(Updated) Retirement of -Credential parameter when connecting to Exchange Online PowerShell

🚨 The Signal: Microsoft is removing the -Credential parameter from Exchange Online PowerShell cmdlets by December 2026. This mandates migration to modern authentication for scripts, enhancing security by enforcing MFA and deprecating legacy authentication methods.

The Impact

Microsoft 365 administrators and automation scripts using legacy credentials are at risk of operational disruption and reduced security posture if not updated.

  • Admins: PowerShell scripts will break if not updated.
  • Automation: Automated tasks will fail without modern auth.
  • Security Teams: Legacy auth removal improves overall posture.
  • Organisations: Risk of service disruption if not addressed.

The Action

  1. Identify all PowerShell scripts using -Credential for Exchange Online or Security & Compliance PowerShell.
  2. Update scripts to use Connect-ExchangeOnline with certificate-based authentication or managed identities.
  3. Implement Azure AD app registrations with appropriate permissions for script execution.
  4. Test updated scripts thoroughly in a non-production environment.
  5. Plan for full migration before December 2026 to avoid service disruption.

Domain: Exchange · Impact: high · Workload: Exchange Online · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907