Connect-MsolService Authentication Failure with MFA enabled

You might have encountered an error message when you attempt to connect with Office 365 using PowerShell for day to day admin operations with MFA enabled privileged account. When attempting to use Connect-MsolService with an MFA-enabled admin account you may receive a legacy authentication prompt instead of modern authentication prompt. Legacy prompt will fail authentication request as it does not support modern authentication and requires either MFA disabled or application password. This incorrect prompt is due to older version of MSOnline PowerShell module being installed on the machine. Connect-MsolService Authentication Failure with MFA enabled

Legacy prompt for authentication will result in following authentication error even though you have entered the correct credentials for your admin account.

C:\> Connect-MsolService

Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown. 
At line:1 char:1

Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService

To fix this issue, you need to ensure you have the latest version installed for MSOnline module.

Install MSOnline Latest Module for PowerShell

To determine what version of the MSOnline module is installed on your machine, run the following:

C:\> Get-Module -Name MSOnline

 C:\> Get-Module -Name MSOnline

ModuleType          Version          Name
----------          -------          ----
Manifest            1.0              MSOnline

As you can see I have the original release of the MSOnline PowerShell module installed that does not support modern authentication and thus caused authentication failure for admin accounts with MFA enabled. To see what modules are available to download from the PowerShell gallery, run the following command.

 C:\> Find-Module -Name MSOnline

Version     Name      Repository   Description
-------     ----      ----------   -----------
1.1.183.17  MSOnline  PSGallery    Microsoft Azure Active Directory Module

From this output, we can see version 1.1.183.17 is is available that’s the most recent version of PowerShell module at the time of this blog post writing. Version 1.1 does support modern authentication.

Version 1.0 of MSOnline module was delivered as MSI installer to be downloaded and installed on machines. In order for us to install the latest version via Windows PowerShell, we first need to remove version 1.0 from Control panel. To remove version 1.0, go to start menu > Control Panel > Programs and Feature. From the list, uninstall “Windows Azure Active Directory Module for PowerShell“.

Once the 1.0 version is removed, go back to your PowerShell and run the following cmdlet.

C:\> Install-Module -Name MSOnline

Connect-MsolService Authentication Failure with MFA enabledWhen you are installing the module, make sure you are running the powershell as admin.

Once the updated module is installed, you will need to close and reopen PowerShell window. With a new PowerShell window open, run the Connect-MsolService cmdlet. This time you will see a new modern authentication prompt that will let you go thorugh MFA authentication process without any issues.Connect-MsolService Authentication Failure with MFA enabled