I am running this tool off a domain joined computer (I do not have the option to run it off a non-domain joined one, so don't even bother suggesting that).
I am logged on to the computer as my on-prem admin account and we have separate office365 admin accounts. We have set up SSO and are also using modern authentication, if I am not mistaken.
When I launch the Exchange Online Powershell Module, I try to connect specifying my office365 admin account like this: connect-exopssession -userprincipalname [email protected]. However, it errors out saying that: New-Exopssession: user '[email protected]' returned by service does not match user '[email protected]' in the request.
It also says AdalUserMismatchException.
Does anyone have any idea how to mend this? We have little or no ability to change the ADFS setup, as this is hosted centrally.
@officedocsbot assign @yogkumgit
Hi @luddiluddludde, thank you for your comment.
I understand that you have SSO (with AD FS) and MA enabled to this account (MFA not?). Did you try with these steps?
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
@dariomws306 Thank you very much for the contribution and sharing this explanation. @luddiluddludde Hope this comment is helpful for you. Thanks for taking out some time to open the issue. Appreciate and encourage you to do the same in future also.
@officedocsbot close
This question has not been resolved. The reference provided by @dariomws306 is only basic information about how to connect to Exchange Online PowerShell. It does not address the issue raised by @luddiluddludde. The issue is that Single Sign-On (SSO) hijacks the login process when attempting to log in as a different user on the same domain. More information may be found here.
SUGGESTION TO DEVELOPERS: A -NoSSO switch is needed to disable Single Sign-On in the Connect-EXOPSSession cmdlet.
In regards to the documentation, I would suggest adding a section something like the following (Pull request #4358 submitted):
If your organization has single sign-on enabled and you are logged into a computer as a user in that domain, then Connect-EXOPSSession may fail with an error similar to "New-ExoPSSession : User '[email protected]' returned by service does not match user '[email protected]' in the request.". This occurs because single sign-on overrides the specified userprincipalname. As a work-around, log into another non-domain-joined computer or log in as a local user on the computer and try again.
Since this hasn't been answered yet, the workaround is to omit the parameter UserPrincipalname. Just use
Connect-EXOPSSession
and answer the prompts as you wish.
Source: https://ingogegenwarth.wordpress.com/2018/02/02/exo-ps-mfa/
"Assuming you want to connect to Exchange Online using [email protected] from your machine and your user has a UserPrincipalname [email protected]. When you have used the parameter UserPrincipalname, the PromptBehavior Auto is used and when you get redirected to ADFS (or your SSO solution), your client will perform a silent login with the user [email protected] and establish the connection to Exchange Online with these credentials instead of using [email protected].
The fix for this is not to use the parameter UserPrincipalname."
I hope this helps someone else down the road.
Also reported here: https://answers.microsoft.com/en-us/msoffice/forum/all/login-error-with-multi-factor-authentication/9347ba0f-ce0e-44ae-a75a-240a4ef74b19
Also reported here: https://community.spiceworks.com/topic/2168837-connect-to-exchange-online-mfa-enabled
@cnorm Thank you for your input. I am updating the article according to this information.
@lesterw1 and @luddiluddludde if you can, kindly confirm this new workaround, as it's simpler than logging into another non-domain-joined computer or logging in as a local user. Thanks!
Also, please keep in mind the Connect-ExchangeOnline cmdlet, because it will be your best option to connect to Exchange Online PowerShell when the V2 module reaches GA.