Starting with the 28 March 2025 release of the SharePoint Online Management Shell, the IDCRL (Identity Client Run Time Library) authentication protocol will be replaced with OAuth, a modern authentication protocol.
IDCRL (Identity Client Run Time Library) is Microsoft’s proprietary authentication mechanism for accessing services like SharePoint Online and Office 365. However, it lacked flexibility, strong token security, and modern authentication features. It stored tokens locally, had limited access control, and was prone to security risks.
In contrast, OAuth 2.0 has become the industry standard for secure authentication and authorization. With short-lived access tokens, scoped permissions, multi-factor authentication (MFA) support, and Zero Trust alignment, OAuth provides a more secure and scalable solution. Its token-based model ensures better protection against credential theft and unauthorized access.
Source: ChatGPT
Timeline
The transition to OAuth will take effect with the updated SharePoint Online Management Shell on 28 March 2025.
IDCRL authentication in your SharePoint tenant
You are still using the old IDCRL authentication if your SharePoint Online PowerShell setup looks like the following:
- You have to use PowerShell 5.
- You are using Connect-SPOService without the parameter ModernAuth.
- You are using Connect-SPOService with the Credential parameter.
- The property LegacyAuthProtocolsEnabled is True in your SharePoint tenant.
In the documentation Microsoft notes that by default LegacyAuthProtocolsEnabled is still True.
LegacyAuthProtocolsEnabled
By default this value is set to $True, which means that authentication using legacy protocols is enabled. Setting this parameter to $False prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources.
- True – Enables Office clients using non-modern authentication protocols (such as, Forms-Based Authentication (FBA) or Identity Client Runtime Library (IDCRL)) to access SharePoint resources.
- False – Prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources.
This may also prevent third-party apps from accessing SharePoint Online resources.
Also, this will also block apps using the SharePointOnlineCredentials class to access SharePoint Online resources. For additional information about SharePointOnlineCredentials, see SharePointOnlineCredentials class.

IDCRL authentication shows up in the Entra ID non-interactive sign-in logs as client app “Other clients”.

How this change will affect your organization
In September 2022, Microsoft added a ModernAuth parameter to the Connect-SPOService documentation (see GitHub commit). The default value of this ModernAuth parameter is still False, so by default Connect-SPOService uses the IDCRL authentication method.

You have to add the ModernAuth parameter manually to use modern authentication (or with a personal SharePoint connection method).
# PowerShell 5 only
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService `
-Url "https://<Tenantname>-admin.sharepoint.com" `
-Credential <Credentials> `
-ModernAuth $true `
-AuthenticationUrl "https://login.microsoftonline.com/organizations"
The upcoming SharePoint Online PowerShell release will automatically authenticate requests using the Connect-SPOService cmdlet with the modern OAuth protocol. The ModernAuth parameter will be obsolete after the updated module is installed.
You should verify and test your PowerShell scripts after the update.
After the update a warning message informs admins that IDCRL has been replaced with OAuth.
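To decide which scripts to verify and test, the following added example (not part of the original post or of Microsoft's module) inventories Connect-SPOService calls that match the indicators listed above: no ModernAuth parameter, or use of the Credential parameter. The function name Find-LegacySpoConnect and the default folder in $ScriptRoot are assumptions for illustration.

```powershell
# Added example: inventory Connect-SPOService calls that may still rely on IDCRL.
# $ScriptRoot is an assumed path; point it at your own script repository.
param([string]$ScriptRoot = ".\scripts")

function Find-LegacySpoConnect {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null; $errors = $null
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $fullPath, [ref]$tokens, [ref]$errors)

    # The AST yields one CommandAst per call, even across backtick-continued lines.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -eq 'Connect-SPOService'
    }, $true)

    foreach ($call in $calls) {
        $elements = @($call.CommandElements)
        $modernAuth = $false; $usesCredential = $false
        for ($i = 0; $i -lt $elements.Count; $i++) {
            $e = $elements[$i]
            if ($e -isnot [System.Management.Automation.Language.CommandParameterAst]) { continue }
            if ($e.ParameterName -eq 'Credential') { $usesCredential = $true }
            if ($e.ParameterName -eq 'ModernAuth') {
                # The value is either attached (-ModernAuth:$true) or the next element.
                $value = if ($e.Argument) { $e.Argument }
                         elseif ($i + 1 -lt $elements.Count) { $elements[$i + 1] }
                $modernAuth = [bool]($value -and $value.Extent.Text -eq '$true')
            }
        }
        # Limitation: splatted (@params) and abbreviated parameter names are not resolved.
        [pscustomobject]@{
            File           = $fullPath
            Line           = $call.Extent.StartLineNumber
            ModernAuth     = $modernAuth
            UsesCredential = $usesCredential
            NeedsReview    = (-not $modernAuth) -or $usesCredential
        }
    }
}

Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1 -File |
    ForEach-Object { Find-LegacySpoConnect -Path $_.FullName } |
    Where-Object NeedsReview |
    Format-Table -AutoSize
```

In a session that is already connected to the tenant, `Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled` shows the tenant-side setting from the list above.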
