
Using Connect-SPOService in Azure Runbooks with MFA Enabled Account


Hi,

I'm trying to move my SPO Admin scripts to Azure Runbooks. My Admin Account is MFA enabled. When I run the commands:

# Credential asset stored in the Automation account (username + password of the admin account)
$creds = Get-AutomationPSCredential -Name 'MyCredentials'
# Note the single dash on -Credential; "--Credential" is not parsed as a parameter name
Connect-SPOService -Url "$adminUrl" -Credential $creds
I get the error:

Connect-SPOService : A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: Enter your credentials.
Is it possible to use Connect-SPOService in Azure Runbooks with MFA Enabled Accounts?
Solution (best response, confirmed by Beau Cameron (MVP))

Hi @Russell Gove, no, you can't use an MFA account when doing this level of automation, unfortunately, as the usual behaviour is to open a popup to request the authentication. There are a couple of options available to you:

1. Use a "service account" which doesn't have MFA (this is the easiest way; just ensure you have a strong password on the account)

2. Connect using App ID and Secret

I hope that helps

@Matt Weston Agreed. I prefer #2 as it's a more granular approach to permissions than re-using service accounts for multiple things in your environment.

@Beau Cameron Thanks for the info. So I created an app ID and secret, and then created a new credential in my Azure Automation account (called runbooksappidandsecret) using the app ID and secret.

Then I try to use that credential in my script:

param
(
    [Parameter(Mandatory=$true)]
    [String] $SitePath
)
# Credential asset holding the app ID as the username and the secret as the password
$creds = Get-AutomationPSCredential -Name 'runbooksappidandsecret'
# Variable asset with the tenant admin URL, e.g. https://tenant-admin.sharepoint.com
$adminUrl = Get-AutomationVariable -Name 'AdminUrl'
Write-Output "Admin Url is $adminUrl"
Connect-SPOService -Url "$adminUrl" -Credential $creds
Write-Output "Connected"
 
This gives me an error:
Connect-SPOService : The 'username' argument is invalid.
At line:9 char:1
+ Connect-SPOService -Url "$adminUrl" -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService

@Russell Gove My apologies, as I wasn't fully thinking in this regard. SPO cmdlets do not support app-only credentials... I forget because I only use the PnP cmdlets (as they have more features than the SPO cmdlets).

@Russell Gove

I am having the same problem, but I am actually trying to access PnP cmdlets. I'm fairly new, so I am curious about the process of "So I created an app ID and secret, and then created a new credential in my Azure Automation account (called runbooksappidandsecret) using the app ID and secret."

Could you tell me the process to get to this point?

Many thanks

Rob

@Beau Cameron How do you connect to PnP using the App ID and Secret? I have created the App and secret but I am stuck at that point... Your help would be hugely appreciated

@RobOnyxPublishing All of the options for connecting via PnP PowerShell can be found at https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline

The Client Secret option is Example #3 on the page. Microsoft's recommendation for the most secure method is to use a Certificate (Examples #6-8, but I prefer #7). It's a few extra steps to create and attach the Certificate to the App ID, but it is just as simple as the Client Secret approach after the initial setup, IMO. There is a link under the examples that shows all the steps to set it up.

@RobOnyxPublishing - A while ago I created a sample for PnP PowerShell with scripts to set this up using App Only, Azure AD App, and Azure Automation -

https://github.com/pnp/powershell/tree/dev/samples/Connect.AzureAutomation

Hope it helps.
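The replies above (app ID and secret as "Example #3", certificate auth as the recommended route, and the PnP Azure Automation sample) describe the setup but not what the runbook itself looks like once the assets exist. The following runbook is an added example written for this thread; it is not code from the original posts, the PnP docs, or the linked sample. It assumes a PnP.PowerShell module imported into the Automation account, an Azure AD app registration with the SharePoint Sites.FullControl.All application permission (admin-consented) and a certificate attached to it, a certificate asset named 'PnPAppCert' uploaded with its private key and marked exportable, a credential asset 'runbooksappidandsecret' whose username is the client ID and whose password is the secret, and variable assets 'AdminUrl' and 'TenantName'. All of those asset names are assumptions chosen for the example.

```powershell
# Added example runbook: app-only PnP PowerShell connection from Azure Automation.
# Not from the original thread or the PnP sample. Assumed assets (see lead-in):
#   certificate 'PnPAppCert', credential 'runbooksappidandsecret',
#   variables 'AdminUrl' (https://<tenant>-admin.sharepoint.com) and
#   'TenantName' (<tenant>.onmicrosoft.com).
param(
    [Parameter(Mandatory = $true)]
    [string] $SitePath,

    # 'Certificate' is the route the thread recommends; 'ClientSecret' is Example #3.
    [ValidateSet('Certificate', 'ClientSecret')]
    [string] $AuthMode = 'Certificate'
)

$ErrorActionPreference = 'Stop'

$adminUrl   = Get-AutomationVariable -Name 'AdminUrl'
$tenantName = Get-AutomationVariable -Name 'TenantName'

# The client ID is stored as the username of the credential asset, so it can be
# read without ever pulling the secret into a variable when using a certificate.
$appCreds = Get-AutomationPSCredential -Name 'runbooksappidandsecret'
$clientId = $appCreds.UserName

switch ($AuthMode) {
    'Certificate' {
        # Get-AutomationCertificate returns an X509Certificate2 from the encrypted
        # certificate asset. PnP accepts the certificate as a Base64-encoded PFX,
        # which only works if the asset was uploaded with an exportable private key.
        $cert = Get-AutomationCertificate -Name 'PnPAppCert'
        if (-not $cert.HasPrivateKey) {
            throw "Certificate asset 'PnPAppCert' has no private key; re-upload it as a PFX marked exportable."
        }
        $pfxBytes  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12)
        $pfxBase64 = [Convert]::ToBase64String($pfxBytes)

        Connect-PnPOnline -Url $adminUrl `
                          -ClientId $clientId `
                          -Tenant $tenantName `
                          -CertificateBase64Encoded $pfxBase64
    }
    'ClientSecret' {
        # Secret is decrypted only here, at run time, from the credential asset.
        $secret = $appCreds.GetNetworkCredential().Password
        Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $secret
    }
}

# Sanity check that the app-only context actually works before doing admin work.
$connection = Get-PnPConnection
Write-Output "Connected as app $clientId to $($connection.Url) using $AuthMode"

# Use the tenant admin connection for the site the caller asked about.
$site = Get-PnPTenantSite -Identity $SitePath
Write-Output "$($site.Url): $($site.StorageUsageCurrent) MB in use, template $($site.Template)"
```

Two caveats for anyone copying this pattern. First, the -ClientSecret path in Connect-PnPOnline is the legacy SharePoint app-only (ACS) flow: the client ID and secret it expects come from the app principal registered at /_layouts/15/appregnew.aspx and granted at appinv.aspx, not from the Azure AD app registration's own client secret, and Microsoft has been disabling that ACS flow on new tenants by default, so the certificate path is the one to build on. Second, the "service account without MFA" option from the accepted answer leaves a standing password-only identity with full admin rights; the app-only approach gives the runbook its own identity whose permissions you can scope and whose credential never needs to be typed by a human.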
