Authenticating SharePoint with Multi Factor Authentication using PnP PowerShell

SharePoint PnP PowerShell is super helpful when you have scheduled jobs running: you just need to create a package and schedule it in your job scheduler.

But the issue comes when Multi-factor Authentication is enabled on the tenant. With Multi-factor Authentication, sign-in needs an attended (interactive) prompt, which is impossible for scheduled PowerShell execution.

We do have details in the PnP PowerShell App Permission article, but since it did not cover the complete approach, I thought I would jot it down.

With that in place, the solution is to authenticate using the Azure AD App authentication mechanism. We had raised an issue in GitHub and got a response from PnP legend Erwin van Hunen that the Add-In method is recommended. I had to spend some time myself to get it completed, so I thought I would jot down the steps I followed.

Please keep in mind the pre-requisites for the approach below:

  • PnP PowerShell in your machine
  • SharePoint Online
  • Azure AD Management Permission
    • Since you are going to create an application in Azure AD, you need permission to register applications

Steps are as below.

Generate Certificate

The first step is to generate a certificate on the machine where your script is going to reside. The private key stays in the PFX on that machine; only the public certificate is later added to the Azure AD application.

Execute the following script:

$CommonName = "SP Online PowerShell Authentication"
$OrganizationName = "AUM INC."
$CertificatePath = "C:\PowerShellScript\Certifate\PnPPSSPACerti.PFX"   # folder must already exist

# Creates a self-signed certificate and writes the PFX (with private key) to -Out
$AuthenticatorCertificate = New-PnPAzureCertificate -CommonName $CommonName -Organization $OrganizationName -Out $CertificatePath

# The KeyCredentials JSON is what goes into the Azure AD application manifest
Write-Host $AuthenticatorCertificate.KeyCredentials


The above script will generate the PFX file at that location and print something like the below.

{
    "customKeyIdentifier": "1ul973dyLaLHe2M0K356uYk9Eus=",
    "keyId": "a838805d-b1a4-4c8f-83ee-0aaeecb92619",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "<base64-encoded public certificate, omitted here>"
}

Important things to note:

  1. Please note down the certificate path, since we need it during PowerShell authentication.
  2. Please copy the KeyCredential JSON which is displayed after the certificate generation script. We will need it in the next step.

Create AD Application in Azure

Create Application

  • Go to Azure Portal
  • Click Active Directory


Configure Manifest File

  • Click on the application which you created
  • Click on Manifest, which will open an editor
  • Add the KeyCredential copied from Step 1 in the keyCredentials section; after adding, it looks something like below.
  • Please make sure there are no pasting errors

  • Save the Manifest file
  • Copy the Application ID of the Azure AD application
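As an added check that is not part of the original post: the following script verifies that the keyCredential pasted into the manifest really belongs to the PFX generated in Step 1, and warns if the certificate is close to expiry. It assumes the manifest has been downloaded from the portal to $ManifestPath (a placeholder path).

```powershell
# Added example (not from the original post): confirm the manifest keyCredential matches the PFX.
# Assumption: $ManifestPath is where you saved the manifest downloaded from the Azure Portal.
$CertificatePath = "C:\PowerShellScript\Certifate\PnPPSSPACerti.PFX"
$ManifestPath    = "C:\PowerShellScript\Certifate\manifest.json"   # assumed location

# Load the certificate from the PFX (prompts for the password if one was set)
$cert = Get-PfxCertificate -FilePath $CertificatePath

# Azure AD identifies the key by the base64 SHA-1 thumbprint (customKeyIdentifier)
# and stores the base64 DER public certificate in "value"; derive both from the PFX
$expectedKeyId = [Convert]::ToBase64String($cert.GetCertHash())
$expectedValue = [Convert]::ToBase64String($cert.RawData)

$manifest = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
$match = $manifest.keyCredentials | Where-Object {
    $_.customKeyIdentifier -eq $expectedKeyId -and
    $_.value -eq $expectedValue -and
    $_.type -eq "AsymmetricX509Cert" -and
    $_.usage -eq "Verify"
}

if (-not $match) {
    throw "No keyCredential in $ManifestPath matches certificate $($cert.Thumbprint); re-check the pasted JSON."
}

# An expired certificate makes the unattended job fail with no one watching, so warn early
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days ($($cert.NotAfter))."
}
Write-Host "Manifest keyCredential matches certificate $($cert.Thumbprint); valid until $($cert.NotAfter)."
```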

Give API Permission

Now that we have the application, we need to grant it permission to the SharePoint API. For that, follow the steps below:


  • Click the Azure AD App which you created in the step above
    • Please click on App Registrations (Preview), which has better features than the classic Azure AD Application blade
  • Click API Permissions
  • Click Add Permission
  • Click Application Permissions
  • Then click ReadWriteAll under the SharePoint permissions
    • In our case, we just need write access. If you need higher permission than that, click FullControl

  • Once the changes are saved, we need to Grant Consent for the application
  • This step ensures the needed admin consent is given for the API access

  • Once it is saved, you will see the consent granted

Connect to SharePoint

The above concludes the pre-requisite setup and we are good to connect to SharePoint Online using PnP PowerShell.

Following is the code needed to connect:

$SPOnlineTenant = "contoso.onmicrosoft.com"
$ClientID = "187d3a48-668c-4e3c-b723-750b9330c9b3"   # Application (client) ID of the Azure AD application
$SiteURL = "https://contoso.sharepoint.com/sites/AUMRnD/PS"
$CertificatePath = "C:\PowerShellScript\Certifate\PnPPSSPACerti.PFX"   # PFX generated in Step 1

# App-only connection: no user sign-in, so no MFA prompt
Connect-PnPOnline -CertificatePath $CertificatePath -Tenant $SPOnlineTenant -ClientId $ClientID -Url $SiteURL

$ListName = "Authenticator"

Add-PnPListItem -List $ListName -Values @{"Title" = "Adding items from Azure AD Authentication"}


This will add a simple item to the list. And BINGO, we are ready for scheduled script execution even though the tenant has multi-factor authentication enabled.
