Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)

Requirement: Connect to SharePoint Online from PowerShell using multi-factor authentication.

PowerShell to Connect to SharePoint Online with MFA
Multi-Factor Authentication (two-factor authentication) is often enabled in Office 365 environments as part of security hardening. On top of the usual user ID and password, it adds an extra layer such as an SMS code or a phone call to complete the sign-in. However, once MFA is enabled on the account you use to connect to SharePoint Online from PowerShell, the usual credential-based connection fails! Here are the available options for connecting to SharePoint Online with an account that has Multi-Factor Authentication enabled.

Create App Password and Connect with App Password
Visit http://aka.ms/createapppassword to create an App password for your MFA-enabled account(s), then connect to SharePoint Online with the App password. E.g.
#Admin Center URL of your SharePoint Online
$AdminSiteURL= "https://crescent-admin.sharepoint.com"
 
#Connect to SharePoint Online services
Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
Make sure you enter your user name and the App password (not your regular password) at the credential prompt. This method works for the SharePoint Online Management Shell, PnP PowerShell and CSOM-based PowerShell scripts alike. If needed, you can hard-code the user name and App password in the script to avoid the credential prompt at run time:
#Variables for processing
$AdminCenterURL = "https://crescent-admin.sharepoint.com"

#User Name Password to connect 
$AdminUserName = "[email protected]"
$AdminPassword = "xbcvvdjzedpcqdjkek" #App Password

#Prepare the Credentials
$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminUserName, $SecurePassword
 
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential $Cred
The App password method is ideal for unattended or scheduled scripts run from the Windows Task Scheduler!
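As an added example (not from the original post) of the same scheduled-task scenario, the App password can be kept out of the script body: the credential is saved once with Export-Clixml, which protects the SecureString with DPAPI so that only the same Windows user on the same machine can read it back, and the scheduled script loads it at run time. The credential file path is an assumption.

```powershell
#--- One-time setup: run interactively as the Windows account that will run the scheduled task ---
#Enter the user name and the App password at the prompt. Export-Clixml stores the password as a
#DPAPI-protected SecureString, so only this user on this machine can decrypt it again.
$CredFile = "$env:USERPROFILE\spo-app-password.xml"   #Assumed location
Get-Credential -Message "User name and App password" | Export-Clixml -Path $CredFile

#--- Scheduled script: loads the stored credential and connects with it ---
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$CredFile = "$env:USERPROFILE\spo-app-password.xml"

if (-not (Test-Path -Path $CredFile)) {
    throw "Credential file '$CredFile' not found. Run the one-time setup under this account first."
}

#Import-Clixml rebuilds the PSCredential; it fails if another user or machine tries to read the file
$Cred = Import-Clixml -Path $CredFile

try {
    Connect-SPOService -Url $AdminCenterURL -Credential $Cred -ErrorAction Stop
    #Example work: list the first few site collections with their storage usage
    Get-SPOSite -Limit 5 | Select-Object Url, Owner, StorageUsageCurrent
}
catch {
    #The same IdcrlException text appears for a wrong App password, a disabled account, etc.
    Write-Error "Connect-SPOService failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Disconnect-SPOService -ErrorAction SilentlyContinue
}
```

Run the setup block once and schedule only the second block under the same Windows account; if the account or machine changes, the credential file has to be recreated.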

Connect SharePoint Online PowerShell with MFA (Multifactor Authentication) by Omitting -Credential Parameter
To connect to SharePoint Online from the SharePoint Online Management Shell with an MFA-enabled account, simply omit the -Credential parameter from the "Connect-SPOService" cmdlet.
Connect-SPOService -Url https://YourTenant-admin.sharepoint.com
Hit Enter and you'll get a pop-up sign-in window (which is MFA-aware); enter your credentials and the verification code there.
Once you are authenticated successfully, you can start using the PowerShell cmdlets.

PnP PowerShell to Connect to SharePoint Online with MFA
To connect to SharePoint Online with PnP PowerShell using multi-factor authentication, here are the options:

Option 1: Use the "-UseWebLogin" switch to connect with PnP Online using an account that has Multifactor authentication enabled. E.g.
#Site Variables
$SiteURL = "https://crescent.sharepoint.com"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin 
If you are not already signed in to SharePoint Online, you'll get a login prompt.

Option 2: Use the App ID and App Secret method to connect to SharePoint Online with MFA
Create an App ID and App Secret as described in my article "Connect-PnPOnline with App ID and App Secret", then use those credentials to connect with PnP:
#Site collection URL
$SiteURL = "https://crescent.sharepoint.com"
 
#Connect to SharePoint Online with AppId and AppSecret
Connect-PnPOnline -Url $SiteURL -AppId "ca12s35f-7c48-4xbf-8238-760bc56bdeda" -AppSecret "J8cFpsg/AS7KUL79fGX1ykbBVkd6q35030AamzAQO5gHj=" 
Once connected, you can start using PnP cmdlets for SharePoint Online.

Connect to CSOM PowerShell Script with MFA
To connect to SharePoint Online through CSOM PowerShell script with a Multi-factor authentication enabled account, use this PowerShell:
$SiteURL = "https://crescent.sharepoint.com"

#Setup Authentication Manager
$AuthenticationManager = new-object OfficeDevPnP.Core.AuthenticationManager
$Ctx = $AuthenticationManager.GetWebLoginClientContext($SiteURL)
$Ctx.Load($Ctx.Web)
$Ctx.ExecuteQuery()

Write-Host $Ctx.Web.Title
This method prompts for credentials and two-factor authentication code!


Typical Errors when Multi-Factor Authentication (MFA) is Enabled:

If you try to connect to SharePoint Online with an MFA-enabled account using regular credentials, you'll get these error messages:
"Connect-SPOService : The sign-in name or password does not match one in the Microsoft account system.
At line:5 char:1
+ Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService"
The PnP connection fails with this error on an MFA-enabled account:
"Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system.
At line:6 char:1
+ Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], IdcrlException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline"
CSOM PowerShell script with two-factor authentication:
"Exception calling "ExecuteQuery" with "0" argument(s): "The sign-in name or password does not match one in the Microsoft account system."
At line:23 char:1
+ $Ctx.ExecuteQuery()
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdcrlException"
Last but not least: please note that MFA is not the only cause of these errors. Other reasons include an incorrect user name or password, a disabled or locked account, an expired password, Conditional Access policies, and legacy authentication being disabled for the tenant.

4 comments:

  1. Why am I seeing the same issues that you have :) Thank you so much Rajack for detailing each and every minute detail.

  2. Once you've connected via Connect-SPOService, how do you use a context to build up a query?

    1. The Connect-SPOService doesn't get you the Context! You have to either use PnP or CSOM.

  3. Salaudeen, you are the man! I can't thank you enough for all of your efforts with your blog. It has saved me so many times!
