Exchange Online PowerShell Drops -Credential Support as MFA Push Continues

Microsoft is deprecating the -Credential parameter in Exchange Online PowerShell, marking another step in its push toward stronger cloud security.

According to a report from Neowin, Microsoft is removing the parameter because it relies on the legacy Resource Owner Password Credentials (ROPC) authentication flow.

Why Microsoft Is Removing -Credential

The ROPC flow does not support multi-factor authentication (MFA). This directly conflicts with Microsoft’s broader enforcement of stricter security baselines across Microsoft 365 services.

Microsoft has already begun requiring Microsoft 365 administrators to enable MFA or risk losing access. Removing the -Credential parameter aligns with that policy and eliminates reliance on outdated authentication methods.

Support for -Credential will continue until June 2026. After that deadline, Microsoft will fully remove it from the Exchange Online PowerShell module.

Organizations that continue using the parameter beyond that date risk script failures, automation breakdowns, and administrative access issues.

Recommended Alternatives for Administrators

Microsoft advises administrators to stop using -Credential immediately when connecting with the Connect-ExchangeOnline cmdlet.

For interactive access, the company recommends Modern Authentication with MFA using standard interactive sign-in.

For automation scenarios outside Azure, App-Only Authentication with certificate-based or secret-based app registrations serves as the preferred replacement.

For automation inside Azure services such as Functions or Automation Accounts, Managed Identity authentication removes the need to store credentials or secrets altogether.

Part of a Broader Security Shift

The deprecation fits into Microsoft’s wider effort to retire legacy authentication protocols and enforce MFA across its cloud ecosystem.

In related news, Exchange Web Services (EWS) retirement will begin later this year, with EWS for Exchange Online scheduled to fully shut down in 2027. Administrators should begin migrating to supported APIs and authentication methods to avoid service disruptions.

Microsoft urges organizations to transition now to ensure uninterrupted scripts, workflows, and administrative processes in Exchange Online.