@svermaak_MGL unfortunately my MS Support case spiraled, went nowhere and was closed with this guidance:

"As I have got the answer from my resources and we request you please use the following command ‘Connect-ExchangeOnline’ for future as both are global commands and nothing can we change. I am apologize for this.. 

We have a new preview version of the ExchangeOnlineManagement module that support the legacy Get-Mailbox without need for Basic Authentication through ‘Connect-ExchangeOnline’.

Please follow the link for more information.

Exchange Online PowerShell v2 Module Preview – Now More Secure - Microsoft Tech Community

Please let me know if you have further questions/any update on this."

I did respond and said that Connect-ExchangeOnline is not an alternative to nor a replacement for Connect-IPPSSession and mentioned that it was the EXO Cmdlets preview feedback email team who advised for MS Support cases to be opened to request the feature, and that clearly this case did not get received well.

For now, giving up, moving, using Basic Authentication against Connect-IPPSSession until whenever it's possible to not do this.

@Jeremy Bradshaw, yeah, mine went back am forth too but I managed to get a workaround without the ticket. Just before you get your hopes up, my issue was a bit different to yours and I managed to get it working with in Azure Function App

Connect-IPPSSession -Credential $RunAs -ConnectionUri "https://ps.compliance.protection.outlook.com/powershell-liveid/";
$sessions = Get-PSSession;
Import-Module (Import-PSSession $sessions[$sessions.Count - 1] -AllowClobber) -Global
$retentionPolicy = Get-RetentionCompliancePolicy -Identity $retensionPolicyName -DistributionDetail;

What also helped me was I added this to the ExchangeOnlineManagement.psm1 file, around line 611

process {
        try {
            $EOPConnectionInProgress = $true
            if ($isCloudShell -eq $false) {
                Write-Host "Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -UserPrincipalName $UserPrincipalName.Value -PSSessionOption $PSSessionOption -Credential $Credential.Value -BypassMailboxAnchoring:$BypassMailboxAnchoring -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true"
                Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -UserPrincipalName $UserPrincipalName.Value -PSSessionOption $PSSessionOption -Credential $Credential.Value -BypassMailboxAnchoring:$BypassMailboxAnchoring -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true
            } else {
                Write-Host "Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -PSSessionOption $PSSessionOption -BypassMailboxAnchoring:$BypassMailboxAnchoring -Device:$Device.Value -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true;"
                Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -PSSessionOption $PSSessionOption -BypassMailboxAnchoring:$BypassMailboxAnchoring -Device:$Device.Value -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true
            }
        } finally {
            $EOPConnectionInProgress = $false
        }
    }

This outputs the underlying command Connect-IPPSSession actually executes

@Jhosefer , @svermaak_MGL , @dgal73 , @Victor Ivanidze Hi all,

I forgot to share something that was provided to me by Chris D on GitHub (I think, but sort of forget) MS Support.  Right now, the Connect-IPPSSession which supports certificate based app-only authentication is only within the preview modules 2.0.6***.  If we want to accomplish the same thing, but using the current GA 2.0.5, we can use Connect-ExchangeOnline and simply supply the -ConnectionUri parameter with the URL to the SCC:

Connect-ExchangeOnline -AppId e3de3805-2f5a-43c7-8541-b448b50936f4 -Organization MyTenant.onmicrosoft.com -Certificate (Get-ChildItem cert:\CurrentUser\My\98556EEAC704460287C809AEDA9CD3A33A9CAA9B) -ConnectionUri 'https://ps.compliance.protection.outlook.com'

... and it works flawlessly!  I can't find this documented as supported, however, I do feel better using this approach in production scripts for clients, vs using the prerelease module versions.  Hope you find it helpful!

@Jhosefer I think the main reason it's not documented is that it's still up in the air as to what will be the path forward (i.e., this solution I've shared, vs keeping/updating Connect-IPPSSession alive as its own cmdlet vs demoting it to be just an alias of the Connect-ExchangeOnline cmdlet).  I'm definitely speculating here and do not have the internal answers but from my poking and prodding here and over on GitHub, it's my best guess.

In another GitHub issue, Chris also pointed out this same trick, while it works with the preview 2.0.6*** versions, since those versions default to non-RPS, we have to supply the -UseRPSSession switch.  So again, not quite ready to be documented while things are in between current GA and final target state.