Microsoft enforced the retirement of IDCRL (Identity Client Runtime Library) cookie-based authentication for SharePoint Online and OneDrive for Business on 1 May 2026. The change is permanent: IDCRL cannot be re-enabled by tenant administrators. Any script, tool, or integration that still relied on legacy cookie auth will have stopped working on that date.
Read on Microsoft Tech Community – Microsoft 365 Message Center: MC1184649
What is IDCRL?
IDCRL is a legacy identity library that allowed client applications to authenticate with SharePoint and OneDrive by exchanging a username and password for session cookies (FedAuth and rtFa). Older versions of the SharePoint Client Object Model (CSOM), PowerShell scripts using Get-Credential, and many first-generation migration tools relied on this method. Modern authentication replaced it with OAuth 2.0 tokens issued through Azure Active Directory (now Microsoft Entra ID), which provide conditional access support and a significantly stronger security posture.
What stopped working on 1 May 2026
- PowerShell scripts using older SharePointPnPPowerShellOnline with the -Credential parameter.
- Power BI dataset refreshes configured with SharePoint connector and stored username/password credentials.
- Power Automate flows using legacy SharePoint connections.
- Older migration tools and third-party applications calling the SharePoint REST or CSOM APIs with cookie auth.
- Custom .NET applications using SharePointOnlineCredentials from older CSOM NuGet packages.
Not affected: browser access, Microsoft 365 desktop apps (Word, Excel, Teams), modern PnP PowerShell using Connect-PnPOnline -Interactive or app registrations, and tools like ShareMaster that authenticate via modern OAuth flows.
How to find affected integrations
- Open the Microsoft Purview compliance portal and navigate to Audit.
- Search for the operation IDCRLSuccessSignIn over the last 30 to 60 days (or as far back as your audit log retention allows).
- Each result represents a legacy auth connection. Note the user account, application ID, and IP address, then track down the owner.
- Cross-reference against Power BI: open Power BI admin portal > Workspaces, inspect datasets, and look for SharePoint data sources with stored credentials.
- Review any scheduled Task Scheduler or Azure Automation runbook scripts that pass credentials to a SharePoint endpoint.
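One way to triage the audit search results from the steps above, as an added example that is not part of the original article: it groups IDCRLSuccessSignIn events by user account, application ID and IP address so that each distinct integration can be assigned an owner. It assumes the results were exported to CSV with the event JSON in an AuditData column and that the JSON fields are named Operation, UserId, ApplicationId, ClientIP and CreationTime; the sample records are constructed.

```python
import csv
import json
from collections import defaultdict
LEGACY_OPERATION = "IDCRLSuccessSignIn"  # operation name given in the article

def read_export(path):
    """Yield the AuditData cell of each row in an exported audit CSV (assumed column)."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        for row in csv.DictReader(fh):
            yield row.get("AuditData", "")

def summarize_legacy_signins(cells):
    """Group legacy sign-ins by (user, app ID, client IP); return (summary, skipped)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    skipped = 0
    for cell in cells:
        try:
            event = json.loads(cell)
        except (TypeError, ValueError):
            skipped += 1  # truncated or non-JSON cell: count it, never guess its content
            continue
        if not isinstance(event, dict) or event.get("Operation") != LEGACY_OPERATION:
            continue
        key = (event.get("UserId") or "(unknown)",
               event.get("ApplicationId") or "(none)",
               event.get("ClientIP") or "(unknown)")
        seen, g = event.get("CreationTime") or "", groups[key]
        g["count"] += 1
        g["first"] = seen if g["first"] is None else min(g["first"], seen)
        g["last"] = seen if g["last"] is None else max(g["last"], seen)
    summary = [{"user": u, "app_id": a, "ip": ip, **g} for (u, a, ip), g in groups.items()]
    return sorted(summary, key=lambda r: (-r["count"], r["user"])), skipped  # busiest first

def _cell(user, ip, when, app=None, op=LEGACY_OPERATION):
    """Build one constructed AuditData cell; the field names are assumptions."""
    return json.dumps({"Operation": op, "UserId": user, "ClientIP": ip,
                       "CreationTime": when, "ApplicationId": app})

APP = "00000000-0000-0000-0000-000000000001"  # placeholder application ID
SAMPLE = [  # constructed records, not from a real tenant
    _cell("svc-migrate@contoso.example", "203.0.113.10", "2026-04-09T01:00:00", APP),
    _cell("svc-migrate@contoso.example", "203.0.113.10", "2026-04-02T01:00:00", APP),
    _cell("bi-refresh@contoso.example", "198.51.100.7", "2026-04-03T06:30:00"),
    _cell("alice@contoso.example", "192.0.2.44", "2026-04-03T09:00:00", op="FileAccessed"),
    '{"Operation": "IDCRLSuccessSignIn", "UserId": "trunc',  # truncated cell
]

if __name__ == "__main__":
    print(*summarize_legacy_signins(SAMPLE)[0], sep="\n")
```

For a real export, pass read_export("path-to-export.csv") instead of SAMPLE; a non-zero skipped count means some rows were not analysed and the export should be re-checked.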
Migration path to modern authentication
The replacement authentication model is OAuth 2.0 / OpenID Connect via a Microsoft Entra ID app registration. The migration steps differ by tool:
- PnP PowerShell: update to PnP PowerShell v2 or later and use Connect-PnPOnline -ClientId <appId> -Tenant <domain> with a registered app and certificate or client secret.
- CSOM (.NET): replace SharePointOnlineCredentials with the PnP Core SDK, which handles OAuth token acquisition automatically and supports delegated and application permissions.
- Power BI: switch to the Organizational account connection type, or configure a service principal with delegated Sites.Read.All permissions in Entra ID.
- Power Automate: reconnect all SharePoint actions using the OAuth-based SharePoint connector and delete the old legacy connection from your tenant connections list.
- Third-party tools: consult your vendor's release notes for a version that supports app-based or delegated OAuth auth, and upgrade before scheduling new jobs.
Why this matters for migration projects
Migration consultants and MSPs who run periodic or scheduled migration jobs need to pay close attention. A job tested months ago with username/password credentials will now fail at authentication before a single file is copied. Reconnect every tool using a registered Entra ID application before starting any new migration run.
ShareMaster uses modern OAuth-based authentication for all SharePoint connections. Clone Master migration jobs and all other ShareMaster tools are unaffected by this retirement. If you need to migrate content from a tenant whose tooling is now broken, ShareMaster provides a reliable path forward.
Summary
IDCRL is permanently retired as of 1 May 2026, with no re-enable option. Audit your tenant connections using Purview, update affected scripts and tools to OAuth 2.0 / OpenID Connect, and treat the migration as a security upgrade rather than a compliance checkbox. Legacy cookie auth carried real credential exposure risks; modern auth with conditional access is the right foundation going forward.