Problem
You attempt to use PowerShell to connect to MSOnline via the cmdlet Connect-MsolService but it fails and displays the following message:
PS C:\> Connect-MsolService
Connect-MsolService : This account is blocked. Contact your Tenant administrator.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : 0x80048823,Microsoft.Online.Administration.Automation.ConnectMsolService
PS C:\>
Your environment has MFA enabled and you notice that the authentication prompt you receive when you execute Connect-MsolService displays the legacy login and not the modern authentication prompt:
… which leads to the MFA prompt not being displayed.
You review the installed Windows Azure Active Directory Module for Windows PowerShell and determine that it is at the older 1.0.0 version:
You use the Install-Module -Name MSOnline cmdlet to upgrade the module, but receive the following warning stating that version 1.0 is already installed and that the force switch is needed for a side-by-side install:
PS C:\> Install-Module -Name MSOnline
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
WARNING: Version '1.0' of module 'MSOnline' is already installed at
'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSOnline'. To install version '1.1.183.57', run Install-Module and
add the -Force parameter, this command will install version '1.1.183.57' in side-by-side with version '1.0'.
PS C:\>
Retrying with the force switch still fails:
PS C:\> Install-Module -Name MSOnline -force
PackageManagement\Install-Package : The following commands are already available on this system:'Add-MsolAdministrative
UnitMember,Add-MsolForeignGroupToRole,Add-MsolGroupMember,Add-MsolRoleMember,Add-MsolScopedRoleMember,Confirm-MsolDomai
n,Confirm-MsolEmailVerifiedDomain,Connect-MsolService,Convert-MsolFederatedUser,Get-MsolAccountSku,Get-MsolAdministrati
veUnit,Get-MsolAdministrativeUnitMember,Get-MsolCompanyInformation,Get-MsolContact,Get-MsolDirSyncConfiguration,Get-Mso
lDirSyncFeatures,Get-MsolDirSyncProvisioningError,Get-MsolDomain,Get-MsolDomainFederationSettings,Get-MsolDomainVerific
ationDns,Get-MsolGroup,Get-MsolGroupMember,Get-MsolHasObjectsWithDirSyncProvisioningErrors,Get-MsolPartnerContract,Get-
MsolPartnerInformation,Get-MsolPasswordPolicy,Get-MsolRole,Get-MsolRoleMember,Get-MsolScopedRoleMember,Get-MsolServiceP
rincipal,Get-MsolServicePrincipalCredential,Get-MsolSubscription,Get-MsolUser,Get-MsolUserByStrongAuthentication,Get-Ms
olUserRole,New-MsolAdministrativeUnit,New-MsolDomain,New-MsolGroup,New-MsolLicenseOptions,New-MsolServicePrincipal,New-
MsolServicePrincipalAddresses,New-MsolServicePrincipalCredential,New-MsolUser,New-MsolWellKnownGroup,Redo-MsolProvision
Contact,Redo-MsolProvisionGroup,Redo-MsolProvisionUser,Remove-MsolAdministrativeUnit,Remove-MsolAdministrativeUnitMembe
r,Remove-MsolApplicationPassword,Remove-MsolContact,Remove-MsolDomain,Remove-MsolForeignGroupFromRole,Remove-MsolGroup,
Remove-MsolGroupMember,Remove-MsolRoleMember,Remove-MsolScopedRoleMember,Remove-MsolServicePrincipal,Remove-MsolService
PrincipalCredential,Remove-MsolUser,Reset-MsolStrongAuthenticationMethodByUpn,Restore-MsolUser,Set-MsolAdministrativeUn
it,Set-MsolCompanyContactInformation,Set-MsolCompanySecurityComplianceContactInformation,Set-MsolCompanySettings,Set-Ms
olDirSyncConfiguration,Set-MsolDirSyncEnabled,Set-MsolDirSyncFeature,Set-MsolDomain,Set-MsolDomainAuthentication,Set-Ms
olDomainFederationSettings,Set-MsolGroup,Set-MsolPartnerInformation,Set-MsolPasswordPolicy,Set-MsolServicePrincipal,Set
-MsolUser,Set-MsolUserLicense,Set-MsolUserPassword,Set-MsolUserPrincipalName'. This module 'MSOnline' may override the
existing commands. If you still want to install this module 'MSOnline', use -AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package],
Exception
+ FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.Pack
ageManagement.Cmdlets.InstallPackage
PS C:\>
Solution
The scenario outlined above contains two issues that depend on each other:
- MSOnline version 1.0 does not prompt for MFA. Because MFA is required, the login fails with the message "This account is blocked. Contact your Tenant administrator."
- Attempting to update MSOnline from 1.0 to the latest 1.1.183.57 with the force switch fails.
Issue #1, where the legacy MSOnline module is unable to prompt for MFA, will be resolved once we are able to update it to the latest version. To correct the issue, proceed by first uninstalling MSOnline version 1.0 from Programs and Features:
Then install the latest MSOnline with the Install-Module -Name MSOnline cmdlet:
PS C:\> Install-Module -Name MSOnline
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
PS C:\>
Use the Get-Module cmdlet to verify that the latest version has been installed:
Executing Connect-MsolService will now bring up the modern authentication prompt, allowing you to complete the MFA authentication:
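The checks from the steps above can be scripted as a preflight before touching a workstation. This is an added example, not part of the original post; the function name Get-MsolModuleStatus and the $KnownGood threshold (set to the 1.1.183.57 version shown on this page) are assumptions.

```powershell
# Added example: preflight check for the MSOnline upgrade described above.
# Assumption: 1.1.183.57 (the version shown on this page) is treated as the
# known-good version; anything older is reported as legacy.
$KnownGood  = [version]'1.1.183.57'
$SystemRoot = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\Modules'

function Get-MsolModuleStatus {
    # Enumerate every MSOnline copy on the module path, not just the loaded one.
    $copies = @(Get-Module -ListAvailable -Name MSOnline)
    foreach ($m in $copies) {
        [pscustomobject]@{
            Version    = $m.Version
            ModuleBase = $m.ModuleBase
            # The page's 1.0 copy lived under System32 and was removed via
            # Programs and Features; Install-Module does not write there.
            MsiInstall = $m.ModuleBase -like "$SystemRoot*"
            Legacy     = $m.Version -lt $KnownGood
        }
    }
}

$status = @(Get-MsolModuleStatus)
$status | Format-Table -AutoSize

if (-not $status) {
    Write-Output 'MSOnline is not installed. Run: Install-Module -Name MSOnline'
}
elseif ($status | Where-Object { $_.MsiInstall -and $_.Legacy }) {
    Write-Warning 'Legacy copy under System32 found. Uninstall it from Programs and Features before running Install-Module.'
}
elseif ($status | Where-Object { -not $_.Legacy }) {
    Write-Output "MSOnline $KnownGood or later is present; Connect-MsolService should show the modern authentication prompt."
}
else {
    Write-Warning 'Only a legacy copy is present. Run: Install-Module -Name MSOnline'
}

# PSGallery is Untrusted by default, which is why Install-Module prompts.
Get-PSRepository -Name PSGallery | Select-Object Name, InstallationPolicy
```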