MFA Error & New Issues

[kralPT]

Been using PnP.Powershell in Azure Runbooks to manipulate term store for over a year.

Over the past week, all my runbooks stopped working due to the same error, that seems like it could be fixed by a simple "Connect-PnPOnline" on the cloud shell.

All scripts throw the following error:

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '########-####-####-####-000000000000'. Trace ID: <trace id ... . . . .> Correlation ID: <corr id . . ... . . .> Timestamp: 2021-10-25 05:43:17Z

I've gone to the Azure cloud shell and run "Connect-SPOService" it returns the following error:

Connect-SPOService: The term 'Connect-SPOService' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Then of course I try "Connect-PnPOnline" it returns this error:

Connect-PnPOnline: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '########-####-####-####-000000000000'. Trace ID: <trace id . . . . .... . .> Correlation ID: <corr. id . .. . . .> Timestamp: 2021-10-25 05:23:44Z

I've upgraded to PnP.Powershell 1.8 on both the cloud shell and in Azure SPO Automation Modules.

Any ideas?

I found this, which doesn't have a date so I'm not sure if this is new or not
https://pnp.github.io/powershell/articles/upgrading.html#:~:text=Upgrading%20from%20the%20Legacy%20version%20of%20PnP%20PowerShell.,the%20new%20module%3A%20Install-Module%20-Name%20%22PnP.PowerShell%22%20Setup%20authentication.

When I run
Register-PnPManagementShellAccess
on my cloud shell in azure it just hangs...

[AndersRask]

Could you share the code you use to connect? If you are using credentials (you really shouldn’t) then maybe your admin have enabled Multi Factor authentication. If you used the RunAsAccount service principal created with your Automation account, do notice that the certificates normally expire after a year. It does not look like that is the issue though, with the error you describe. Kind regards Anders Ras Fra: kralPT ***@***.***> Sendt: Monday, 25 October 2021 07.58 Til: pnp/powershell ***@***.***> Cc: Subscribed ***@***.***> Emne: [pnp/powershell] MFA Error & New Issues (Discussion #1293) Been using PnP.Powershell in Azure Runbooks to manipulate term store for over a year. Over the past week, all my runbooks stopped working due to the same error, that seems like it could be fixed by a simple "Connect-PnPOnline" on the cloud shell. All scripts throw the following error: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0ff1-ce00-000000000000'. Trace ID: 382a6d9c-2880-44cb-95be-93eb998c2501 Correlation ID: 67bb61b9-8895-4a07-8db2-983c7716ae12 Timestamp: 2021-10-25 05:43:17Z I've gone to the Azure cloud shell and run "Connect-SPOService" it returns the following error: Connect-SPOService: The term 'Connect-SPOService' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Then of course I try "Coonect-PnPOnline" it returns this error: Connect-PnPOnline: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '########-####-####-####-000000000000'. Trace ID: <trace id . . . . .... . .> Correlation ID: <corr. id . .. . . .> Timestamp: 2021-10-25 05:23:44Z I've upgraded to PnP.Powershell 1.8 on both the cloud shell and in Azure SPO Automation Modules. Any ideas? I found this, which doesn't have a date so I'm not sure if this is new or not https://pnp.github.io/powershell/articles/upgrading.html#:~:text=Upgrading%20from%20the%20Legacy%20version%20of%20PnP%20PowerShell.,the%20new%20module%3A%20Install-Module%20-Name%20%22PnP.PowerShell%22%20Setup%20authentication. When I run Register-PnPManagementShellAccess on my cloud shell in azure it just hangs... — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#1293>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAMTDTUJPKIOEUPZTPUF43DUITWX7ANCNFSM5GUM7OQA>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[kralPT]

@AndersRask Thank you for your insight.

Here is the simple script I'm using:
`$myCred = Get-AutomationPSCredential -Name "SPO Admin Cred"

Connect-PnPOnline -Url "https://tenantname-admin.sharepoint.com" -Credential $myCred`

What do you mean by "using creds...shouldn't"? I'm not writing the user/pwd into the code, I'm using SPO Creds contained in the Credentials of Azure Automation account. I believe that is the preferred way, please correct me if I'm wrong.

I changed this account's pwd a few times over the year, and when I did that I'd run Connect-SPOService from my Azure cloudshell and it would pop an MFA challenge and all would be well. Not this time.

Thanks again.

[AndersRask]

Hi so if I understand correctly you do not get MFA prompt if you use it from cloud shell or other interactive login? it may be because your admin have disabled legacy authentication then - though this is usually combined with setting up MFA. This is part of why logging in with credentials instead of service principals or managed identity should be the preferred way depending on what you log into from the runbook. The easiest way to find out what causes you to not be able to log in is to check the Sign In log in AAD for the user in question. I recommend you use Managed Identity, App-Only Principal or App Registration with certificate or secret for a more secure login for your automation needs. Be aware that secrets and certificates need to be renewed every year (or less depending on how you create them) kind regards Anders

…

________________________________ From: kralPT ***@***.***> Sent: 25 October 2021 20:28 To: pnp/powershell ***@***.***> Cc: Anders Rask ***@***.***>; Mention ***@***.***> Subject: Re: [pnp/powershell] MFA Error & New Issues (Discussion #1293) @AndersRask<https://github.com/AndersRask> Thank you for your insight. Here is the simple script I'm using: $myCred = Get-AutomationPSCredential -Name "SPO Admin Cred" Connect-PnPOnline -Url "https://tenantname-admin.sharepoint.com" -Credential $myCred What do you mean by "using creds...shouldn't"? I'm not writing the user/pwd into the code, I'm using SPO Creds contained in the Credentials of Azure Automation account. I believe that is the preferred way, please correct me if I'm wrong. I changed this account's pwd a few times over the year, and when I did that I'd run Connect-SPOService from my Azure cloudshell and it would pop an MFA challenge and all would be well. Not this time. Thanks again. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1293 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAMTDTVLRWC25KCS2JN2E2LUIWOUTANCNFSM5GUM7OQA>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.