Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)

Requirement: Connect to SharePoint Online from PowerShell using multi-factor authentication.

PowerShell to Connect to SharePoint Online with MFA

Multi-Factor Authentication (or two-factor authentication) is often enabled in Office 365 environments as part of security hardening. On top of the usual user ID and password, it adds an extra step, such as an SMS code or a phone call, to complete the authentication process. However, once MFA is enabled for the account you use to connect to SharePoint Online from PowerShell, the connection fails! Here are the available options for connecting to a SharePoint Online site with an account that has multi-factor authentication enabled.

Create App Password and Connect with App Password

Visit http://aka.ms/createapppassword to create an App password for your MFA-enabled account(s), then connect to SharePoint Online with the App password. E.g.:

#Admin Center URL of your SharePoint Online
$AdminSiteURL= "https://crescent-admin.sharepoint.com"
 
#Connect to SharePoint Online services
Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)

Make sure you enter your user name and the App password at the credential prompt. This method works for the SharePoint Online Management Shell, PnP PowerShell, and PowerShell CSOM scripts. If needed, you can hard-code the user name and App password in the script to avoid the credentials prompt at run time:

#Variables for processing
$AdminCenterURL = "https://crescent-admin.sharepoint.com"

#User Name Password to connect 
$AdminUserName = "[email protected]"
$AdminPassword = "xbcvvdjzedpcqdjkek" #App Password

#Prepare the Credentials
$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminUserName, $SecurePassword
 
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential $Cred

App Password method is ideal for unattended or scheduled scripts in Windows task scheduler!
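A hard-coded App password is readable by anyone who can open the script file or a backup of it. As an added example (not code from the original article), the scheduled script can instead load a credential that was saved once with Export-Clixml, which on Windows encrypts the password with DPAPI for the current user on the current machine. The function name Get-StoredSpoCredential and the file location are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Get-StoredSpoCredential and the default file path are hypothetical.
function Get-StoredSpoCredential {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:LOCALAPPDATA 'SpoScripts\spo-app-cred.xml')
    )

    # Export-Clixml only encrypts the SecureString (via DPAPI) on Windows.
    if ($env:OS -ne 'Windows_NT') {
        throw "DPAPI protection is only available on Windows; refusing to use $Path."
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: must happen interactively, under the same account
        # that will later run the scheduled task.
        if (-not [Environment]::UserInteractive) {
            throw "No stored credential at $Path. Run this script once interactively as $env:USERNAME."
        }
        $dir = Split-Path -Parent $Path
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        $new = Get-Credential -Message 'Enter the user name and the App password'
        if (-not $new) { throw 'No credential entered; nothing was saved.' }
        $new | Export-Clixml -LiteralPath $Path
    }

    # Import-Clixml fails here if the file was created by another user or on
    # another machine, because DPAPI cannot decrypt the password.
    $cred = Import-Clixml -LiteralPath $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential object."
    }
    return $cred
}

#Admin Center URL of your SharePoint Online (same value as in the article)
$AdminCenterURL = "https://crescent-admin.sharepoint.com"

#Connect to SharePoint Online with the stored credential
Connect-SPOService -Url $AdminCenterURL -Credential (Get-StoredSpoCredential)
```

Run the script once interactively as the task's account to create the file; later unattended runs only read it.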

Connect SharePoint Online PowerShell with MFA (Multifactor Authentication) by Omitting -Credential Parameter

To connect to SharePoint Online from the SharePoint Online Management Shell with a multi-factor authentication enabled account, simply remove the -Credential parameter from the “Connect-SPOService” cmdlet.

Connect-SPOService -Url https://YourTenant-admin.sharepoint.com

Hit Enter and you’ll get a popup (which is MFA aware) where you enter the credentials and code.

Once you are authenticated successfully, you can start using PowerShell cmdlets.

PnP PowerShell to Connect to SharePoint Online with MFA

To connect to SharePoint Online with PnP PowerShell using multi-factor authentication, here are the options:

Option 1: Use the “-UseWebLogin” switch if you want to connect to PnP Online with an account that has multi-factor authentication enabled. E.g.:

#Site Variables
$SiteURL = "https://crescent.sharepoint.com"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin 

If you are not already connected to SharePoint Online, you’ll get a login prompt.

Option 2: Use the App ID and App Secret method to connect to SharePoint Online with MFA.
Create an App ID and App Secret as per my article “Connect-PnPOnline with App ID and App Secret”, then use the AppId and AppSecret credentials to connect to PnP.

#Site collection URL
$SiteURL = "https://crescent.sharepoint.com"
 
#Connect to SharePoint Online with AppId and AppSecret
Connect-PnPOnline -Url $SiteURL -AppId "ca12s35f-7c48-4xbf-8238-760bc56bdeda" -AppSecret "J8cFpsg/AS7KUL79fGX1ykbBVkd6q35030AamzAQO5gHj=" 

Once connected, you can start using PnP cmdlets for SharePoint Online.

Connect to CSOM PowerShell Script with MFA

To connect to SharePoint Online through a CSOM PowerShell script with a multi-factor authentication enabled account, use this PowerShell:

$SiteURL = "https://crescent.sharepoint.com"

#Setup Authentication Manager (the OfficeDevPnP.Core assembly must already be loaded in the session)
$AuthenticationManager = New-Object OfficeDevPnP.Core.AuthenticationManager
$Ctx = $AuthenticationManager.GetWebLoginClientContext($SiteUrl)
$Ctx.Load($Ctx.Web)
$Ctx.ExecuteQuery()

Write-Host $Ctx.Web.Title

This method prompts for credentials and two-factor authentication code!

Typical Errors when Multi-Factor Authentication (MFA) is Enabled:

If you try to connect to SharePoint Online with an MFA-enabled account, you’ll get these error messages:
“Connect-SPOService : The sign-in name or password does not match one in the Microsoft account system.
At line:5 char:1
+ Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService”

PnP connection fails with this error on an MFA-enabled account:
“Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system.
At line:6 char:1
+ Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline”

CSOM PowerShell Script with Two Factor Authentication:
“Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
At line:23 char:1
+ $Ctx.ExecuteQuery()
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdcrlException”

Last but not least: please note that, other than MFA, there could be other reasons for these errors, such as an incorrect user name or password, a disabled or locked account, an expired password, conditional access policies, legacy authentication being disabled, etc.
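The errors above all carry IdcrlException in their FullyQualifiedErrorId, so a script can recognise that specific failure and fall back to the MFA-aware prompt (Connect-SPOService without -Credential) when someone is at the keyboard. This is an added example, not code from the original article; the function name Connect-SpoWithFallback is hypothetical.

```powershell
# Added example, not from the original article.
# Connect-SpoWithFallback is a hypothetical helper name.
function Connect-SpoWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$AdminSiteURL,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential]$Credential
    )

    try {
        Connect-SPOService -Url $AdminSiteURL -Credential $Credential -ErrorAction Stop
        return
    }
    catch {
        # Match on the error id and exception type name shown in the article's
        # output, so the IdcrlException type need not be resolvable up front.
        $isIdcrl = $_.FullyQualifiedErrorId -like '*IdcrlException*'
        for ($e = $_.Exception; $e -and -not $isIdcrl; $e = $e.InnerException) {
            $isIdcrl = $e.GetType().Name -eq 'IdcrlException'
        }
        if (-not $isIdcrl) { throw }   # unrelated failure: surface it unchanged

        Write-Warning "Credential sign-in for $($Credential.UserName) was rejected: $($_.Exception.Message)"
    }

    if ([Environment]::UserInteractive) {
        # Same call as in the article: omitting -Credential opens the MFA-aware popup.
        Connect-SPOService -Url $AdminSiteURL
    }
    else {
        # Unattended run: nobody can answer an MFA prompt, so stop with the causes to check.
        throw ("Sign-in failed in a non-interactive session. Check for: MFA on the account, " +
               "incorrect user name or password, disabled or locked account, expired password, " +
               "conditional access policies, or legacy authentication being disabled.")
    }
}

#Admin Center URL of your SharePoint Online (same value as in the article)
$AdminSiteURL = "https://crescent-admin.sharepoint.com"
Connect-SpoWithFallback -AdminSiteURL $AdminSiteURL -Credential (Get-Credential)
```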

Salaudeen Rajack

Information Technology Professional with Two decades of SharePoint Experience.

6 thoughts on “Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)”

  • February 18, 2021 at 7:34 PM

    …there is a typo or the parameter names are new! Correct is now:

    Connect-PnPOnline -Url <> -ClientId <> -ClientSecret <>

  • January 15, 2021 at 3:31 PM

    Thanks Salaudeen. Your trick of creating an app password helped with connecting via CSOM in PowerShell. One issue I noticed is that with the App Password in place, the SharePoint Online Admin pages were not loading. The loading spinner was displayed all the time for all admin pages. A call with Microsoft showed an account conflict error. And after deleting the app password, the SPO Admin pages were loading fine. Just in case someone else faces the same issue.

  • November 11, 2020 at 10:05 PM

    Salaudeen, you are the man! I can't thank you enough for all of your efforts with your blog. It has saved me so many times!

  • November 3, 2020 at 5:50 PM

    Once you’ve connected via Connect-SPOService, how do you use a context to build up a query?

    • November 4, 2020 at 2:08 PM

      The Connect-SPOService doesn’t get you the Context! You have to either use PnP or CSOM.

  • October 19, 2020 at 8:25 PM

    Why am I seeing the same issues that you have 🙂 Thank you so much Rajack for detailing each and every minute detail.