Online PowerShell.
• Automation outside Azure: Use app-only authentication (certificate-based or client secret). Learn more: App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell.
• Automation within Azure: Use managed identity authentication (no secrets required). Learn more: Use Azure managed identities to connect to Exchange Online PowerShell.
• Review internal documentation and communicate changes to admins

• If you are not using the -Credential parameter, no action is required.

Additional information

This change is currently client-side only and will not take effect automatically. Your existing scripts will continue to work if you continue using an Exchange Online PowerShell module version released before July 2026. The -Credential parameter will only be removed when you upgrade to a module version released in July 2026 and later.

A separate server-side retirement of the Credential parameter authentication flow is planned for a later date. When that occurs, the -Credential parameter will stop functioning even on older module versions. Microsoft will communicate that timeline separately and provide advance notice before any service-side changes take effect.

We strongly recommend migrating proactively rather than waiting, to avoid disruption when either change occurs. If you have questions or concerns, contact Microsoft Support or leave a comment on the Exchange Team Blog post.

Compliance considerations:

Compliance area	Impact
Conditional Access policies	Retiring the -Credential parameter removes use of the ROPC authentication flow and enables enforcement of Conditional Access and multifactor authentication for Exchange Online PowerShell connections.