Office 365 Username with App password not working in PowerShell script


Hi All,

I need to use an App password in a PowerShell script that will be running constantly. The script needs to monitor an item on a server so needs to be running 24 hours a day, 7 days a week. It works OK if I use an Office 365 user account that has MFA disabled and I use its username and password, but it stops working if MFA is enabled and I use an App Password.

This is the procedure I use in using an App password:


1) MFA is enabled on the Office 365 user account.

2) Create an App Password for the user account.

3) Run the credentials script to create the username and password encrypted text files:
#################################################################
# Save the credential as two DPAPI-protected files. ConvertFrom-SecureString
# without -Key encrypts with the Windows Data Protection API, so the files can
# only be decrypted by the same Windows user on the same machine that wrote them.
$Location = ".\"

$securecred = Get-Credential

# The username is not secret, but it is stored the same way so both files are handled alike.
$securecred.UserName | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Set-Content (Join-Path $Location "Username.txt")

$securecred.Password | ConvertFrom-SecureString | Set-Content (Join-Path $Location "Password.txt")
#################################################################


4) Run the main script that uses the credentials txt files:
#################################################################
# additional variable and setup code above...
# $PassLocation must point at the folder written by the credentials script, and
# this script must run as the same Windows user on the same machine, otherwise
# ConvertTo-SecureString cannot decrypt the DPAPI-protected files.

# Recover the plaintext username from the protected file.
$username = Get-Content (Join-Path $PassLocation "Username.txt") | ConvertTo-SecureString
$BSTRU = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($username)
try {
    $username = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTRU)
} finally {
    # Zero and release the unmanaged copy of the decrypted string.
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTRU)
}

$AdminUserName = $username
# The password stays a SecureString; PSCredential accepts it directly.
$SecurePassword = Get-Content (Join-Path $PassLocation "Password.txt") | ConvertTo-SecureString

$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminUserName, $SecurePassword

$AdminSiteURL = "https://mySubscription.sharepoint.com/sites/Demo/"

Connect-PnPOnline -Url $AdminSiteURL -Credentials $Cred

# additional variable and setup code below...
#################################################################

5) Error messages when using username with App password credentials:
---------------------------------
50126: Error validating credentials due to invalid username or password.
Trace ID: 94e...248618f34a00
Correlation ID: 7c7df2...80dcac538d78
Timestamp: 2021-03-21 14:09:59Z
Error Connecting: AADSTS50126: Error validating credentials due to invalid username or password.
Trace ID: 40337fb4...513e9474900
Correlation ID: 04bb5...cb733d5110f6
Timestamp: 2021-03-21 14:10:00Z
Error Connecting: AADSTS50126: Error validating credentials due to invalid username or password.
Trace ID: 589e2968cc3c...f5d1c4700
---------------------------------


I know the main script is OK because it works perfectly when I disable MFA and create the credential text files using the user account username and password.

Is using a username and App Password the best and secure way to run a PowerShell script that needs to run constantly?


I hope you can help

Colin

2 Replies
App passwords are not really considered secure, and are thus not available for use with PowerShell.
Well, at least for most O365 related PowerShell modules, I haven't tried PnP.
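App passwords are only honoured by legacy (basic) authentication; a modern-auth cmdlet such as Connect-PnPOnline -Credentials submits them to Azure AD as an ordinary password, which is consistent with the AADSTS50126 "invalid username or password" error in the post. The unattended alternative that keeps MFA on the human accounts is an Azure AD app registration that authenticates with a certificate instead of any password. The script below is an added example, not code from the original post or from the PnP project. It assumes the PnP.PowerShell module is installed, that an app registration already exists with the required SharePoint application permissions granted and the certificate's public key uploaded to it, and that the tenant name, ClientId and site URL are placeholders to be replaced.

```powershell
# Added example (not from the original post): certificate-based, app-only
# authentication for an unattended PnP PowerShell job, replacing the
# username + app-password approach. Assumes PnP.PowerShell is installed and an
# Azure AD app registration exists with SharePoint application permissions
# granted; the tenant, ClientId and URL below are placeholders.
#Requires -Modules PnP.PowerShell

$Tenant      = "mySubscription.onmicrosoft.com"          # assumption: tenant name
$ClientId    = "00000000-0000-0000-0000-000000000000"    # assumption: app registration's Application (client) ID
$SiteUrl     = "https://mySubscription.sharepoint.com/sites/Demo/"
$CertSubject = "CN=PnP-Monitor-Job"                      # assumption: subject used for the job certificate

# One-time setup, run once as the Windows account the scheduled job will use:
# create a non-exportable self-signed certificate in that user's store and
# export only its public half for upload to the app registration under
# "Certificates & secrets". No private key or password is written to disk.
function New-JobCertificate {
    param([string]$Subject, [string]$PublicKeyPath)
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy NonExportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1)
    Export-Certificate -Cert $cert -FilePath $PublicKeyPath | Out-Null
    return $cert.Thumbprint
}

# Look the certificate up by subject at run time so neither a thumbprint nor a
# secret has to live in the script; fail loudly if it is missing or expired.
function Get-JobCertificate {
    param([string]$Subject)
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My" |
        Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No unexpired certificate with subject '$Subject' in Cert:\CurrentUser\My"
    }
    return $cert
}

# Connect with the app identity. Connect-PnPOnline -Thumbprint reads the private
# key from the certificate store; no user password or app password is involved,
# so MFA on the human accounts stays enforced and the job is unaffected by it.
function Connect-JobSite {
    param([string]$Url, [string]$ClientId, [string]$Tenant, [string]$Subject)
    $cert = Get-JobCertificate -Subject $Subject
    Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant $Tenant -Thumbprint $cert.Thumbprint
}

# Usage:
#   First run only:
#     New-JobCertificate -Subject $CertSubject -PublicKeyPath ".\PnP-Monitor-Job.cer"
#     then upload PnP-Monitor-Job.cer to the app registration.
#   Every run:
Connect-JobSite -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Subject $CertSubject
Get-PnPWeb | Select-Object Title, Url
```

Because the private key is non-exportable and lives in the job account's own certificate store, the script itself contains nothing worth stealing, and revoking access is a matter of deleting the certificate from the app registration. Grant the registration only the SharePoint application permissions the monitor actually needs rather than a broad tenant-wide role.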