(Updated) App-only certificate-based authentication now available in SharePoint Online Management Shell
MC1188595
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2026-01-08 17:15:00
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI): 2026-01-09 00:00:00
Services: SharePoint Online
Tags: Updated message, Feature update, Admin impact
Master tags: Admin, Security
Roadmap IDs:

One-line summary

SharePoint Online Management Shell now supports app-only certificate-based authentication for secure, unattended automation, enabling MFA-compliant script execution via Entra app identities.

Details

Summary
SharePoint Online Management Shell now supports app-only certificate-based authentication for secure, unattended automation, even with MFA enforced. Available from version 16.0.26712.12000, it uses app identities registered in Microsoft Entra ID. Administrators must register apps, assign permissions, generate certificates, and update scripts accordingly.

Body (from Message Center)

Updated January 8, 2026: We have updated the content. Thank you for your patience.

[Introduction]

We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where, for example, Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.

[When this will happen:]

This feature is now generally available. The minimum version of SPO Management Shell required is 16.0.26712.12000.

[How this affects your organization:]

Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.

What will happen:

  • Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
  • This enables seamless execution of unattended scripts, even when MFA is enforced.
  • We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.

[What you can do to prepare:]

Follow these one-time steps to register your app and enable certificate-based authentication:

  1. Step 1: Register the application in Microsoft Entra ID.
  2. Step 2: Assign API permissions to the application:
    • Tenant Admin APIs allow App-Only permissions for SPO resources using the Sites.FullControl.All App-only scope.
    • We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
    • You can assign permissions by:
      • Selecting and assigning API permissions from the portal.
      • Assigning admin role to the service principal is optional.
      • Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
    • Learn more: Step 2: Assign API permissions to the application
  3. Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
  4. Step 4: Attach the certificate to the Microsoft Entra application.

Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer to examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
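
A pre-flight sketch for the version requirement and for steps 3 and 4, added here as an example and not taken from the Message Center post or Microsoft's documentation. The certificate subject, output path, one-year lifetime and CurrentUser store are assumptions; the Connect-SPOService change itself should follow examples 7, 8, and 9 in the referenced article.

```powershell
# Added example. Subject, path, lifetime and store location are assumptions.
$MinVersion = [version]'16.0.26712.12000'   # minimum version stated in the message
$ModuleName = 'Microsoft.Online.SharePoint.PowerShell'
$Subject    = 'CN=spo-automation-example'   # hypothetical certificate subject
$CerPath    = Join-Path $env:TEMP 'spo-automation-example.cer'   # hypothetical path

# 1. Confirm the installed Management Shell is new enough for app-only auth.
$module = Get-Module -ListAvailable -Name $ModuleName |
    Sort-Object Version -Descending |
    Select-Object -First 1
if (-not $module) {
    throw "$ModuleName is not installed."
}
if ($module.Version -lt $MinVersion) {
    throw "Installed version $($module.Version) is older than $MinVersion."
}

# 2. Step 3: create the key pair in the current user's certificate store.
#    The private key is marked non-exportable, so it cannot be exported to a
#    PFX through the certificate APIs and stays on the automation host.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 3. Step 4 input: export only the public certificate. This .cer file is what
#    gets attached to the Entra application; the private key never leaves.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 4. Emit the values worth recording in a credential inventory, including the
#    expiry date so rotation can be scheduled before scripts start failing.
[pscustomobject]@{
    ModuleVersion  = $module.Version
    Thumbprint     = $cert.Thumbprint
    NotAfter       = $cert.NotAfter
    HasPrivateKey  = $cert.HasPrivateKey
    PublicCertFile = $CerPath
}
```

Because the key lives in the CurrentUser store, run this as the same account that will execute the unattended scripts.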

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.
