Russell Gove
Iron Contributor
May 10, 2019

Using Connect-SPOService in Azure Runbooks with MFA Enabled Account

Hi,

I'm trying to move my SPO Admin scripts to Azure Runbooks. My Admin Account is MFA enabled. When I run the commands:

$creds=Get-AutomationPSCredential -Name 'MyCredentials'
Connect-SPOService -Url "$adminUrl" --Credential $creds
 
I get the error:
Connect-SPOService : A command that prompts the user failed because the host program or the command type does not 
support user interaction. The host was attempting to request confirmation with the following message: Enter your 
credentials.
Is it possible to use Connect-SPOService in Azure Runbooks with MFA Enabled Accounts?
  • Matt Weston
    Iron Contributor

    Hi Russell Gove, no you can't use an MFA account when doing this level of automation unfortunately as the usual behaviour is to open a popup to request the authentication. There are a couple of options which you have available to you:

     

    1. Use a "service account" which doesn't have MFA (this is the easiest way, just ensure you have a strong password on the account)

    2. Connect using App ID and Secret

     

    I hope that helps

    • Beau Cameron
      MVP

      Matt Weston Agreed. I prefer #2 as it's a more granular approach to permissions than re-using service accounts for multiple things in your environment.

      • Russell Gove
        Iron Contributor

        Beau Cameron Thanks for the info. So I created an app ID and secret, and then created a new credential in my Azure Automation account (called runbooksappidandsecret) using the app ID and secret.

         

        Then I try to use that credential in my script:

        param
        (
        [Parameter(Mandatory=$true)]
        [String] $SitePath
        )
        $creds=Get-AutomationPSCredential -Name 'runbooksappidandsecret'
        $adminUrl = Get-AutomationVariable -Name 'AdminUrl'
        Write-Output "Admin Url is $adminUrl"
        Connect-SPOService -Url "$adminUrl" -Credential $creds
        Write-Output "Connected"
         
        This gives me an error:
        Connect-SPOService : The 'username' argument is invalid.
        At line:9 char:1
        + Connect-SPOService -Url "$adminUrl" -Credential $creds
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], ArgumentException
            + FullyQualifiedErrorId : System.ArgumentException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService
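
Added example, not part of the original thread and not code from any participant: one way to carry out option 2 ("Connect using App ID and Secret") in a runbook. Connect-SPOService's -Credential parameter takes a user account, so this sketch uses Connect-PnPOnline with -ClientId and -ClientSecret instead. Assumptions: the PnP.PowerShell module is imported into the Automation account, the app has been granted SharePoint app-only permissions, and $SitePath is a full site URL.

```powershell
# Added example: Azure Automation runbook using app-only authentication.
# Assumes the PnP.PowerShell module is imported into the Automation account and
# that the credential asset holds the app (client) ID as the user name and the
# client secret as the password, as described in the post above.
param
(
    [Parameter(Mandatory = $true)]
    [String] $SitePath   # assumption: full URL of the site to look up
)

$ErrorActionPreference = 'Stop'

$creds    = Get-AutomationPSCredential -Name 'runbooksappidandsecret'
$adminUrl = Get-AutomationVariable -Name 'AdminUrl'

if ($null -eq $creds) {
    throw "Credential asset 'runbooksappidandsecret' was not found."
}

# An app ID is a GUID, not a user principal name; fail early if the asset
# holds something else.
$clientId = [Guid]::Empty
if (-not [Guid]::TryParse($creds.UserName, [ref] $clientId)) {
    throw "The user name stored in the credential asset is not an app (client) ID."
}

try {
    # Non-interactive sign-in: no credential prompt is raised, so the runbook
    # host is never asked for user interaction.
    Connect-PnPOnline -Url $adminUrl `
        -ClientId $clientId.ToString() `
        -ClientSecret $creds.GetNetworkCredential().Password

    Write-Output "Connected to $adminUrl as app $clientId"

    # Read-only call that confirms the app principal has the tenant
    # permissions the rest of the script will need.
    $site = Get-PnPTenantSite -Identity $SitePath
    Write-Output "Site: $($site.Url)"
}
finally {
    # Drop the connection even when an earlier step throws.
    Disconnect-PnPOnline -ErrorAction SilentlyContinue
}
```

Scoping the app registration to only the permissions the runbook needs is what gives the more granular control mentioned in the reply above, compared with a shared service account that has MFA disabled.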
         

         
