Connect-MsolService Authentication Failure with MFA enabled
You may hit an error when you connect to Office 365 from PowerShell for day-to-day admin operations with an MFA-enabled privileged account. When you run Connect-MsolService with an MFA-enabled admin account, you may receive a legacy authentication prompt instead of the modern authentication prompt. The legacy prompt fails the authentication request because it does not support modern authentication; it requires either MFA to be disabled or an application password. This incorrect prompt appears because an older version of the MSOnline PowerShell module is installed on the machine.
The legacy authentication prompt results in the following error even though you have entered the correct credentials for your admin account.
C:\> Connect-MsolService
Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
At line:1 char:1
Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService
To fix this issue, make sure the latest version of the MSOnline module is installed.
Install MSOnline Latest Module for PowerShell
To determine what version of the MSOnline module is installed on your machine, run the following:
C:\> Get-Module -Name MSOnline
C:\> Get-Module -Name MSOnline
ModuleType Version Name
---------- ------- ----
Manifest   1.0     MSOnline
As you can see, I have the original release of the MSOnline PowerShell module installed, which does not support modern authentication and thus caused the authentication failure for admin accounts with MFA enabled. To see what modules are available to download from the PowerShell Gallery, run the following command.
C:\> Find-Module -Name MSOnline
Version       Name     Repository Description
-------       ----     ---------- -----------
18.104.22.168 MSOnline PSGallery  Microsoft Azure Active Directory Module
From this output, we can see that version 22.214.171.124 is available, which is the most recent version of the PowerShell module at the time of writing this blog post. Version 1.1 does support modern authentication.
Version 1.0 of the MSOnline module was delivered as an MSI installer to be downloaded and installed on machines. Before we can install the latest version via Windows PowerShell, we first need to remove version 1.0 from Control Panel. To remove version 1.0, go to Start menu > Control Panel > Programs and Features. From the list, uninstall “Windows Azure Active Directory Module for PowerShell”.
Once version 1.0 is removed, go back to PowerShell and run the following cmdlet.
C:\> Install-Module -Name MSOnline
Once the updated module is installed, close and reopen the PowerShell window. In the new PowerShell window, run the Connect-MsolService cmdlet. This time you will see the new modern authentication prompt, which lets you go through the MFA authentication process without any issues.
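The version check and the fix above can be combined into one pre-flight check, shown here as an added example that is not part of the original post. The function name Get-MsolModuleStatus and the sample records are hypothetical, and it uses Get-Module -ListAvailable so that copies not yet loaded into the session are also reported.

```powershell
# Added example. Assumption taken from the article: MSOnline 1.0 (the MSI release)
# lacks modern authentication, while 1.1 and later support it.
function Get-MsolModuleStatus {
    [CmdletBinding()]
    param(
        # Module records to evaluate; defaults to every MSOnline copy on this machine.
        [object[]]$Module = @(Get-Module -ListAvailable -Name MSOnline),
        [version]$MinimumVersion = '1.1'
    )

    # Split the installed copies by whether they meet the modern-auth threshold.
    $legacy = @($Module | Where-Object { $_ -and [version]$_.Version -lt $MinimumVersion })
    $modern = @($Module | Where-Object { $_ -and [version]$_.Version -ge $MinimumVersion })

    if ($modern.Count -gt 0 -and $legacy.Count -gt 0) {
        $status = 'Mixed'
    } elseif ($modern.Count -gt 0) {
        $status = 'ModernAuthCapable'
    } elseif ($legacy.Count -gt 0) {
        $status = 'LegacyOnly'
    } else {
        $status = 'NotInstalled'
    }
    [pscustomobject]@{ Status = $status; Legacy = $legacy; Modern = $modern }
}

# Constructed sample records (not real output): the MSI copy beside a newer copy.
$sample = @(
    [pscustomobject]@{ Name = 'MSOnline'; Version = '1.0';     ModuleBase = 'C:\constructed\msi' }
    [pscustomobject]@{ Name = 'MSOnline'; Version = '1.1.0.0'; ModuleBase = 'C:\constructed\gallery' }
)
Get-MsolModuleStatus -Module $sample | Select-Object Status

# Check this machine and print the step from the article that applies.
$result = Get-MsolModuleStatus
switch ($result.Status) {
    'NotInstalled'      { Write-Warning 'MSOnline not found. Run: Install-Module -Name MSOnline' }
    'LegacyOnly'        { Write-Warning 'Only a pre-1.1 copy is installed. Uninstall "Windows Azure Active Directory Module for PowerShell" from Control Panel, then run: Install-Module -Name MSOnline' }
    'Mixed'             { Write-Warning ('A pre-1.1 copy is still present at: ' + ($result.Legacy.ModuleBase -join ', ')) }
    'ModernAuthCapable' { Write-Output 'The installed MSOnline module supports modern authentication.' }
}
```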