App-only certificate-based authentication now available in SharePoint Online Management Shell
MC1188595 · build prod-20251231-200323
Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-11-21 00:14:52
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
SharePoint Online
Tags
Feature update, Admin impact
Master tags
Security
Roadmap IDs

One-line summary

SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication, enabling secure, unattended automation even with MFA enforced.


Details

Summary
SharePoint Online Management Shell now supports app-only certificate-based authentication, so unattended automation keeps working where MFA is enforced. Administrators register an app in Microsoft Entra ID, assign it API permissions, attach a certificate, and run scripts with the app identity instead of user credentials.

Body (from Message Center)

[Introduction]

We are pleased to announce that SharePoint Online Management Shell now supports App-Only Certificate-Based Authentication. This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.

[When this will happen:]

This feature is now generally available.

[How this affects your organization:]

Who is affected: SharePoint administrators and automation engineers using SharePoint Online Management Shell for scripting and automation.

What will happen:

  • Customers can now authenticate scripts using app identities registered in Microsoft Entra ID (formerly Azure AD), instead of user credentials.
  • This enables seamless execution of unattended scripts, even when MFA is enforced.
  • We expect most scenarios to work with App-Only authentication. However, there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials. Feel free to reach out to us if needed.

[What you can do to prepare:]

Follow these one-time steps to register your app and enable certificate-based authentication:

  1. Step 1: Register the application in Microsoft Entra ID.
  2. Step 2: Assign API permissions to the application:
    • Tenant Admin APIs currently support App-Only access only if they have the Sites.FullControl scope.
    • We are in the process of supporting more granular scopes for tenant APIs. For up-to-date information, refer to SharePoint Admin APIs Authentication and Authorization.
    • You can assign permissions by:
      • Selecting and assigning API permissions from the portal.
      • Modifying the app manifest to assign API permissions (required for Microsoft 365 GCC High and DoD organizations).
    • Learn more: Step 2: Assign API permissions to the application
  3. Step 3: Generate a self-signed certificate or obtain one from a certificate authority.
  4. Step 4: Attach the certificate to the Microsoft Entra application.

Once these steps are completed, update the Connect-SPOService line at the beginning of your scripts to use the app identity instead of user credentials. For examples, refer to examples 7, 8, and 9 in this article: Connect-SPOService (Microsoft.Online.SharePoint.PowerShell).
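The procedure above as a single PowerShell script, added here as an illustration; it is not code from the Message Center post or from Microsoft. The script covers step 3 (generating the certificate and exporting only its public part) and the per-run Connect-SPOService change; step 1 (app registration), step 2 (API permissions) and step 4 (uploading the .cer) are done in the Entra portal or app manifest and are not scripted. The tenant admin URL, client ID, tenant name and certificate subject are placeholders (assumptions), and the Connect-SPOService parameter names -ClientId, -Thumbprint and -Tenant are assumed from the cmdlet's app-only examples (7, 8 and 9 referenced above); confirm them against the current cmdlet reference before relying on them.

```powershell
<#
  Added example; not code from the Message Center post or from Microsoft.
  Covers step 3 (certificate) and the Connect-SPOService change; steps 1, 2
  and 4 are done in the Entra portal or app manifest.
  All values below are placeholders (assumptions), not real identifiers.
#>
[CmdletBinding()]
param(
    [ValidateSet('Setup', 'Run')]
    [string]$Mode = 'Run',
    # Thumbprint printed by -Mode Setup; required for -Mode Run
    [string]$Thumbprint
)

$TenantAdminUrl = 'https://contoso-admin.sharepoint.com'     # assumption
$ClientId       = '00000000-0000-0000-0000-000000000000'     # assumption: app (client) ID from step 1
$TenantName     = 'contoso.onmicrosoft.com'                  # assumption
$CertSubject    = 'CN=spo-mgmt-shell-automation'             # assumption

# Step 3: self-signed certificate with a non-exportable private key in the
# CurrentUser store of the account that will run the unattended job.
# Only the public part (.cer) leaves this host; it is uploaded in step 4.
function New-SpoAutomationCertificate {
    param([string]$Subject, [string]$CerPath, [int]$ValidYears = 1)
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears($ValidYears)
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
    return $cert
}

# Per run: look the certificate up by thumbprint, fail early on a missing
# private key or an expired certificate, then connect with the app identity.
# -ClientId / -Thumbprint / -Tenant are assumed from the cmdlet's app-only
# examples (7-9); confirm against the current Connect-SPOService reference.
function Connect-SpoAppOnly {
    param([string]$Url, [string]$AppId, [string]$Tenant, [string]$CertThumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$CertThumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $CertThumbprint has no private key in this store; run -Mode Setup as the job account."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $CertThumbprint expired on $($cert.NotAfter); rotate it (steps 3-4) before running."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $CertThumbprint expires on $($cert.NotAfter); schedule rotation."
    }
    Connect-SPOService -Url $Url -ClientId $AppId -Thumbprint $CertThumbprint -Tenant $Tenant
}

switch ($Mode) {
    'Setup' {
        $cerPath = Join-Path $env:TEMP 'spo-automation.cer'
        $cert = New-SpoAutomationCertificate -Subject $CertSubject -CerPath $cerPath
        Write-Host "Upload $cerPath to the Entra app (step 4), then run with -Mode Run -Thumbprint $($cert.Thumbprint)"
    }
    'Run' {
        if (-not $Thumbprint) { throw 'Pass -Thumbprint (printed by -Mode Setup).' }
        Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
        Connect-SpoAppOnly -Url $TenantAdminUrl -AppId $ClientId -Tenant $TenantName -CertThumbprint $Thumbprint
        try {
            # Smoke test on a tenant admin API (needs Sites.FullControl per the post).
            Get-SPOTenant | Select-Object SharingCapability, LegacyAuthProtocolsEnabled
        }
        finally {
            Disconnect-SPOService
        }
    }
}
```

Run `-Mode Setup` once as the account that will execute the scheduled job, upload the exported .cer to the app, then schedule `-Mode Run -Thumbprint <value>`. Two points a practitioner should keep in mind: the post says tenant admin APIs need the Sites.FullControl scope, so this app identity is effectively tenant-admin-equivalent, and the host, the job account and the private key (kept non-exportable in that account's store here) deserve the same protection as an admin credential; and the expiry checks make a rotation lapse fail at the first line of the job rather than somewhere in the middle of it.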

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.
