Recently I described how to disable Basic Authentication for SharePoint Online.
After disabling Basic Authentication in SharePoint, Connect-SPOService cannot connect to SharePoint Online in the standard configuration.
As an example, Basic Authentication has been deactivated in my SharePoint tenant. Connect-SPOService returns an error.
Sign-in logs from Entra ID show no error during sign-in.
After reactivating Basic Authentication in SharePoint, Connect-SPOService works again.
A check of the sign-in logs shows the cause: Connect-SPOService continues to use Basic Authentication.
GitHub Copilot confirms the situation.
The Connect-SPOService cmdlet by default uses basic authentication, which involves providing a username and password. This method does not support modern authentication features such as multi-factor authentication (MFA) or conditional access policies. If not used with HTTPS, credentials can be intercepted by attackers through man-in-the-middle attacks.
In September 2022, the ModernAuth parameter was added to the Connect-SPOService documentation in a GitHub commit.
ModernAuth
Ensures that SharePoint Online tenant administration cmdlets can connect to the service using modern TLS protocols. To use it you also need to provide the AuthenticationUrl parameter.
Unfortunately, Microsoft has not yet changed the default value for ModernAuth. It is False. Without the explicit addition, Connect-SPOService still connects with Basic Authentication.
I deactivate Basic Authentication in SharePoint Online again.
A new attempt with Modern Authentication.
# PowerShell 5 only
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService `
-Url "https://<Tenantname>-admin.sharepoint.com" `
-Credential <Credentials> `
-ModernAuth $true `
-AuthenticationUrl "https://login.microsoftonline.com/organizations"
The connection is established.
A check of the sign-in logs returns a new result.
- The login is logged as an interactive sign-in.
- The application is “Microsoft SharePoint Online Management Shell”.
- The client app is “Mobile Apps and Desktop clients”.
Mobile Apps and Desktop clients
In Entra ID sign-in logs, the client app “Mobile Apps and Desktop clients” refers to applications that use modern authentication protocols such as OAuth 2.0 and OpenID Connect.
Conclusion for SharePoint administrators
Extend your Connect-SPOService connection method with the two parameters ModernAuth and AuthenticationUrl. This very simple change allows you to use Modern Authentication.
Connect-SPOService does not support a connection method via client ID + certificate. Administrators should use PnP.PowerShell and Connect-PnPOnline for this method.
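Because ModernAuth defaults to False, existing admin scripts keep using Basic Authentication until each call is changed. The following added example (not from the original post and not part of Microsoft's module) uses PowerShell's built-in AST parser to report Connect-SPOService calls that lack ModernAuth or AuthenticationUrl. The function name Find-LegacySpoConnect and the contoso sample script are assumptions made for illustration; parameter names are matched exactly, so abbreviated parameter names are not recognized.

```powershell
# Added example; Find-LegacySpoConnect is a hypothetical helper, not a Microsoft cmdlet.
function Find-LegacySpoConnect {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every Connect-SPOService invocation, including those nested in functions.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -eq 'Connect-SPOService'
    }, $true)

    foreach ($call in $calls) {
        $elements = @($call.CommandElements)
        $seen = @{}; $splatted = $false
        for ($i = 0; $i -lt $elements.Count; $i++) {
            $e = $elements[$i]
            if ($e -is [System.Management.Automation.Language.VariableExpressionAst] -and $e.Splatted) {
                $splatted = $true   # @params hides the arguments from static analysis
            }
            if ($e -isnot [System.Management.Automation.Language.CommandParameterAst]) { continue }
            # The value is attached (-Name:value) or is the next element (-Name value).
            $value = if ($e.Argument) { $e.Argument } elseif ($i + 1 -lt $elements.Count) { $elements[$i + 1] }
            $seen[$e.ParameterName] = "$($value.Extent.Text)"
        }
        $issues = @()
        if ($splatted) {
            $issues += 'splatted parameters, review manually'
        } else {
            if (-not $seen.ContainsKey('ModernAuth')) { $issues += 'ModernAuth missing (default is False)' }
            elseif ($seen['ModernAuth'] -eq '$false') { $issues += 'ModernAuth set to $false' }
            if (-not $seen.ContainsKey('AuthenticationUrl')) { $issues += 'AuthenticationUrl missing' }
        }
        if ($issues) {
            [pscustomobject]@{ Line = $call.Extent.StartLineNumber; Issues = $issues -join '; ' }
        }
    }
}
# Constructed sample script (contoso is a placeholder tenant name).
$sample = @'
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred `
    -ModernAuth $true -AuthenticationUrl "https://login.microsoftonline.com/organizations"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -ModernAuth:$false
'@
Find-LegacySpoConnect -ScriptText $sample | Format-Table -AutoSize
```

To audit real scripts, pass each file's content with `Get-Content -Raw` instead of the sample string.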
Microsoft.Online.SharePoint.PowerShell in PowerShell 7
The Microsoft.Online.SharePoint.PowerShell module only supports PowerShell 5.
To use it in PowerShell 7 you have to import it in PowerShell 5 mode.
# With PowerShell 7
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell
# Optional, to ignore the warnings
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell -WarningAction SilentlyContinue