Office 365 : Connecting to SharePoint online site using CSOM when Multi-Factor Authentication (MFA) is enabled for the user

All,

Today, in this article, we will discuss how to connect to a SharePoint Online site with an account for which Multi-Factor Authentication is enabled. We will also discuss one of the exceptions we got.

Background: We have a SharePoint Online site. For one of our requirements we needed to write a tool, so we decided to go with the CSOM (Client Side Object Model) approach through a console application. While connecting, we got the exception “The sign-in name or password does not match one in the Microsoft account system.”

The following is our normal code to connect to the SharePoint Online site through CSOM:

using System.Security;
using Microsoft.SharePoint.Client;

ClientContext context = new ClientContext("<Site URL>");
string pw = "password";

// Credentials: SharePointOnlineCredentials takes the password as a SecureString
SecureString password = new SecureString();
foreach (char c in pw.ToCharArray())
{
    password.AppendChar(c);
}
SharePointOnlineCredentials spocr =
    new SharePointOnlineCredentials("username@domain.onmicrosoft.com", password);
context.Credentials = spocr;

// The SharePoint web at the URL.
Web web = context.Web;
// We want to retrieve the web's title and description.
context.Load(web, w => w.Title, w => w.Description);
// Execute the query against the server.
context.ExecuteQuery();

 

But we were getting the following error:

The sign-in name or password does not match one in the Microsoft account system.
$exception - {"The sign-in name or password does not match one in the Microsoft account system."}
Microsoft.SharePoint.Client.IdcrlException

ErrorCode - 2147186655
HResult - 2147186655
Message - "The sign-in name or password does not match one in the Microsoft account system."
Source - "Microsoft.SharePoint.Client.Runtime"
stacktrace -
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String securityXml, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String username, String password, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.GetAuthenticationCookie(Uri url, String username, SecureString password, Boolean alwaysThrowOnFailure, EventHandler`1 executingWebRequest)
   at Microsoft.SharePoint.Client.SharePointOnlineCredentials.GetAuthenticationCookie(Uri url, Boolean refresh, Boolean alwaysThrowOnFailure)
   at Microsoft.SharePoint.Client.ClientRuntimeContext.SetupRequestCredential(ClientRuntimeContext context, HttpWebRequest request)
   at Microsoft.SharePoint.Client.SPWebRequestExecutor.GetRequestStream()
   at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
   at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
   at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
Figure 1 : Exception while connecting to SharePoint online with an MFA-enabled account

We verified the user name and password, and they seemed to be correct. The same code also used to work previously, so we were wondering why this was happening. As usual, after googling a bit we found a nice article, http://sharepointconnoisseur.blogspot.in/2015/09/how-to-resolve-error.html, which gave us the clue. We had recently enabled Multi-Factor Authentication on our Office 365 site, so each user not only needs to enter their credentials but also the code from the authenticator app. SharePointOnlineCredentials supplies only a user name and password and has no way to provide that second factor, which is the main reason the sample code above stopped working and threw the exception shown above.

Approach to connect to SharePoint Online through CSOM when Multi-Factor Authentication is enabled:

We have to use the PnP Core library. If it is not installed in your environment, install it using the NuGet manager, where it can be found by searching for the string “SharePointPnPCoreOnline”.

Figure 2 : PnP core library in NuGet manager – SharePoint PnPCoreOnline

Once the PnP Core library is installed, we use the following code to connect to SharePoint Online in our console application:

using System;
using Microsoft.SharePoint.Client;

// Opens a browser-based sign-in window, so the MFA prompt can be answered.
var authenticationManager =
    new OfficeDevPnP.Core.AuthenticationManager();

ClientContext context =
    authenticationManager.GetWebLoginClientContext("<Site URL>", null);

// Load the web and the signed-in user to confirm the connection works.
Web web = context.Web;
User user = web.CurrentUser;
context.Load(web);
context.Load(user);
context.ExecuteQuery();
Console.WriteLine(web.Title);
Console.WriteLine(user.LoginName);
Console.ReadLine();

When we run the application, we are prompted to enter the credentials:

Figure 3 : Prompt to enter the credentials to connect SharePoint online when MFA enabled

Once we have entered the credentials, the next prompt asks for the code from the authenticator app:

Figure 4 : Prompt for entering code from Authenticator app to connect SharePoint online when MFA enabled

Once we enter the code from our authenticator app, we will get connected to SharePoint online.

In this way we will connect to SharePoint online when Multi-Factor Authentication (MFA) is enabled.
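
The two snippets above combined into one console program, as an added example that is not code from the original article: it prompts for the password instead of hard-coding it, and when the password-only sign-in throws the IdcrlException shown in the stack trace it falls back to the PnP web login. The class name, method names and command-line arguments are assumptions made for illustration.

```csharp
using System;
using System.Security;
using Microsoft.SharePoint.Client;

class MfaAwareConnect   // hypothetical name
{
    // Read the password without echo into a SecureString; nothing is hard-coded.
    static SecureString ReadPassword()
    {
        var pw = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace) { if (pw.Length > 0) pw.RemoveAt(pw.Length - 1); }
            else if (!char.IsControl(key.KeyChar)) pw.AppendChar(key.KeyChar);
        }
        Console.WriteLine();
        pw.MakeReadOnly();
        return pw;
    }
    static ClientContext Connect(string siteUrl, string userName)
    {
        var context = new ClientContext(siteUrl);
        Console.Write("Password for " + userName + ": ");
        context.Credentials = new SharePointOnlineCredentials(userName, ReadPassword());
        try
        {
            context.Load(context.Web, w => w.Title);
            context.ExecuteQuery();   // password-only sign-in happens here
            return context;
        }
        catch (IdcrlException ex)
        {
            // Type from the article's stack trace; the message never mentions MFA.
            Console.Error.WriteLine("Password sign-in rejected: " + ex.Message);
            context.Dispose();
            return new OfficeDevPnP.Core.AuthenticationManager().GetWebLoginClientContext(siteUrl, null);
        }
    }
    static void Main(string[] args)   // args: <site URL> <user name>
    {
        using (ClientContext context = Connect(args[0], args[1]))
        {
            context.Load(context.Web, w => w.Title);
            context.ExecuteQuery();
            Console.WriteLine(context.Web.Title);
        }
    }
}
```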

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.

Stay tuned on Knowledge-Junction, will come up with more such articles.

Thanks for reading 🙂

18 thoughts on “Office 365 : Connecting to SharePoint online site using CSOM when Multi-Factor Authentication (MFA) is enabled for the user”

    1. Hi, yes, currently in the example in the blog it is specified that way. But we can read the user details from the app.config file as well.

      But I would like to highlight one more thing: it requires a verification code from me, so if I want to schedule something then it is difficult. A better option is to run the job on behalf of an app, either a SharePoint hosted app or an Azure app.

  1. Hi,

    I found your article as I was searching for a solution to make use of the 2FA with C#.
    The login works like a charm with the PnP library.

    Now, I would like to logout. I have not found any possibility to logout again. Can anybody help please?

      1. Right, I can’t find a method either. So, I was thinking about deleting the cookies in the CookieContainer, that the PnP library introduced. But after restarting the app, the cookies were back.
        I tried calling the logout url https://login.microsoftonline.com/common/oauth2/logout, but I think I called it in the wrong context. Can you think about any workaround? It feels a bit weird, that there is no possibility for logout.

  2. Hello Prasham,
    Thanks for steps.

    I followed your steps but on authManager.GetWebLoginClientContext(siteUrl,null); I am getting “Error CS0012 The type ‘Icon’ is defined in an assembly that is not referenced. You must add a reference to assembly ‘System.Drawing.Common, Version=4.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51’.” Any idea how to fix this?

    If I install the System.Drawing.Common package from NuGet I am getting this error: “Could not load file or assembly ‘System.Windows.Forms, Version=4.0.0.0, Culture=neutral”.

    I am using console app project with VS 2019 Thanks.

    1. Hi Aniket, I also faced error for “System.Drawing.Common” but after installing it using Nuget it worked for me.

      Have you tried installing “System.Windows.Forms”? If not, I would say please try once. Please share the result.

  3. Verified method for logout for SharePoint Online: I haven’t found anything on the internet. CSOM and GitHub: It seems that all of this is running via Azure Active Directory (AD). I found a workaround.
    If you change the password under Account Information, then it takes a while. After that, you have to authorize yourself with MFA.
    This applies to the browsers as well as to the CSOM application.

    If someone has something so that you can reset the MFA (keep login) using CSOM code! Thank you very much!
