Requirement: Connect to SharePoint Online from PowerShell using multi-factor authentication.
PowerShell to Connect to SharePoint Online with MFA
Multi-factor authentication (MFA, also called two-factor authentication) is commonly enabled in Office 365 tenants as part of security hardening. On top of the usual user ID and password, it adds a second factor such as an SMS code or a phone call to complete sign-in. The catch: once MFA is enabled on the account you use to connect to SharePoint Online from PowerShell, the familiar username/password connection fails, because the credential prompt used by the -Credential parameter relies on legacy authentication and has no way to complete the second factor. Here is the list of available options for connecting to a SharePoint Online site with an account that has multi-factor authentication enabled.
Create App Password and Connect with App Password
Visit http://aka.ms/createapppassword to create an App Password for your MFA-enabled account(s), then connect to SharePoint Online using the App Password in place of the regular password. E.g.
```powershell
#Admin Center URL of your SharePoint Online
$AdminSiteURL = "https://crescent-admin.sharepoint.com"

#Connect to SharePoint Online services
Connect-SPOService -Url $AdminSiteURL -Credential (Get-Credential)
```
Make sure you enter your user name and the App Password (not your regular account password) at the credential prompt. This works the same way for the SharePoint Online Management Shell, PnP PowerShell and CSOM-based PowerShell scripts. If needed, you can hard-code the user name and App Password in the script to avoid the credentials prompt at run time, but understand what that means: an App Password is a static, single-factor credential that bypasses MFA, so anyone who can read the script can sign in as that account. Protect the script file accordingly:
```powershell
#Variables for processing
$AdminCenterURL = "https://crescent-admin.sharepoint.com"

#User name and App Password to connect
#(the App Password is a static single-factor secret: anyone who can read this file can sign in as the account)
$AdminUserName = "[email protected]"
$AdminPassword = "xbcvvdjzedpcqdjkek" #App Password

#Prepare the Credentials
$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminUserName, $SecurePassword

#Connect to SharePoint Online
Connect-SPOService -Url $AdminCenterURL -Credential $Cred
```
The App Password method suits unattended or scheduled scripts (for example, in Windows Task Scheduler) that must run under a user account, because the web-login options below need someone at the keyboard. Treat the App Password as being as sensitive as the account password itself: keep it out of the script where you can, store it in a form only the account running the task can read, and revoke it from the account's security settings when the script is retired.
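The following is an added example, not code from the original article. It shows the scheduled-task variant of the App Password method without leaving the App Password in clear text in the .ps1 file: the credential is saved once with Export-Clixml, which on Windows protects the SecureString with DPAPI so that only the same user on the same machine can decrypt it, and is then reloaded on each unattended run. The account name, admin center URL and file path are placeholder assumptions.

```powershell
# Added example (not from the original article): unattended Connect-SPOService
# with an App Password, without storing the App Password in clear text.
# Assumptions: the App Password was created at https://aka.ms/createapppassword
# for the account below; the account name, admin center URL and file path are
# placeholders to adjust for your tenant.

$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$AdminUserName  = "spadmin@crescent.onmicrosoft.com"
$CredentialFile = Join-Path $env:LOCALAPPDATA "spo-app-password.cred.xml"

# One-time setup. Run this interactively as the SAME Windows account that the
# scheduled task will run under: Export-Clixml protects the SecureString with
# DPAPI, so the file can only be decrypted by that user on that machine. Type the
# App Password, not the normal account password, at the prompt.
if (-not (Test-Path -Path $CredentialFile)) {
    Get-Credential -UserName $AdminUserName -Message "Enter the App Password for $AdminUserName" |
        Export-Clixml -Path $CredentialFile
}

# Unattended run: rebuild the PSCredential from the encrypted file
$Cred = Import-Clixml -Path $CredentialFile

try {
    Connect-SPOService -Url $AdminCenterURL -Credential $Cred -ErrorAction Stop

    # Sanity check that the connection works before doing real work
    Get-SPOSite -Limit 5 | Select-Object -Property Url, Owner
}
catch {
    # The "sign-in name or password does not match" text is returned for a revoked
    # or mistyped App Password, a disabled account or blocked legacy authentication
    # as well as for MFA, so record the full message instead of assuming MFA.
    Write-Error -Message "Connect-SPOService failed for $($AdminUserName): $($_.Exception.Message)"
    throw
}
```

Run the script once interactively as the task's service account to create the file, then register the same script in Task Scheduler under that account. If the task account or the machine changes, the file can no longer be decrypted and must be recreated; the same applies when the App Password is revoked and reissued.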
Connect SharePoint Online PowerShell with MFA (Multifactor Authentication) by Omitting -Credential Parameter
To connect to SharePoint Online from the SharePoint Online Management Shell with an MFA-enabled account, simply omit the -Credential parameter from the Connect-SPOService cmdlet:
```powershell
Connect-SPOService -Url https://YourTenant-admin.sharepoint.com
```
Hit Enter and you'll get a modern (MFA-aware) sign-in pop-up; enter your credentials and the verification code there.
Once you are authenticated successfully, you can start using the SharePoint Online PowerShell cmdlets.
PnP PowerShell to Connect to SharePoint Online with MFA
To connect to SharePoint Online with PnP PowerShell using multi-factor authentication, here are the options:
Option 1: Use the -UseWebLogin switch to connect to PnP Online with an MFA-enabled account (in the newer PnP.PowerShell module, the recommended equivalent is the -Interactive switch, which is also MFA-aware). E.g.
```powershell
#Site Variables
$SiteURL = "https://crescent.sharepoint.com"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin
```
If you are not already signed in to SharePoint Online, you'll get a browser login prompt.
Option 2: Use an App ID and App Secret to connect to SharePoint Online when the user account has MFA
Create an App ID and App Secret as per my article: Connect-PnPOnline with App ID and App Secret, then use them to connect to PnP. Note that this connection runs as the app principal, not as your user: MFA does not apply because no user signs in, and access is governed by the permissions granted to the app rather than your own. The App Secret is another static credential, so store and protect it like the App Password above.
```powershell
#Site collection URL
$SiteURL = "https://crescent.sharepoint.com"

#Connect to SharePoint Online with AppId and AppSecret
Connect-PnPOnline -Url $SiteURL -AppId "ca12s35f-7c48-4xbf-8238-760bc56bdeda" -AppSecret "J8cFpsg/AS7KUL79fGX1ykbBVkd6q35030AamzAQO5gHj="
```
Once connected, you can start using PnP cmdlets for SharePoint Online.
Connect to CSOM PowerShell Script with MFA
To connect to SharePoint Online through a CSOM PowerShell script with an MFA-enabled account, use the PnP AuthenticationManager's web-login context (this requires OfficeDevPnP.Core.dll to be loaded, e.g. by importing the SharePointPnPPowerShellOnline module first):
```powershell
#Site collection URL
$SiteURL = "https://crescent.sharepoint.com"

#Setup Authentication Manager (OfficeDevPnP.Core.dll must already be loaded)
$AuthenticationManager = New-Object OfficeDevPnP.Core.AuthenticationManager

#Opens an MFA-aware browser login and returns a client context for the site
$Ctx = $AuthenticationManager.GetWebLoginClientContext($SiteURL)
$Ctx.Load($Ctx.Web)
$Ctx.ExecuteQuery()
Write-Host $Ctx.Web.Title
```
This method opens a browser-based login that prompts for credentials and the second-factor code.
Typical Errors when Multi-Factor Authentication (MFA) is Enabled:
If you try to connect to SharePoint Online with the -Credential parameter and an MFA-enabled account, you'll get error messages like these:
```text
Connect-SPOService : The sign-in name or password does not match one in the Microsoft account system.
At line:5 char:1
+ Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService
```
PnP connection failing with the same error for an MFA-enabled account:
```text
Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system.
At line:6 char:1
+ Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline
```
CSOM PowerShell script with two-factor authentication:
```text
Exception calling "ExecuteQuery" with "0" argument(s): "The sign-in name or password does not match one in the Microsoft account system."
At line:23 char:1
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdcrlException
```
Last but not least: please note that MFA is not the only cause of these errors. The same "sign-in name or password does not match" message is returned for an incorrect user name or password (including a mistyped or revoked App Password), an account that has been disabled or locked, an expired password, a conditional access policy that blocks the sign-in, or a tenant where legacy authentication has been disabled. Rule those out before concluding that MFA is the problem.