Using CSOM To Connect To A SharePoint Site With Multi Factor Authentication Enabled

This blog explains how to connect to a SharePoint site with MFA enabled, using the PnP helper methods and PnP Powershell.

We often write utilities and scripts for performing certain automation and tasks for a SharePoint site.
 
Authenticating a user with standard authentication mechanism is easy. For some tools, they always run with specific credentials (like an account with higher privileges), where the credentials are stored at a central credential manager. And for simpler ones, the usernames and passwords are used directly within a SharePointOnlineCredentials or NetworkCredentials object in CSOM code.
 
This way of authentication doesn’t work if the multi-factor authentication is enabled. So, how do we connect to a SharePoint site with multi-factor authentication enabled? It's SharePoint PnP which makes it happen. Below are some sample snippets.
 

Connecting to a site with MFA using CSOM

 
Below is the sample code using CSOM within a console app. The same can be extended for building Windows Forms or other applications using CSOM.
 
In the OfficeDevPnP.Core namespace, there is an AuthenticationManager class which has many helper methods for creating a SharePointContext object with different authentication types. The method GetWebLoginClientContext(String, Icon) is my favorite method, which works for almost any type of authentication scenario.
 
When we use this method, it opens a pop-up with the standard tenant login page, and users will be prompted for the credentials and challenges for the second-factor authentication. Once the user authenticates themselves, the authentication token is read by the AuthenticationManager and it prepares a ClientContext Object which we can use.
 
Install the ‘SharePointPnPCoreOnline’ NuGet package to the Visual Studio solution which installs the OfficeDevPnP.Core assembly.
 
 
Below is the code snippet to get a client context.
  1. static void Main(string[] args)  
  2. {  
  3.    string siteUrl = "https://<tenant-name>.sharepoint.com/sites/contosoteam";  
  4.    var authManager = new OfficeDevPnP.Core.AuthenticationManager();  
  5.    // This method calls a pop up window with the login page and it also prompts  
  6.    // for the multi factor authentication code.  
  7.    ClientContext ctx = authManager.GetWebLoginClientContext(siteUrl);  
  8.    // The obtained ClientContext object can be used to connect to the SharePoint site.  
  9.    Web web = ctx.Web;  
  10.    ctx.Load(web, w => w.Title);  
  11.    ctx.ExecuteQuery();  
  12.    Console.WriteLine("You have connected to {0} site, with Multi Factor Authentication enabled!!", web.Title);  
  13. }   
When you run this code, it shows the following pop up with the tenant’s login page
 
 
 

Connecting to a site with MFA using PnP PowerShell

 
When using the Connect-PnPOnline cmdlet without any additional authentication parameters, we are prompted for username and password, which will not work if multi-factor authentication is enabled. We can use the following switch to show a web login for authentication which handles MFA.
 
Connect-PnPOnline -Url $siteUrl –UseWebLogin
 
 
Using the helper methods from the OfficeDevPnP.Core and PnP Powershell we can use a standardized solution to show a web login, which not only handles multi-factor authentication but also most of the authentication mechanisms.
 
For tools or scripts which need the user to login for every run, we can use this approach to handle MFA authentication. However, this may not be the right solution for scheduled jobs which shouldn’t/wouldn’t wait for a user to login and continue.