Ever kicked off a SharePoint script at night, only to wake up and find it failed because the account requires MFA? 😅 It’s a familiar headache for anyone who relies on unattended scripts to collect SharePoint Online data.
But you don’t have to deal with that anymore! Microsoft has now made app-only certificate-based authentication in the SharePoint Online Management Shell generally available. This allows you to run SPO scripts unattended without user credentials or MFA getting in the way.
In this blog, let’s explore certificate-based authentication in SPO Management Shell, its benefits for automating SharePoint tasks, and how to use it.
Why Certificate-Based Authentication in the SharePoint Online Module Is a Real Game-Changer
App-only certificate-based authentication lets your scripts connect to SharePoint Online non-interactively using an application (non-human identity) instead of signing in with a user account (human identity).
Here are some of the key benefits of certificate-based authentication in SPO management shell:
Compatibility: The PnP PowerShell module requires PowerShell 7 for modern authentication, whereas the SharePoint Online Management Shell runs on Windows PowerShell 5.1, so existing Windows job hosts and scheduled tasks can use it without installing a new runtime.
Enhanced Security: A certificate replaces the username and password, so there is no password to phish, reuse, or leak from a script. Keep in mind that the private key now is the credential: keep it non-exportable, in the certificate store of the account that runs the job, and never in the script itself or a shared folder.
Credential Lifetime: Certificates usually live longer than passwords, so your automation runs without frequent credential updates. Still choose an expiry you will honour (one or two years is typical) and record the date, because an expired certificate stops a scheduled job just as surely as an MFA prompt does.
Automation: Certificates support non-interactive authentication, so your scripts can run unattended without manual input. This makes it ideal for scheduled reports or recurring automated tasks.
Connect to SharePoint Online with App Only Certificate-Based Authentication
To use certificate-based authentication in SharePoint Online module, follow the steps below.
1. Register the App and Assign SharePoint Permissions
Start by creating a new app registration in the Microsoft Entra admin center. After the app is created, assign the required SharePoint API permissions.
You can add these permissions in two ways:
- By granting API Permissions – After selecting your app, assign the required SharePoint permissions from the API permissions section.
- By editing the app manifest – This method is required for Microsoft 365 GCC High and DoD tenants. In such cases, some permissions must be added manually because they aren’t available through the standard interface.
Note: Tenant Admin APIs currently support app-only access only when the app is granted the SharePoint Sites.FullControl.All application permission, which needs admin consent.
To set up app-only access for SharePoint Online through an Entra application, you'll also need a certificate, either self-signed or issued by a certificate authority (CA). Upload its public key (the .cer file) to the app registration under Certificates & secrets; the private key stays on the machine that runs the scripts.
2. Connect to SPO Non-Interactively
To run your scripts unattended, follow these steps to set up app-only certificate-based authentication in the SharePoint Online Management Shell.
First, check which version of the SharePoint Online module is installed and make sure it is current, since app-only certificate support requires a recent build:

```powershell
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version
```
Then, run the following to connect to SharePoint Online, replacing the placeholders with your certificate thumbprint, tenant name, app (client) ID and directory (tenant) ID, as shown in the image below:

```powershell
$thumbprint = "<CertificateThumbprint>"
$cert = Get-ChildItem Cert:\CurrentUser\My\$thumbprint
Connect-SPOService -Url "https://<TenantName>-admin.sharepoint.com" -ClientId "<AppId>" -Tenant "<TenantId>" -Certificate $cert
```

⚠️Important: If you pass the thumbprint with the -CertificateThumbprint parameter of Connect-SPOService instead of passing the certificate object, you may encounter an error like the one below.

This happens because the cmdlet looks the thumbprint up in the LocalMachine certificate store, not in the CurrentUser store where a certificate created under your own account normally lands.
To fix this, you can either:
- Load the certificate from the store yourself and pass it with the -Certificate parameter, as in the snippet above, or
- Move the certificate to the LocalMachine store so the cmdlet can find it. If you do, restrict who can read the private key, since every account on that machine that can read it can act as the app.
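The two steps above put together as one script that a scheduled task could run unattended. This is an added example, not code from the original post: it assumes a tenant prefix of `contoso`, placeholder values for the app (client) ID and directory (tenant) ID, an app registration that already holds the Sites.FullControl.All application permission with admin consent, and that the `.cer` it exports has been uploaded to that registration. The function names `New-SpoAppCertificate` and `Connect-SpoWithCertificate` are hypothetical helpers written for this example; the cmdlets they call are the real ones from Windows PowerShell 5.1 and the SharePoint Online Management Shell.

```powershell
#Requires -Version 5.1
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example; values below are assumptions/placeholders, replace them with your own.

$TenantName = 'contoso'                                 # assumption: tenant prefix
$ClientId   = '00000000-0000-0000-0000-000000000000'    # placeholder: app (client) ID
$TenantId   = '11111111-1111-1111-1111-111111111111'    # placeholder: directory (tenant) ID
$AdminUrl   = "https://$TenantName-admin.sharepoint.com"

# One-time setup, run as the account that will execute the scheduled task.
# The private key is the credential, so it is created non-exportable and only the
# public half is written to disk for upload to the app registration.
function New-SpoAppCertificate {
    param(
        [string]$Subject       = "CN=SPO-Automation-$TenantName",
        [int]   $ValidYears    = 1,
        [string]$PublicKeyPath = "$env:TEMP\SPO-Automation.cer"
    )
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable `
        -KeySpec Signature `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears($ValidYears)

    # Export-Certificate writes only the public key (.cer); never export a .pfx for this use.
    Export-Certificate -Cert $cert -FilePath $PublicKeyPath | Out-Null
    Write-Host "Thumbprint: $($cert.Thumbprint) (upload $PublicKeyPath under Certificates & secrets)"
    return $cert
}

# Every run: find the certificate by thumbprint and hand the object to -Certificate.
# -CertificateThumbprint alone only searches LocalMachine\My, which is the failure
# described in the post, so both stores are searched here and the object is passed.
function Connect-SpoWithCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1

    if (-not $cert) {
        throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; app-only auth cannot sign the token request."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); rotate it before the job breaks."
    }

    Connect-SPOService -Url $AdminUrl -ClientId $ClientId -Tenant $TenantId -Certificate $cert
    return $cert
}

# Unattended job: no prompt, no MFA. Run New-SpoAppCertificate once, upload the .cer,
# grant consent, then schedule the lines below with the thumbprint it printed.
# $cert = New-SpoAppCertificate
Connect-SpoWithCertificate -Thumbprint '<CertificateThumbprint>' | Out-Null
Get-SPOSite -Limit All |
    Select-Object Url, Owner, StorageUsageCurrent, LastContentModifiedDate |
    Export-Csv -Path "$env:TEMP\spo-sites.csv" -NoTypeInformation
Disconnect-SPOService
```

Because the key is non-exportable and lives in CurrentUser\My, the scheduled task must run as the same Windows account that created the certificate; if the job runs as a service account or as SYSTEM, create the certificate under that account (or in LocalMachine\My with a tight ACL on the private key) instead of moving a .pfx around.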
Final Thoughts:
With this update, running SharePoint automation becomes much smoother and fully hands-off. By switching your scripts to app-only, certificate-based authentication, you can avoid MFA interruptions and keep scheduled jobs running reliably.
Take a moment to review your existing SPO scripts and update any tasks that rely on interactive sign-in. Moving to certificate-based connections gives you a more secure, consistent, and maintenance-friendly automation setup going forward. If you have any questions or require additional help, please feel free to leave a comment below.