In testing some of the new AzureAD MFA functionality there was a requirement to test connecting to SPO sites.
Using the PowerShell modules this throws an error message as below:
PSMessageDetails :
Exception : Microsoft.SharePoint.Client.IdcrlException: The sign-in name or password does not match one in the Microsoft account system.
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String securityXml, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String username, String password, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.GetAuthenticationCookie(Uri url, String username, SecureString password)
   at Microsoft.SharePoint.Client.SharePointOnlineCredentials.GetAuthenticationCookie(Uri url, Boolean refresh)
   at Microsoft.SharePoint.Client.ClientRuntimeContext.SetupRequestCredential(ClientRuntimeContext context, HttpWebRequest request)
   at Microsoft.SharePoint.Client.SPWebRequestExecutor.GetRequestStream()
   at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
   at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
   at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
   at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryImplementation(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
   at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
   at OfficeDevPnP.PowerShell.Commands.Base.SPOnlineConnectionHelper.InstantiateSPOnlineConnection(Uri url, PSCredential credentials, PSHost host, Boolean currentCredentials, Int32 minimalHealthScore, Int32 retryCount, Int32 retryWait, Int32 requestTimeout, Boolean skipAdminCheck)
   at OfficeDevPnP.PowerShell.Commands.Base.ConnectSPOnline.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject :
CategoryInfo : NotSpecified: (:) [Connect-SPOnline], IdcrlException
FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,OfficeDevPnP.PowerShell.Commands.Base.ConnectSPOnline
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
I may be wrong but I'm sure there was a sample for enabling authentication with MFA for the PnP.Core library at some point? Though I may be thinking of ADFS?
I thought there was an MFA sample as well. Looking at the docs, I assume the -UseWebLogin switch parameter would provide a way to authenticate via MFA. However, the NuGet (PowerShellGet) package does not recognize that parameter.
@erwinvanhunen -- is that a documentation issue or is the package just behind the source at the moment? (I'll stand up a dev environment to help work through this, but it will take a few days.)
Thanks.
The latest, sort-of-official word from the O365 Support forum:
If an administrator account was enabled Multi-factor Authentication, PowerShell will not work when he connects to PowerShell with this administrator account. Ensure you create a service account with a strong password to run PowerShell scripts and do not enable that account for multi-factor authentication.
(Assuming above is correct, probably should close this case.)
Paul, sorry for the delay. The -UseWebLogin parameter is available. At the time it was most likely a delay in the availability of the cmdlet in the PowerShell Gallery.
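
An added example, not part of the thread or the project's own code: a small wrapper that checks whether the installed Connect-SPOnline actually exposes the -UseWebLogin switch discussed above before using it, so an out-of-date gallery package fails with a clear message instead of a parameter-binding error. The function name Connect-SpoWithWebLogin and the site URL are hypothetical placeholders.

```powershell
# Added example; Connect-SpoWithWebLogin is a hypothetical helper name.
function Connect-SpoWithWebLogin {
    [CmdletBinding()]
    param(
        # Site to connect to (placeholder value in the usage line below).
        [Parameter(Mandatory = $true)]
        [uri]$Url
    )

    # Resolve the cmdlet from whichever module version is installed locally.
    $cmd = Get-Command -Name Connect-SPOnline -ErrorAction SilentlyContinue
    if (-not $cmd) {
        throw 'Connect-SPOnline was not found. Install or import the PnP PowerShell module first.'
    }

    # The thread's symptom: the installed package lags the source and lacks the switch.
    if (-not $cmd.Parameters.ContainsKey('UseWebLogin')) {
        $msg = "Connect-SPOnline from module '{0}' (version {1}) has no -UseWebLogin parameter; update the module."
        throw ($msg -f $cmd.ModuleName, $cmd.Version)
    }

    # Interactive browser sign-in, so the MFA prompt is handled by the login page
    # rather than by the username/password path that raised IdcrlException.
    Connect-SPOnline -Url $Url.AbsoluteUri -UseWebLogin -ErrorAction Stop
}

# Usage (constructed URL):
# Connect-SpoWithWebLogin -Url 'https://contoso.sharepoint.com/sites/example'
```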