Pnp-powershell: Update modules to allow MFA enabled accounts to authenticate with SPO

Created on 25 Nov 2015 · 3 Comments · Source: pnp/PnP-PowerShell

In testing some of the new AzureAD MFA functionality, there was a requirement to test connecting to SPO sites.

Using the PowerShell modules, this throws an error message as below:

PSMessageDetails      : 
Exception             : Microsoft.SharePoint.Client.IdcrlException: The sign-in name or password does not match one in 
                        the Microsoft account system.
                           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String securityXml, String 
                        serviceTarget, String servicePolicy)
                           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String username, String 
                        password, String serviceTarget, String servicePolicy)
                           at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.GetAuthenticatio
                        nCookie(Uri url, String username, SecureString password)
                           at Microsoft.SharePoint.Client.SharePointOnlineCredentials.GetAuthenticationCookie(Uri url, 
                        Boolean refresh)
                           at 
                        Microsoft.SharePoint.Client.ClientRuntimeContext.SetupRequestCredential(ClientRuntimeContext 
                        context, HttpWebRequest request)
                           at Microsoft.SharePoint.Client.SPWebRequestExecutor.GetRequestStream()
                           at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
                           at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
                           at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
                           at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryImplementation(ClientRunt
                        imeContext clientContext, Int32 retryCount, Int32 delay)
                           at 
                        Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext 
                        clientContext, Int32 retryCount, Int32 delay)
                           at OfficeDevPnP.PowerShell.Commands.Base.SPOnlineConnectionHelper.InstantiateSPOnlineConnect
                        ion(Uri url, PSCredential credentials, PSHost host, Boolean currentCredentials, Int32 
                        minimalHealthScore, Int32 retryCount, Int32 retryWait, Int32 requestTimeout, Boolean 
                        skipAdminCheck)
                           at OfficeDevPnP.PowerShell.Commands.Base.ConnectSPOnline.ProcessRecord()
                           at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [Connect-SPOnline], IdcrlException
FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,OfficeDevPnP.PowerShell.Commands.Base.ConnectSPOnlin
                        e
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

I may be wrong but I'm sure there was a sample for enabling authentication with MFA for the PnP.Core library at some point? Though I may be thinking of ADFS?

All 3 comments

I thought there was an MFA sample as well. Looking at the docs, I assume the -UseWebLogin switch parameter would provide a way to authenticate via MFA. However, the NuGet (PowerShellGet) package does not recognize that parameter.

@erwinvanhunen -- is that a documentation issue or is the package just behind the source at the moment? (I'll stand up a dev environment to help work thru this, but it will take a few days.)

Thanks.

The latest, sort-of-official word from the O365 Support forum:

If an administrator account was enabled Multi-factor Authentication, PowerShell will not work when he connects to PowerShell with this administrator account. Ensure you create a service account with a strong password to run PowerShell scripts and do not enable that account for multi-factor authentication.

(Assuming above is correct, probably should close this case.)

Paul, sorry for the delay. The -UseWebLogin parameter is available. At the time it was most likely a delay in the availability of the cmdlet in the PowerShell Gallery.
