When you manage a Microsoft 365 tenant, you often have to create accounts with some privileges or roles on that tenant, for example an account with the SharePoint Online administrator role 🙄.

Once you have created a Microsoft 365 tenant for your company, some governance rules have to be respected, especially the security ones. One of them, a best practice, consists in activating MFA (Multi-Factor Authentication) on accounts that hold specific role(s), especially if it is a service account.

You can configure MFA to use a text message or a mobile application. I will show you how to configure it, expose the side effects on your PowerShell scripts and how to deal with them.

In this use case, it is an account with the SharePoint administrator role.

Why enable MFA?

The main reason is to increase security! Even if someone finds your password, they won't be able to sign in to your account without a validation or a code generated on your smartphone. There are other reasons too:

  • A user cannot use an App Password (I'll explain below what it is exactly) to sign in to the Office portal
  • App Passwords never expire (you can set a never-expiring password on a specific account, but such accounts are not easy to manage and it is not recommended)
  • A user can change their password and the App Password is kept
  • You can generate several App Passwords (I don't know if this case is really interesting, but you can 😉)
  • You can revoke all App Passwords in one shot
  • For security reasons, all accounts with admin role(s) should have MFA activated (especially the Global Admin role)
  • If an enterprise wishes to have a good score on Microsoft Secure Score, enabling MFA is recommended (CSA CCM301, Control DSI-02, FedRAMP Moderate, Control IA-3, GDPR, etc.)

There are still other differences and reasons, but these are the ones I present to my customers and why I generally advise activating MFA.

PowerShell script without MFA

In this example, we'll use the PnP PowerShell framework to connect and count the number of SharePoint site collections in the tenant.

  1. From the PowerShell console, use the connect cmdlet:
Connect-PnPOnline -Url https://yourdomain-admin.sharepoint.com
  2. A Windows prompt should appear. Fill in the login ([email protected]) and password.
  3. Now, to count all SharePoint site collections, use the cmdlet below:
(Get-PnPTenantSite).Count

It works ! 💪🏻

Close the PowerShell console.

Configure MFA on an account

Prerequisites

  1. Connect to the Microsoft 365 admin center with an account that has sufficient rights
  2. A smartphone
  3. If you haven't already installed the Microsoft Authenticator app on your device, you can install it from here:
Microsoft Authenticator – Securely Access & Manage Your Online Accounts
The Microsoft Authenticator phone app gives you easy, secure access to online accounts, providing multi-factor authentication for an extra layer of security.

Configuration

  1. From the Microsoft 365 admin center, go to Active users
  2. Click on the ellipsis located in the top bar and click on Setup multifactor authentication

  3. From the Multi-factor authentication page, select the target account on which you want to enable MFA
  4. On the right side, click on Enable
  5. In the dialog that appears, click on enable multi-factor auth
  6. In the success dialog, click on close
  7. Log out the current user or switch to another browser
  8. Log in with the target account on which MFA was enabled
  9. Configure the Mobile App Authenticator
  10. Generate your first App Password and save it somewhere safe

Here is the link to access the App Password manager directly: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

That's done ! 😅

PowerShell script with MFA

  1. From a new PowerShell console, use the connect cmdlet:
Connect-PnPOnline -Url https://yourdomain-admin.sharepoint.com
  2. A Windows prompt should appear. Fill in the login ([email protected]) and password (as previously). But this time, after authentication, you should get an error message like this one:
  3. Now, try again, but this time use the App Password instead of the user password

It works again! 🤗 Phew


It still does not work!

Microsoft provides several authentication methods, and it is possible to block legacy authentication on the tenant. In that case the connection fails with the following error:

Connect-PnPOnline does not support SharePoint Online credentials

You can re-enable legacy authentication with the following cmdlets:

Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -LegacyAuthProtocolsEnabled $true

You will have to wait a while before the change takes effect. Microsoft announces up to 24 hours; in my cases it never took more than 15 minutes.

Note: in other use cases, MFA and App Passwords will not work, especially if you're using the Microsoft Graph API. Other ways are available to connect to Microsoft 365 services, such as a certificate or an application registration (Client ID).
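As an added example (not code from the original post), here is a small script that wraps the App Password flow above for unattended use: it reads the login and App Password from a credential file stored once with Export-Clixml (so the App Password is never hardcoded), connects with Connect-PnPOnline -Credentials, counts the site collections, and if the "does not support SharePoint Online credentials" error appears, reports the tenant's LegacyAuthProtocolsEnabled value via the SharePoint Online Management Shell. The admin URL, credential file path and the commented app-only parameters are assumptions.

```powershell
# Added example, not part of the original post. Assumes the PnP PowerShell
# module and the SharePoint Online Management Shell are installed, and that the
# App Password was stored once, interactively, with:
#   Get-Credential | Export-Clixml -Path "$env:USERPROFILE\spo-admin.cred"
# Export-Clixml protects the secret with DPAPI for the current user and
# machine, so the file is useless if copied elsewhere.
param(
    [string]$AdminUrl = "https://yourdomain-admin.sharepoint.com",  # assumed
    [string]$CredPath = "$env:USERPROFILE\spo-admin.cred"            # assumed
)

# PSCredential: login + App Password (not the user's real password)
$cred = Import-Clixml -Path $CredPath

try {
    # An App Password only works with the legacy (credential-based) flow
    Connect-PnPOnline -Url $AdminUrl -Credentials $cred -ErrorAction Stop
    $count = (Get-PnPTenantSite).Count
    Write-Host "Site collections in tenant: $count"
}
catch {
    if ($_.Exception.Message -match 'does not support SharePoint Online credentials') {
        # The error from the post: legacy authentication is blocked on the tenant.
        # Check the flag with the SPO Management Shell (interactive, MFA-capable login).
        Connect-SPOService -Url $AdminUrl
        $legacy = (Get-SPOTenant).LegacyAuthProtocolsEnabled
        Write-Warning "LegacyAuthProtocolsEnabled = $legacy. App Passwords need it set to `$true."
        Write-Warning "Prefer an app registration with a certificate over re-enabling legacy auth."
        # App-only alternative mentioned in the post (assumed values, no App Password needed):
        # Connect-PnPOnline -Url $AdminUrl -ClientId '<app client id>' `
        #     -Tenant 'yourdomain.onmicrosoft.com' -CertificatePath '<path to .pfx>'
    }
    else {
        throw   # any other failure is rethrown unchanged
    }
}
```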

Hoping this post will help you 😉