SharePoint Online Management Shell & Forcing Modern Authentication

  • Article

I recently worked with a customer that had a unique ADFS setup within their organization. The organization had added an ADFS Claim rule to block legacy authentication requests if they did not originate from an expected IP address range. After doing so Connect-SPOService still worked however, when saving credentials to a variable using Get-Credential then passing to Connect-SPOService it would fail.

When using Connect-SPOService by itself, it will prompt for credentials and you are able to login successfully. The moment you assign your credentials to a variable using Get-Credential then pass that variable to Connect-SPOService you will receive an error message saying: The partner returned a bad sign-in name or password error.

Remember, not everyone will have this issue. This has to do with the unique ADFS setup that I talked about in the opening paragraph of this Blog post. You may ask, why don't I just authenticate using Connect-SPOService by itself without saving my credentials to a variable? The answer is that if I want to re-use these credentials later in my PowerShell script, I will be unable to do so without the script stopping until I enter my credentials again as they are not assigned to a variable.

Below are the steps that work:

 Connect-SPOService -Url https://contoso-admin.sharepoint.com

Below are the steps that do not work:

 $creds = Get-Credential
Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credential $creds
Connect-SPOService : The partner returned a bad sign-in name or password error. For more information, see Federation
Error-handling Scenarios.
At line:1 char:1
+ Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credenti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Connect-SPOService], IdcrlException
 + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.Connec
 tSPOService

The workaround that we found was to add a registry key on the client computer that is using the SharePoint Online Management Shell. Once we add the registry key it forced Modern Authentication and we were able to get this scenario to work. Below is the registry key:

 HKEY_CURRENT_USER\Software\Microsoft\SPO\CMDLETS]
"ForceOAuth"=dword:00000001

Now when we store our credentials in a variable and pass that variable to Connect-SPOService it works. Please keep in mind that this post was created in October of 2017 and may no longer be relevant in future releases in the SharePoint Online Management Shell. Also, always be careful when modifying the registry and take a backup before doing so.