Requirement: Connect to SharePoint Online from PowerShell using multi-factor authentication.
PowerShell to Connect to SharePoint Online with MFA
Multi-Factor Authentication or two-factor authentication in Office 365 environments is often enabled as part of security hardening. Instead of typical user IDs and passwords, it adds an extra layer with SMS or phone call to complete the authentication process. However, in SharePoint, when you enable MFA for the account you used to connect to SharePoint Online from PowerShell, it fails! A few extra steps need to be taken first before connecting successfully. In this guide, we will see how to connect to SharePoint Online using PowerShell with MFA, including the prerequisites and step-by-step instructions.
Here is the list of available options on how to connect to the SharePoint Online site through an account with Multi-Factor authentication enabled.
Create an App Password to Connect to SharePoint Online
Visit https://aka.ms/createapppassword to create an App password for your MFA-enabled account(s), Then connect to SharePoint Online with the App password! Here is the Connect-SPOService with MFA example:
#Admin Center URL of your SharePoint Online $AdminSiteURL= "https://crescent-admin.sharepoint.com" #Connect to SharePoint Online services Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
Ensure you enter your user name and the App password for the credential prompt. This method works for SharePoint Online Management Shell, PnP PowerShell, or on PowerShell – CSOM scripts. If needed, You can hard-code the user name and App password in the script to avoid the credentials prompt at run time:
#Variables for processing $AdminCenterURL = "https://crescent-admin.sharepoint.com" #User Name Password to connect $AdminUserName = "Salaudeen@crescent.com" $AdminPassword = "xbcvvdjzedpcqdjkek" #App Password #Prepare the Credentials $SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force $Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminUserName, $SecurePassword #Connect to SharePoint Online tenant Connect-SPOService -url $AdminCenterURL -Credential $Cred
The app Password method is ideal for unattended or scheduled scripts in the Windows task scheduler!
Connect SharePoint Online PowerShell with MFA (Multifactor Authentication) by Omitting the “Credential” Parameter
To connect with SharePoint Online from the SharePoint Online Management Shell with multifactor authentication enabled account, simply remove the -Credential parameter from the “Connect-SPOService” cmdlet because the Get-Credential cmdlet is not MFA aware!
Connect-SPOService -Url https://YourTenant-admin.sharepoint.com
Hit Enter, You’ll get a popup (PowerShell Window – which is MFA aware), and enter the credentials and code as you get in SharePoint login.
Once you are authenticated successfully, You can start using PowerShell cmdlets from the module in the PowerShell console or PowerShell ISE.
PnP PowerShell to Connect to SharePoint Online with MFA
To connect to SharePoint Online from the PnP PowerShell module using Connect-PnPOnline with MFA (multi-factor authentication), here are the options:
Option 1: Use the “-Interactive” switch if you want to connect to PnP Online with an account with Multi-factor authentication enabled. E.g.
#Site Variables $SiteURL = "https://crescent.sharepoint.com" #Connect to PnP Online Connect-PnPOnline -Url $SiteURL -Interactive
If you are not already connected with SharePoint Online, You’ll get a login prompt.
Option 2: Use the Client ID and Client Secret method to Connect to SharePoint Online with MFA
Create an AppID and Password as per my article: Connect-PnPOnline with Client ID and Client Secret then use the ClientId and ClientSecret credentials to connect to PnP.
#Site collection URL $SiteURL = "https://crescent.sharepoint.com" #Connect to SharePoint Online with AppId and AppSecret Connect-PnPOnline -Url $SiteURL -ClientId "ca12s35f-7c48-4xbf-8238-760bc56bdeda" -ClientSecret "J8cFpsg/AS7KUL79fGX1ykbBVkd6q35030AamzAQO5gHj="
Once connected, you can start using PnP cmdlets for SharePoint Online. More on connecting to SharePoint Online through PnP PowerShell is here: How to Connect to SharePoint Online using PnP PowerShell?
Connect to CSOM PowerShell Script with MFA
To connect to SharePoint Online through CSOM PowerShell script with a Multi-factor authentication configured account, use this PowerShell:
$SiteURL = "https://crescent.sharepoint.com" #Setup Authentication Manager $AuthenticationManager = new-object OfficeDevPnP.Core.AuthenticationManager $Ctx = $AuthenticationManager.GetWebLoginClientContext($SiteUrl) $Ctx.Load($Ctx.Web) $Ctx.ExecuteQuery() Write-Host $Ctx.Web.Title
This method prompts for credentials and a two-factor authentication code!
In conclusion, connecting to SharePoint Online using PowerShell with MFA is a great way to secure your data and protect against unauthorized access. By following the steps outlined in this guide, you should be able to connect to SharePoint Online with MFA enabled.
Typical Errors when Multi-Factor Authentication (MFA) is Enabled:
If you try to connect to SharePoint Online with an MFA enabled account, You’ll get these error messages:
“Connect-SPOService : The sign-in name or password does not match one in the Microsoft account system.
At line:5 char:1
+ Connect-SPOService -url $AdminSiteURL -Credential (Get-Credential)
+ CategoryInfo : NotSpecified: (:) [Connect-SPOService], IdcrlException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService”
PnP Connection failed with the error on MFA enabled Account:
“Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system.
At line:6 char:1
+ Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
+ CategoryInfo : NotSpecified: (:) [Connect-PnPOnline], IdcrlException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline”
CSOM PowerShell Script with Two Factor Authentication:
“Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
At line:23 char:1
+ CategoryInfo : NotSpecified: (:) , MethodInvocationException
+ FullyQualifiedErrorId : IdcrlException”
Last but not least: Please note, Other than MFA, There could be other reasons for these errors. Such as Incorrect username or password, Account has been disabled or locked, Password expired, conditional access policies, legacy authentication is disabled, etc.
To install the PowerShell Module for SharePoint Online, Open PowerShell as Administrator and enter: “Install-Module Microsoft.Online.SharePoint.PowerShell”.
More info: Install SharePoint Online PowerShell Module
Install the new PnP PowerShell module using: “Install-Module PnP.PowerShell” and then you can connect to the SharePoint site using the “Connect-PnPOnline” cmdlet.
More info: PnP PowerShell to connect to SharePoint Online
The PnP PowerShell module is an open-source and community-provided library that sits on top of PowerShell and offers 500+ cmdlets to work with the Microsoft 365 environment.