SharePoint Online Management Shell now supports app-only authentication

The SharePoint Online Management Shell now supports app-only authentication with a certificate. This update enables secure, unattended automation using app identities in Microsoft Entra ID, especially useful in environments enforcing Multi-Factor Authentication (MFA).

Timeline

App-only authentication in SharePoint Online Management Shell is already available.

How does this affect administrators?

Administrators and PowerShell scripts can now authenticate to SharePoint Online Management Shell with an app identity registered in Microsoft Entra ID instead of with user credentials.
Previously, admins had to rely on PnP PowerShell for unattended app-only authentication because the SharePoint Online Management Shell did not support it. With this update, unattended scripts run without an interactive sign-in, even when MFA is enforced.

Some findings from my tests:

  • App permissions

In the current release, app-based authentication only supports the application permission SharePoint – Sites.FullControl.All. Additional permissions should follow. Because this permission grants full control over every site collection in the tenant, treat the certificate's private key like a tenant-admin credential: keep it in a store the automation account alone can read, and do not export it with the script.

SharePoint – Sites.FullControl.All is supported

Microsoft Graph – Sites.FullControl.All and other permissions return a “(401) Unauthorized”.

Microsoft Graph – Sites.FullControl.All is not supported

  • Certificate location

Either the documentation for CertificateThumbprint is incorrect, or the command has a bug. The documentation states:

CertificateThumbprint
The thumbprint of the certificate in the current user’s certificate store.

If you run Connect-SPOService with the -CertificateThumbprint parameter and the certificate is in the current user's store, the command fails because it cannot find the specified thumbprint:

Connect-SPOService: No certificate was found matching the specified parameters. Check the thumbprint or path, and then try again.
Thumbprint is missing in the local machine store

The reason is that the command looks in the LocalMachine store rather than the CurrentUser store.
Either load the certificate manually and pass it with the -Certificate parameter, or move it to the LocalMachine store.

PowerShell
# Thumbprint of the app certificate in the current user's personal store (Cert:\CurrentUser\My)
$Thumbprint = "<YourCertThumbprint>"
# Load the X509Certificate2 object from the CurrentUser store ourselves, because -CertificateThumbprint only checks LocalMachine
$Cert = Get-ChildItem Cert:\CurrentUser\My\$Thumbprint
# Pass the certificate object instead of the thumbprint; -Tenant takes the tenant ID (or tenant domain)
Connect-SPOService -Url "https://<Tenantname>-admin.sharepoint.com" -ClientId "<AppID>" -Tenant "<TenantID>" -Certificate $Cert

Connect-SPOService with app-only authentication (PowerShell 5)

  • Error with PowerShell 7

The same command works in Windows PowerShell 5, but in PowerShell 7 it fails with "(400) Bad Request":

Connect-SPOService: The remote server returned an error: (400) Bad Request.
Error with PowerShell 7
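The following script is an added example, not code from the original post or from Microsoft. It wraps the certificate-location and PowerShell 7 findings above into one reusable connect routine: it resolves the thumbprint in CurrentUser\My first and LocalMachine\My second, refuses certificates without a private key or past their expiry, insists on Windows PowerShell 5, and then hands the certificate object to Connect-SPOService via -Certificate. The helper names (Get-AppCertificate, Connect-SPOAppOnly) and the angle-bracket placeholders are my own assumptions; the Connect-SPOService parameters are the ones used in the post.

```powershell
# Added example (not from the original post). Placeholders in <...> are assumptions;
# replace them with your tenant's values. Run from Windows PowerShell 5.1.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

function Get-AppCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # -CertificateThumbprint only searches LocalMachine, so resolve the thumbprint
    # ourselves and return the X509Certificate2 object for the -Certificate parameter.
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    foreach ($store in 'CurrentUser', 'LocalMachine') {
        $cert = Get-ChildItem -Path "Cert:\${store}\My" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert) {
            # App-only auth signs a client assertion, so the private key must be present.
            if (-not $cert.HasPrivateKey) {
                throw "Certificate $thumb in ${store}\My has no private key."
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                throw "Certificate $thumb expired on $($cert.NotAfter)."
            }
            Write-Verbose "Using certificate $thumb from Cert:\${store}\My"
            return $cert
        }
    }
    throw "No certificate with thumbprint $thumb found in CurrentUser\My or LocalMachine\My."
}

function Connect-SPOAppOnly {
    param(
        [Parameter(Mandatory)] [string] $TenantName,   # e.g. contoso -> contoso-admin.sharepoint.com
        [Parameter(Mandatory)] [string] $ClientId,     # Entra ID app registration (client) ID
        [Parameter(Mandatory)] [string] $TenantId,     # Entra ID tenant (directory) ID
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Finding from the post: app-only Connect-SPOService works in Windows PowerShell 5
    # but returns "(400) Bad Request" in PowerShell 7, so fail early with a clear message.
    if ($PSVersionTable.PSVersion.Major -ne 5) {
        throw "Run this from Windows PowerShell 5.1; app-only Connect-SPOService returned (400) Bad Request under PowerShell 7."
    }
    $cert = Get-AppCertificate -Thumbprint $Thumbprint
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com" `
                       -ClientId $ClientId -Tenant $TenantId -Certificate $cert
}

# Usage (placeholder values). With SharePoint - Sites.FullControl.All granted and admin-consented,
# the app can read and manage all site collections in the tenant.
Connect-SPOAppOnly -TenantName '<Tenantname>' -ClientId '<AppID>' -TenantId '<TenantID>' -Thumbprint '<YourCertThumbprint>' -Verbose
Get-SPOSite -Limit 5 | Select-Object Url, Owner
```

Run the script under the service account that owns the certificate; if the key lives in LocalMachine\My, that account needs read access to the private key (certlm.msc, Manage Private Keys), otherwise the connect fails even though the thumbprint is found.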


Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
