Summary
Details
Updated January 8, 2026: We have updated the content. Thank you for your patience.
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available. Minimum version of SPO Management Shell required for this is 16.0.26712.12000
[How this affects your organization:]
Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.
What will happen:
- Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
- This enables seamless execution of unattended scripts, even when MFA is enforced.
- We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.
[What you can do to prepare:]
Follow these one-time steps to register your app and enable certificate-based authentication:
- Step 1: Register the application in Microsoft Entra ID.
- Step 2: Assign API permissions to the application:
- Tenant Admin APIs allow App-Only permissions for SPO resources using the
Sites.FullControl.AllApp-only scope. - We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
- You can assign permissions by:
- Selecting and assigning API permissions from the portal.
- Assigning admin role to the service principal in optional.
- Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
- Learn more: Step 2: Assign API permissions to the application
- Tenant Admin APIs allow App-Only permissions for SPO resources using the
- Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
- Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
Change History
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available.
[How this affects your organization:]
Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.
What will happen:
- Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
- This enables seamless execution of unattended scripts, even when MFA is enforced.
- We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.
[What you can do to prepare:]
Follow these one-time steps to register your app and enable certificate-based authentication:
- Step 1: Register the application in Microsoft Entra ID.
- Step 2: Assign API permissions to the application:
- Tenant Admin APIs currently support App-Only access only if they have the
Sites.FullControlscope. - We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
- You can assign permissions by:
- Selecting and assigning API permissions from the portal.
- Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
- Learn more: Step 2: Assign API permissions to the application
- Tenant Admin APIs currently support App-Only access only if they have the
- Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
- Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
Updated January 8, 2026: We have updated the content. Thank you for your patience.
[Introduction]
We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.
[When this will happen:]
This feature is now generally available. Minimum version of SPO Management Shell required for this is 16.0.26712.12000
[How this affects your organization:]
Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.
What will happen:
- Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
- This enables seamless execution of unattended scripts, even when MFA is enforced.
- We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.
[What you can do to prepare:]
Follow these one-time steps to register your app and enable certificate-based authentication:
- Step 1: Register the application in Microsoft Entra ID.
- Step 2: Assign API permissions to the application:
- Tenant Admin APIs allow App-Only permissions for SPO resources using the
Sites.FullControl.AllApp-only scope. - We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
- You can assign permissions by:
- Selecting and assigning API permissions from the portal.
- Assigning admin role to the service principal in optional.
- Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
- Learn more: Step 2: Assign API permissions to the application
- Tenant Admin APIs allow App-Only permissions for SPO resources using the
- Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
- Step 4: Attach the certificate to the Microsoft Entra application.
Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
Never Miss a Microsoft 365 Update
Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.