App-Only Authentication for SharePoint Online PowerShell

Using App-Only Authentication with SharePoint Online PowerShell

I’ve often expressed concern about the lack of development effort Microsoft puts into the SharePoint Online management PowerShell module. Apart from updating important cmdlets like Set-SPOTenant or Set-SPOSite to add new settings for the tenant or sites, Microsoft hasn’t invested much effort to bring the module forward. For instance, although the module can be loaded into the latest version of PowerShell (I use V7.5.4) through the Windows PowerShell compatibility layer, SharePoint is still a Windows PowerShell module.

Then the welcome news from message center notification MC1188595 appeared on 21 November 2025 to announce that the SharePoint Online module now supports certificate-based authentication (CBA), or app-only authentication. No doubt pressure from Microsoft’s current security initiative prompted the move away from a dependency on user credentials. As Microsoft says:

“This update addresses the business need for secure, unattended automation in environments where (for example) Multi-Factor Authentication (MFA) is enforced. With this enhancement, customers can run automation scripts using app identities, ensuring compliance with security policies while maintaining operational efficiency.”

Graph APIs are Usually a Better Automation Option

I’m not sure that I have ever used the SharePoint Online module for unattended automation. In many situations, the Graph API is a much better choice, especially when using a managed identity with Azure Automation to run background jobs. The SharePoint developers recently added the ability to create new sites via a Create Site Graph API. It’s been possible to create sites used for Microsoft 365 groups and teams for several years, so the update fixes a gap for communication and other site types. The Graph APIs have an important advantage over the SharePoint PowerShell module in that the APIs can work with user data, like files stored in document libraries, SharePoint lists, and SharePoint pages, or even report usage information.

Microsoft added a SharePoint Admin API to the Graph in 2023 but hasn’t done anything with it since. Perhaps the feeling was that SharePoint administrative operations such as updating settings are largely once-off events that can be performed through the admin center.

Using App-Only Authentication

But now we have app-only authentication. Details of the required setup are available in Microsoft documentation, so I won’t repeat them here. Make sure to update Windows PowerShell with the latest version of the SharePoint Online module. I used version 16.0.2712.1200.

In terms of setting up the app, remember that the authority for access to SharePoint Online is the Office 365 SharePoint Online API rather than the Microsoft Graph. Make sure that you select the Sites.FullControl.All application permission from Office 365 SharePoint Online rather than the identically named Graph permission when you assign the permission to the app (Figure 1). Because this is an application permission, it needs tenant-wide admin consent, and it gives the app full control over every site in the tenant, so protect the app registration and its certificate as you would a SharePoint administrator credential.

Figure 1: Configuring permissions from Office 365 SharePoint Online for app-only authentication

After that, upload the public part of a self-signed X.509 certificate to the app registration and note the certificate thumbprint. The certificate, together with its private key, must be present in a certificate store on the machine that runs the script, because Connect-SPOService locates it by thumbprint alone. For the purposes of testing, I use the Import-Certificate cmdlet to import the certificate into the root store for my account.
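The app registration, permission grant and certificate described above can be scripted end to end with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post; it assumes Connect-MgGraph runs with the Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All scopes consented, and the app display name and subject are placeholders. It looks up the Sites.FullControl.All role on the SharePoint Online service principal rather than hard-coding its ID, and it keeps the private key in the Personal store (Cert:\CurrentUser\My), which is where a certificate with a private key belongs; a certificate with its private key should never go into the Root store, because that makes it a trusted certification authority for the account.

```powershell
# Added example (not from the original post): create the certificate and app registration
# for SharePoint Online app-only authentication with the Microsoft Graph PowerShell SDK.
# Assumes the signed-in account can consent to the scopes below; names are placeholders.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All' -NoWelcome

# 1. Create a self-signed certificate in the Personal store of the account that will run the automation.
#    The private key stays in this store and is marked non-exportable; only the public half is uploaded.
$Cert = New-SelfSignedCertificate -Subject 'CN=SPO App-Only Automation' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)
Write-Host ("Certificate thumbprint: {0}" -f $Cert.Thumbprint)

# 2. Find the Office 365 SharePoint Online service principal (well-known app ID 00000003-0000-0ff1-ce00-000000000000)
#    and its Sites.FullControl.All application role. This is the SharePoint permission, not the Graph one.
$SpoSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"
$Role  = $SpoSp.AppRoles | Where-Object { $_.Value -eq 'Sites.FullControl.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $Role) { throw 'Sites.FullControl.All application role not found on the SharePoint Online service principal' }

# 3. Register the app with that permission and the public part of the certificate as a key credential
$App = New-MgApplication -DisplayName 'SPO App-Only Automation' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $SpoSp.AppId
        ResourceAccess = @(@{ Id = $Role.Id; Type = 'Role' })
    }) `
    -KeyCredentials @(@{
        Type        = 'AsymmetricX509Cert'
        Usage       = 'Verify'
        Key         = $Cert.RawData      # DER-encoded public certificate; the private key never leaves the store
        DisplayName = 'SPO App-Only Automation'
    })

# 4. Create the service principal and grant tenant-wide admin consent for the application permission
$Sp = New-MgServicePrincipal -AppId $App.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -PrincipalId $Sp.Id `
    -ResourceId $SpoSp.Id -AppRoleId $Role.Id | Out-Null

# The three values Connect-SPOService needs later
[PSCustomObject]@{
    TenantId   = (Get-MgContext).TenantId
    AppId      = $App.AppId
    Thumbprint = $Cert.Thumbprint
}
```

Run this once on the host that will execute the automation so the non-exportable private key is generated where it is used. If the key must live elsewhere (for example, in a vault), create it there and upload only the .cer file; the app registration step is the same.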

With everything ready, I adapted my usual method to connect to SharePoint Online with PowerShell Core to use app-only authentication. The code uses the Microsoft Graph PowerShell SDK (after a Connect-MgGraph session is established) to find the tenant name, builds the SharePoint admin URL from it, and calls the Connect-SPOService cmdlet to connect using app-only authentication. The tenant ID, app (client) ID and certificate thumbprint are passed in the $TenantId, $AppId and $Thumbprint variables:

# Connect to SharePoint Online with app-only (certificate) authentication
# $TenantId, $AppId and $Thumbprint hold the tenant ID, app (client) ID and certificate thumbprint; Connect-MgGraph must already have run
# SharePoint derives the tenant name from the initial *.onmicrosoft.com domain, so use that rather than the default (vanity) domain
[array]$Domains = (Get-MgOrganization).VerifiedDomains
$InitialDomain = $Domains | Where-Object {$_.IsInitial -eq $true}
$SPOAdminRoot = ("https://{0}-admin.sharepoint.com" -f $InitialDomain.Name.Split('.')[0])
Write-Host "Connecting to SharePoint Online..."
# The module is Windows PowerShell only, so load it into PowerShell 7 through the compatibility layer
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell
Connect-SPOService -Url $SPOAdminRoot -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint

Once connected, the app-only session can run SharePoint Online cmdlets as if a SharePoint administrator had signed in interactively. Remember that the app holds full control over every site in the tenant, so the private key behind that thumbprint is an administrator credential in all but name. There’s not much more to say.
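The connection snippet above is the core of an unattended job, but a script that runs without a human watching it should also verify its own prerequisites and clean up after itself. The following is an added example of such a job, not code from the original post. It assumes Windows PowerShell 5.1 (add -UseWindowsPowerShell to Import-Module when running in PowerShell 7), that the certificate with its private key sits in Cert:\CurrentUser\My on the host, and that the tenant name, tenant ID, app ID and thumbprint are supplied as parameters (the parameter names are this example’s own). It checks that the certificate exists, has a private key and is not about to expire before it tries to connect, then runs a read-only audit of sites that allow anonymous sharing links and always disconnects, even if a cmdlet fails.

```powershell
# Added example (not from the original post): unattended SharePoint Online job using app-only authentication.
# Assumes Windows PowerShell 5.1 and a certificate with private key in Cert:\CurrentUser\My.
# Parameter names and the report path are this example's own choices.
param (
    [Parameter(Mandatory)][string]$TenantName,   # e.g. contoso for https://contoso-admin.sharepoint.com
    [Parameter(Mandatory)][string]$TenantId,     # Directory (tenant) ID
    [Parameter(Mandatory)][string]$AppId,        # Application (client) ID of the registered app
    [Parameter(Mandatory)][string]$Thumbprint    # Thumbprint of the certificate uploaded to the app
)

# Fail fast if the certificate is missing or unusable: Connect-SPOService is only given the thumbprint,
# so a public-only certificate (for example, one imported from a .cer file) cannot authenticate
$Cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $Cert -or -not $Cert.HasPrivateKey) {
    throw "Certificate $Thumbprint with a private key was not found in Cert:\CurrentUser\My"
}
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires on {1}; rotate it before the job starts failing" -f $Thumbprint, $Cert.NotAfter)
}

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
try {
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com" `
        -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint

    # Read-only audit: sites whose sharing capability permits anonymous (anyone) links
    $Report = Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
        Select-Object Url, Title, Owner, SharingCapability, LastContentModifiedDate

    $ReportPath = Join-Path -Path $env:TEMP -ChildPath 'SPOAnonymousSharingSites.csv'
    $Report | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host ("{0} sites allow anonymous sharing links; report written to {1}" -f @($Report).Count, $ReportPath)
}
finally {
    # Always tear the session down, whether the audit succeeded or a cmdlet threw
    Disconnect-SPOService -ErrorAction SilentlyContinue
}
```

The certificate check is the part worth keeping even if the audit changes: the most common reason an app-only job breaks is a certificate that expired or that was imported without its private key, and catching that before the connection attempt gives a clearer failure than the authentication error the cmdlet would otherwise return.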

A Step Forward

In the message center post, Microsoft notes that “there could be rare cases where an API needs an explicit user token for security reasons. In such cases, tenant admins should use interactive flows with admin/user credentials.” I guess that it’s hard to test every single cmdlet with every valid combination of parameters to find where those rare cases exist. Good luck!


Need help to write and manage PowerShell scripts for Microsoft 365, including Azure Automation runbooks? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
