Microsoft will start deprecating the IDCRL cookie at the end of January 2026. As a result, Other User authentication will no longer work when connecting to Microsoft 365 in ShareGate Migrate.
To help you avoid disruptions, this article explains Microsoft's timeline and how you can extend the IDCRL cookie until May to start testing alternative connection methods, such as the newly released modern authentication (unavailable for Copy mailboxes and Copy from Gmail for the moment), and to understand the differences between these connection methods.
What’s changing
Microsoft’s timeline
January 31, 2026
The IDCRL cookie is retired by default.
Tenant administrators can temporarily re-enable it using a PowerShell setting.
May 1, 2026
The IDCRL cookie is fully retired and cannot be used, even with tenant-level configuration.
ShareGate Migrate's timeline
Modern authentication was released on January 29, and Other User was renamed to Manual (on-premises only), as this authentication method remains available for on-premises SharePoint environments.
We will continue to add Modern authentication capabilities in ShareGate Migrate.
Recommendations
If you use the ShareGate Migrate UI
When Other user authentication is no longer available for your Microsoft 365 tenant:
Review the differences between Browser authentication and Modern authentication (read the Alternative authentication methods section below).
Choose the authentication method that best fits your security and operational requirements.
If you use PowerShell scripts or schedule your migrations in the UI
If your PowerShell scripts or scheduled migration rely on Other User authentication, we recommend that you:
Delay the IDCRL cookie deprecation in your tenant until May 1.
Continue using Other User authentication temporarily.
Use this time to test Modern authentication or Browser authentication (read the Alternative authentication methods section below).
Update your PowerShell scripts to use a supported authentication method, or start scheduling your migrations with the new authentication method that works best for you.
To update your PowerShell script, review the Connect-Site or Connect-Tenant article depending on which connection command you use in your script.
Tip: To avoid re-entering your credentials every time a new connection is made in a PowerShell loop with Browser authentication or Modern authentication with MFA enforced, you can connect only once and reuse that connection throughout your PowerShell script.
To learn how, see Avoid repeatedly entering your credentials with the browser connection method.
Delaying the deprecation gives you a controlled transition period and reduces the risk
of automation issues.
To delay the IDCRL deprecation:
Connect to SharePoint Online Management Shell.
Run the following commands:
Set-SPOTenant -AllowLegacyAuthProtocolsEnabledSetting $true
Set-SPOTenant -LegacyAuthProtocolsEnabled $true
Alternative authentication methods
Understanding the advantages and limitations of each authentication method will help you plan for the transition after the cutoff date.
Modern authentication
Advantages
The connection does not expire for at least 90 days.
You can pass a username and password directly in a PowerShell script if your tenant does not enforce multi-factor authentication (MFA).
It is a more secure and preferred method of authentication.
Disadvantage
Modern authentication has some copy limitations. For example, the top navigation in your pages and classic web parts will not be supported. To learn more, see Modern authentication copy limitations.
When calculating the size of a list or library, ShareGate Migrate does not get the data size of the structure and metadata with Modern authentication; it can only get the total size of all the documents within these elements. You still get the accurate total size of your sites, however.
Browser authentication
Advantages
It has fewer limitations, especially if you are migrating classic SharePoint site objects.
Disadvantages
It's less secure than using Modern authentication.
Browser authentication expires after only a few days, making this connection method less ideal for large, complex PowerShell migrations that take days.
It does not offer the possibility to pass a username and password directly in your PowerShell script.