SOLVED

Using Connect-SPOService in Azure Runbooks with MFA Enabled Account


Hi,

I'm trying to move my SPO Admin scripts to Azure Runbooks. My Admin Account is MFA enabled. When I run the commands:

$creds=Get-AutomationPSCredential -Name 'MyCredentials'
Connect-SPOService -Url "$adminUrl" --Credential $creds
 
I get the error:
Connect-SPOService : A command that prompts the user failed because the host program or the command type does not 
support user interaction. The host was attempting to request confirmation with the following message: Enter your 
credentials.
Is it possible to use Connect-SPOService in Azure Runbooks with MFA Enabled Accounts?
4 Replies
Solution

Hi @Russell Gove, no you can't use an MFA account when doing this level of automation unfortunately as the usual behaviour is to open a popup to request the authentication. There are a couple of options which you have available to you:

 

1. Use a "service account" which doesn't have MFA (this is the easiest way, just ensure you have a strong password on the account)

2. Connect using App ID and Secret

 

I hope that helps


@Matt Weston Agreed. I prefer #2 as it's a more granular approach to permissions than re-using service accounts for multiple things in your environment.


@Beau Cameron Thanks for the info. So I created an app ID and secret, and then created a new credential in my Azure Automation account (called runbooksappidandsecret) using the app id and secret.

 

Then I try to use that credential in my script:

param
(
[Parameter(Mandatory=$true)]
[String] $SitePath
)
$creds=Get-AutomationPSCredential -Name 'runbooksappidandsecret'
$adminUrl = Get-AutomationVariable -Name 'AdminUrl'
Write-Output "Admin Url is $adminUrl"
Connect-SPOService -Url "$adminUrl" -Credential $creds
Write-Output "Connected"
 
This gives me an error:
Connect-SPOService : The 'username' argument is invalid.
At line:9 char:1
+ Connect-SPOService -Url "$adminUrl" -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService
 

 


@Russell Gove My apologies as I wasn't fully thinking in this regard. SPO Commandlets do not support app only credentials... I forget because I only use the PnP Commandlets (as they have more features than the SPO commandlet).
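
Added example, not part of the original thread or written by any of its participants: a runbook that uses the app ID and secret from the credential asset with the PnP cmdlets mentioned in the last reply, since Connect-SPOService rejects them. It assumes the PnP.PowerShell module is imported into the Automation account and that the app registration has already been granted SharePoint tenant permissions; the asset and variable names are the ones used in the thread.

```powershell
param
(
    [Parameter(Mandatory = $true)]
    [String] $SitePath
)

# Fail the job on the first error instead of continuing half-connected.
$ErrorActionPreference = 'Stop'

# Credential asset from the thread: UserName = app (client) ID, Password = client secret.
$creds    = Get-AutomationPSCredential -Name 'runbooksappidandsecret'
$adminUrl = Get-AutomationVariable -Name 'AdminUrl'

if ($null -eq $creds) {
    throw "Credential asset 'runbooksappidandsecret' was not found."
}

# An app ID is a GUID. Fail early if the asset holds a user account instead,
# which would otherwise surface later as a confusing authentication error.
$appId = [Guid]::Empty
if (-not [Guid]::TryParse($creds.UserName, [ref] $appId)) {
    throw "Credential asset does not contain an app ID in its user name field."
}

$connected = $false
try {
    # App-only sign-in: nothing interactive is requested, so no MFA prompt is attempted.
    # The secret is passed straight to the cmdlet and never written to the job output.
    Connect-PnPOnline -Url $adminUrl -ClientId $appId.ToString() `
        -ClientSecret ($creds.GetNetworkCredential().Password)
    $connected = $true
    Write-Output "Connected to $adminUrl as app $appId"

    # Tenant-level read, standing in for the admin work the SPO scripts did.
    $site = Get-PnPTenantSite -Identity $SitePath
    Write-Output "Site $($site.Url) status: $($site.Status)"
}
finally {
    # Drop the session only if one was actually established.
    if ($connected) { Disconnect-PnPOnline }
}
```

Because the app registration is used only by this runbook, its permissions and secret can be scoped and rotated without touching any user or shared service account.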