Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)

Requirement: Connect to SharePoint Online from PowerShell using multi-factor authentication

PowerShell to Connect to SharePoint Online with MFA

Multi-factor authentication (MFA), or two-factor authentication, is often enabled in Office 365 environments as part of security hardening. On top of the usual user ID and password, it adds an extra step, such as an SMS code or a phone call, to complete the authentication process. However, once MFA is enabled for the account you use to connect to SharePoint Online from PowerShell, the connection fails! A few extra steps are needed before you can connect successfully. Here are the available options for connecting to a SharePoint Online site with an account that has multi-factor authentication enabled.

Create App Password and Connect with App Password

Visit https://aka.ms/createapppassword to create an App password for your MFA-enabled account(s), then connect to SharePoint Online with the App password. Here is the Connect-SPOService with MFA example:

#Admin Center URL of your SharePoint Online
$AdminSiteURL= "https://crescent-admin.sharepoint.com"
 
#Connect to SharePoint Online services
Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)

Make sure you enter your user name and the App password at the credential prompt. This method works for the SharePoint Online Management Shell, PnP PowerShell, and PowerShell CSOM scripts. If needed, you can hard-code the user name and App password in the script to avoid the credential prompt at run time:

#Variables for processing
$AdminCenterURL = "https://crescent-admin.sharepoint.com"

#User Name Password to connect 
$AdminUserName = "[email protected]"
$AdminPassword = "xbcvvdjzedpcqdjkek" #App Password

#Prepare the Credentials
$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminUserName, $SecurePassword
 
#Connect to SharePoint Online tenant
Connect-SPOService -url $AdminCenterURL -Credential $Cred

The App Password method is ideal for unattended or scheduled scripts in the Windows Task Scheduler!
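
One way to keep the App password out of the script file of a scheduled task, as an added example (not code from the original article): save the credential once with Export-Clixml, which on Windows encrypts the password with DPAPI for the current user and computer, and load it at run time. The file path and the function name Get-StoredSpoCredential are assumptions.

```powershell
#Added example: keep the App password out of the script source.
#Assumptions: $CredentialPath and Get-StoredSpoCredential are hypothetical names;
#run the one-time save as the same Windows account that runs the scheduled task.
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$CredentialPath = Join-Path $env:LOCALAPPDATA "SPO\AppPassword.clixml"

Function Get-StoredSpoCredential {
    param([Parameter(Mandatory)][string]$Path)

    If (-not (Test-Path -LiteralPath $Path)) {
        #First run only: prompt once for the user name and App password
        If (-not [Environment]::UserInteractive) {
            Throw "No stored credential at $Path. Run this script interactively once to create it."
        }
        $Folder = Split-Path -Path $Path -Parent
        If (-not (Test-Path -LiteralPath $Folder)) {
            New-Item -ItemType Directory -Path $Folder -Force | Out-Null
        }
        #Export-Clixml protects the SecureString with DPAPI (current user + this computer)
        Get-Credential -Message "User name and App password" | Export-Clixml -LiteralPath $Path
    }

    Try {
        $Cred = Import-Clixml -LiteralPath $Path
    }
    Catch {
        #Decryption fails if the file was created by another user or on another machine
        Throw "Cannot read $Path as this user: $($_.Exception.Message)"
    }
    If ($Cred -isnot [System.Management.Automation.PSCredential]) {
        Throw "$Path does not contain a PSCredential object."
    }
    Return $Cred
}

#Connect to SharePoint Online tenant with the stored credential
Connect-SPOService -Url $AdminCenterURL -Credential (Get-StoredSpoCredential -Path $CredentialPath)
```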

Connect SharePoint Online PowerShell with MFA (Multifactor Authentication) by Omitting “Credential” Parameter

To connect to SharePoint Online from the SharePoint Online Management Shell with an MFA-enabled account, simply remove the -Credential parameter from the “Connect-SPOService” cmdlet, because the Get-Credential cmdlet is not MFA aware!

Connect-SPOService -Url https://YourTenant-admin.sharepoint.com

Hit Enter, and you’ll get a popup (a PowerShell window, which is MFA aware). Enter the credentials and the code, as you do at the SharePoint login.

Once you are authenticated successfully, you can start using PowerShell cmdlets from the module in the PowerShell console or PowerShell ISE.

PnP PowerShell to Connect to SharePoint Online with MFA

To connect to SharePoint Online from the PnP PowerShell module using Connect-PnPOnline with MFA (multi-factor authentication), here are the options:

Option 1: Use the “-Interactive” switch if you want to connect to PnP Online with an account with Multi-factor authentication enabled. E.g.

#Site Variables
$SiteURL = "https://crescent.sharepoint.com"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive 

If you are not already connected to SharePoint Online, you’ll get a login prompt.

Option 2: Use the Client ID and Client Secret method to connect to SharePoint Online with MFA
Create an AppID and Password as per my article: Connect-PnPOnline with Client ID and Client Secret, then use the ClientId and ClientSecret credentials to connect to PnP.

#Site collection URL
$SiteURL = "https://crescent.sharepoint.com"
 
#Connect to SharePoint Online with AppId and AppSecret
Connect-PnPOnline -Url $SiteURL -ClientId "ca12s35f-7c48-4xbf-8238-760bc56bdeda" -ClientSecret "J8cFpsg/AS7KUL79fGX1ykbBVkd6q35030AamzAQO5gHj=" 

Once connected, you can start using PnP cmdlets for SharePoint Online. More on connecting to SharePoint Online through PnP PowerShell is here: How to Connect to SharePoint Online using PnP PowerShell?

Connect to CSOM PowerShell Script with MFA

To connect to SharePoint Online through CSOM PowerShell script with a Multi-factor authentication configured account, use this PowerShell:

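#Prerequisite: OfficeDevPnP.Core.dll and the SharePoint CSOM assemblies must already be
#loaded in the session (e.g. with Add-Type -Path); their location depends on your installation
$SiteURL = "https://crescent.sharepoint.com"

#Setup Authentication Manager
$AuthenticationManager = New-Object OfficeDevPnP.Core.AuthenticationManager

#Opens a web login window that handles the MFA challenge and returns a client context
$Ctx = $AuthenticationManager.GetWebLoginClientContext($SiteURL)
$Ctx.Load($Ctx.Web)
$Ctx.ExecuteQuery()

Write-Host $Ctx.Web.Title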

This method prompts for credentials and a two-factor authentication code!

Typical Errors when Multi-Factor Authentication (MFA) is Enabled:

If you try to connect to SharePoint Online with an MFA-enabled account, you’ll get these error messages:
“Connect-SPOService : The sign-in name or password does not match one in the Microsoft account system.
At line:5 char:1
+ Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService”

PnP Connection failed with the error on MFA enabled Account:
“Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system.
At line:6 char:1
+ Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline”

CSOM PowerShell Script with Two Factor Authentication:
“Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
At line:23 char:1
+ $Ctx.ExecuteQuery()
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdcrlException”

Last but not least: please note that, other than MFA, there could be other reasons for these errors, such as an incorrect username or password, a disabled or locked account, an expired password, conditional access policies, legacy authentication being disabled, etc.
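
One way for a script to tell the sign-in failure shown above apart from other errors and fall back to the MFA-aware prompt, as an added example (not code from the original article). The function name Connect-SPOWithFallback is hypothetical; the check relies on the IdcrlException identifier that appears in the FullyQualifiedErrorId of the error output above.

```powershell
#Added example: Connect-SPOWithFallback is a hypothetical helper name
Function Connect-SPOWithFallback {
    param(
        [Parameter(Mandatory)][string]$AdminSiteURL,
        [System.Management.Automation.PSCredential]$Credential
    )

    If ($Credential) {
        Try {
            #-ErrorAction Stop turns the failure into a catchable terminating error
            Connect-SPOService -Url $AdminSiteURL -Credential $Credential -ErrorAction Stop
            Return "Credential"
        }
        Catch {
            #Only handle the sign-in failure shown in the error output; rethrow anything else
            If ($_.FullyQualifiedErrorId -notlike "*IdcrlException*") { Throw }

            Write-Warning "Sign-in with user name and password was rejected for $($Credential.UserName)."
            Write-Warning "Possible causes: MFA enabled, wrong or expired password, disabled or locked account, conditional access, legacy authentication disabled."

            #An unattended run cannot answer an MFA prompt, so stop here
            If (-not [Environment]::UserInteractive) { Throw }
        }
    }

    #Without -Credential, the cmdlet opens the MFA-aware sign-in window
    Connect-SPOService -Url $AdminSiteURL -ErrorAction Stop
    Return "Interactive"
}

$Mode = Connect-SPOWithFallback -AdminSiteURL "https://crescent-admin.sharepoint.com" -Credential (Get-Credential)
Write-Host "Connected using: $Mode"
```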

How do I Install SharePoint Online PowerShell Module?

To install the PowerShell module for SharePoint Online, open PowerShell as Administrator and enter: “Install-Module Microsoft.Online.SharePoint.PowerShell”.
More info: Install SharePoint Online PowerShell Module

How does PnP PowerShell connect to SharePoint Online?

Install the new PnP PowerShell module using: “Install-Module PnP.PowerShell” and then you can connect to the SharePoint site using the “Connect-PnPOnline” cmdlet.
More info: PnP PowerShell to connect to SharePoint Online

What is the difference between PowerShell and PnP PowerShell?

The PnP PowerShell module is an open-source, community-provided library that sits on top of PowerShell and offers 500+ cmdlets to work with the Microsoft 365 environment.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

12 thoughts on “Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)”

  • Hi, I have followed all the above methods to log into SharePoint with MFA but nothing worked. Is there a way that I can get your help in identifying where the issue is, please???

  • Hi Salaudeen, I am trying to use the Create App Password and Connect with App Password method to connect using pnp powershell module but I am getting Connect-PnPOnline : AADSTS50126: Error validating credentials due to invalid username or password error. I am not sure what I am doing wrong

  • Restart PowerShell ISE.

  • Hi Sir,

    I am trying above code to connect to MFA enabled site. I am able to connect site but when I am trying to create List, I am getting below error:

    Cannot convert argument “parameters”, with value: “Microsoft.SharePoint.Client.ListCreationInformation”, for “Add” to type “Microsoft.SharePoint.Client.ListCreationInformation”: “Cannot convert the “Microsoft.SharePoint.Client.ListCreationInformation” value of type “Microsoft.SharePoint.Client.ListCreationInformation” to type “Microsoft.SharePoint.Client.ListCreationInformation”.”

  • Hi,
    I have tried above code to create List with MFA enabled account. But I am getting issue while creating List. Please help me on this;

    Code:

    try {
        $SiteURL = "https://portal/sites/site1"
        $ListTitle = "NewList"
        [System.Reflection.Assembly]::LoadFrom("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll")
        [System.Reflection.Assembly]::LoadFrom("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll")
        [System.Reflection.Assembly]::LoadFrom("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\Microsoft.IdentityModel.Clients.ActiveDirectory.dll")
        [System.Reflection.Assembly]::LoadFrom("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\OfficeDevPnP.Core.dll")
        $authManager = New-Object OfficeDevPnP.Core.AuthenticationManager;
        $Context = $authManager.GetWebLoginClientContext($SiteURL);

        $Lists = $Context.Web.Lists
        $Context.Load($Lists)
        $Context.ExecuteQuery()
        $ListInfo = New-Object Microsoft.SharePoint.Client.ListCreationInformation
        $ListInfo.Title = $ListTitle
        $ListInfo.TemplateType = "100"
        $List = $Context.Web.Lists.Add($ListInfo)
        $List.Description = "new list description"
        $List.Update()
        $Context.ExecuteQuery()
    } catch {
        Write-Host -ForegroundColor Red 'Error ', ':'
        $Error[0].ToString();
        sleep 10
    }

    Error:

    Cannot convert argument “parameters”, with value: “Microsoft.SharePoint.Client.ListCreationInformation”, for “Add” to type “Microsoft.SharePoint.Client.ListCreationInformation”: “Cannot convert the “Microsoft.SharePoint.Client.ListCreationInformation” value of type “Microsoft.SharePoint.Client.ListCreationInformation” to type “Microsoft.SharePoint.Client.ListCreationInformation”.”

    Please help me on this.

  • …there is a typo or the parameter names are new! Correct is now:

    Connect-PnPOnline -Url <> -ClientId <> -ClientSecret <>

  • Thanks Salaudeen. Your trick of creating an app password helped with connecting via CSOM in PowerShell. One issue I noticed is that with the App Password in place, the SharePoint Online Admin pages were not loading. The loading spinner was displayed all the time for all admin pages. A call with Microsoft showed an account conflict error. And after deleting the app password, the SPO Admin pages were loading fine. Just in case someone else faces the same issue.

  • Salaudeen, you are the man! I can’t thank you enough for all of your efforts with your blog. It has saved me so many times!

  • Once you’ve connected via Connect-SPOService, how do you use a context to build up a query?

    • The Connect-SPOService doesn’t get you the Context! You have to either use PnP or CSOM.

  • Why am I seeing the same issues that you have 🙂 Thank you so much Rajack for detailing each and every minute detail.
