Exchange Online PowerShell to Retire -Credential Parameter

Microsoft is phasing out legacy credential-based authentication in Exchange Online PowerShell.

Key Takeaways:

  • Microsoft will remove the -Credential parameter from Exchange Online PowerShell.
  • Legacy ROPC-based authentication won’t meet MFA or Conditional Access requirements.
  • Admins should switch to modern sign-in methods.

Microsoft is retiring the -Credential parameter in the Exchange Online PowerShell module, effective for all versions released after June 2026. This change marks a shift toward modern, more secure authentication methods for administrators.

In the Exchange Online PowerShell module, the -Credential parameter lets administrators pass a PSCredential object (username and password) to the Connect-ExchangeOnline cmdlet so the session can authenticate without an interactive sign-in. Previously, this relied on the Resource Owner Password Credentials (ROPC) OAuth flow, which treats the provided credentials as the sole factor and doesn’t satisfy multi‑factor authentication (MFA) or Conditional Access policies.

Exchange Online moves to enforce MFA-aligned authentication

Microsoft said the -Credential parameter will remain functional in currently available Exchange Online PowerShell modules until June 2026. After this date, any newly released module will exclude this parameter entirely.

“The -Credential parameter in Exchange Online PowerShell relies on ROPC, and therefore cannot meet MFA or Conditional Access requirements. To align with MFA enforcement, modern authentication principles, and Microsoft’s broader security standards, support for the -Credential parameter will be removed from new Exchange Online PowerShell versions released after June 2026,” the Exchange team explained.

What administrators need to know

According to Microsoft, this change aligns with its broader effort to enforce modern, secure authentication methods across all cloud services. MFA is becoming mandatory, and ROPC is no longer acceptable for secure access. The Microsoft Authentication Library (MSAL) has already deprecated ROPC starting with version 4.74.0, which further drives the need to retire the parameter.

Microsoft advises organizations to move to modern authentication methods, choosing the option that fits each workflow:

  • Administrators who sign in manually should use Interactive Sign‑In, which supports MFA and aligns with current security requirements.
  • Automation that runs outside Azure should adopt App‑Only Authentication, which allows secure, certificate‑ or secret‑based access without user interaction.
  • Azure‑hosted automation should use Managed Identity Authentication, which removes the need for stored credentials entirely and offers a more secure, cloud‑native approach.
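
To plan the migration, an inventory of scripts that still call Connect-ExchangeOnline with -Credential is the first step. The following is an added example, not code from Microsoft or the original article; the function name `Find-ExoCredentialUsage` and the sample script text are hypothetical and constructed for illustration.

```powershell
# Added example: find Connect-ExchangeOnline calls that still pass -Credential.
# Parses with the PowerShell AST, so comments and string literals are not matched.
function Find-ExoCredentialUsage {
    [CmdletBinding()]
    param(
        # Script text to inspect (for files, pass Get-Content -Raw output).
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = '<inline>'
    )

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation in the script, including nested script blocks.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        if ($cmd.GetCommandName() -ne 'Connect-ExchangeOnline') { continue }
        foreach ($element in $cmd.CommandElements) {
            if ($element -isnot [System.Management.Automation.Language.CommandParameterAst]) { continue }
            $name = $element.ParameterName
            # PowerShell accepts unambiguous prefixes such as -Cred; the two-character
            # minimum is an assumption made here to skip the ambiguous -C.
            if ($name.Length -ge 2 -and
                'Credential'.StartsWith($name, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Source = $Source
                    Line   = $element.Extent.StartLineNumber
                    Text   = $cmd.Extent.Text
                }
            }
        }
    }
}

# Constructed sample input, not taken from any real script.
$sample = @'
# Connect-ExchangeOnline -Credential $old   (comment, must not match)
$cred = Get-Credential
Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
connect-exchangeonline -Cred $cred
'@

Find-ExoCredentialUsage -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
```

Parameters supplied by splatting (`@params`) do not appear as parameter elements in the AST, so hashtables carrying a Credential key need a separate review.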