Blog Post

Exchange Team Blog
2 MIN READ

Deprecation of the -Credential Parameter in Exchange Online PowerShell

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Feb 12, 2026

As part of our continued commitment to strengthening security across Exchange Online, we want to inform our customers about an important change coming to the Exchange Online PowerShell module.

What’s changing and why

Microsoft is progressively moving all services toward more secure, modern authentication experiences. As part of this shift, multi-factor authentication (MFA) is being made a mandatory security requirement across Microsoft cloud services. Because the legacy Resource Owner Password Credentials (ROPC) authentication flow does not support MFA, it is on the path toward deprecation as Microsoft strengthens its security baselines. Additionally, the Microsoft Authentication Library (MSAL) that supports authentication across Microsoft services has deprecated ROPC starting with version 4.74.0.

The -Credential parameter in Exchange Online PowerShell relies on ROPC, and therefore cannot meet MFA or Conditional Access requirements. To align with MFA enforcement, modern authentication principles, and Microsoft’s broader security standards, support for the -Credential parameter will be removed from new Exchange Online PowerShell versions released after June 2026.

While our published timeline extends to June 2026, we strongly recommend that all customers transition away from the -Credential parameter as soon as possible and not wait until the deadline.

Alternatives for the -Credential parameter

Below is a list of supported alternatives for the -Credential parameter that you should adopt depending on their scenario:

Scenario / Use Case

Recommended Authentication Method

Description

Documentation

Admins connecting interactively

Interactive Sign‑In (Modern Auth + MFA)

Secure sign-in for human administrators; supports MFA and Conditional Access.

Connect to Exchange Online PowerShell | Microsoft Learn

Automation running outside Azure

App‑Only Authentication

Certificate‑based or secret‑based app registration for non‑interactive automation.

App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell | Microsoft Learn

Automation running in Azure services

Managed Identity Authentication

Ideal for Functions, Automation Accounts, and cloud-native tasks. Eliminates secrets entirely.

Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn

Timeline

  • Current state: the -Credential parameter continues to function today and will continue to function in all modules released till end of June 2026.
  • Recommended action (effective immediately): you should begin migrating away from the -Credential parameter use while connecting to Exchange Online using the Connect-ExchangeOnline cmdlet
  • After June 2026: new versions of the Exchange Online PowerShell modules released post 2026 will no longer include support for the -Credential parameter.

If you encounter any gaps or unsupported scenarios with the alternative authentication flows, please share them in the Comments section so we can prioritize addressing them in future updates.

Exchange Online Management Team

Published Feb 12, 2026
Version 1.0
administration
announcements
exchange online
protocols
scripting
security
tips 'n tricks
tools

2 Comments

  • VasilMichev's avatar
    VasilMichev
    MVP
    Feb 12, 2026

    So, just to clarify, is this a client-side change then? Will older versions of the module still work with -Credentials, or are you going to block ROPC service-side at some point?

    WRT to supported scenarios, there are few cmdlets that do not work with application context/MSI. What will be the alternative to manage those?

    Also, what about the SCC cmdlets/connectivity method?

    • Nino_Bilic's avatar
      Nino_Bilic
      Icon for Microsoft rankMicrosoft
      Feb 12, 2026

      I'll answer the first part of your question, Vasil (other parts someone else will). The changes made here are both client and service side:

      • Yes, PowerShell modules starting with the version specified will not have that parameter, and you could after that day still use the older PS version with the Credential parameter. So yes, this is a client-side change.
      • Also yes, there will be a service side change which will eventually break this no matter which client (PS version) you use on client side. And that change is the overall deprecation of ROPC flow. Once that goes, it's gone. Once that service change is made, no matter which version you have client side, the parameter will not work.