Friday, April 10, 2020

Attempting to connect to MSOnline via Connect-MsolService with MFA enabled fails with: "This account is blocked. Contact your Tenant administrator."

Problem

You attempt to use PowerShell to connect to MSOnline via the cmdlet Connect-MsolService but it fails and displays the following message:

    PS C:\> Connect-MsolService
    Connect-MsolService : This account is blocked. Contact your Tenant administrator.
    At line:1 char:1
    + Connect-MsolService
    + ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048823,Microsoft.Online.Administration.Automation.ConnectMsolService
    PS C:\>


Your environment has MFA enabled and you notice that the authentication prompt you receive when you execute Connect-MsolService displays the legacy login and not the modern authentication prompt, which results in the MFA prompt not being displayed.

You review the installed Windows Azure Active Directory Module for Windows PowerShell and determine that it is at the older 1.0.0 version.

You proceed to use the Install-Module -Name MSOnline cmdlet to upgrade the module but receive the following error indicating version 1.0 is already installed and to use the force switch for a side-by-side install:

    PS C:\> Install-Module -Name MSOnline
    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
    'PSGallery'?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
    WARNING: Version '1.0' of module 'MSOnline' is already installed at
    'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSOnline'. To install version '1.1.183.57', run Install-Module and
    add the -Force parameter, this command will install version '1.1.183.57' in side-by-side with version '1.0'.
    PS C:\>


Retrying with the -Force switch also fails:

    PS C:\> Install-Module -Name MSOnline -force
    PackageManagement\Install-Package : The following commands are already available on this system:'Add-MsolAdministrative
    UnitMember,Add-MsolForeignGroupToRole,Add-MsolGroupMember,Add-MsolRoleMember,Add-MsolScopedRoleMember,Confirm-MsolDomai
    n,Confirm-MsolEmailVerifiedDomain,Connect-MsolService,Convert-MsolFederatedUser,Get-MsolAccountSku,Get-MsolAdministrati
    veUnit,Get-MsolAdministrativeUnitMember,Get-MsolCompanyInformation,Get-MsolContact,Get-MsolDirSyncConfiguration,Get-Mso
    lDirSyncFeatures,Get-MsolDirSyncProvisioningError,Get-MsolDomain,Get-MsolDomainFederationSettings,Get-MsolDomainVerific
    ationDns,Get-MsolGroup,Get-MsolGroupMember,Get-MsolHasObjectsWithDirSyncProvisioningErrors,Get-MsolPartnerContract,Get-
    MsolPartnerInformation,Get-MsolPasswordPolicy,Get-MsolRole,Get-MsolRoleMember,Get-MsolScopedRoleMember,Get-MsolServiceP
    rincipal,Get-MsolServicePrincipalCredential,Get-MsolSubscription,Get-MsolUser,Get-MsolUserByStrongAuthentication,Get-Ms
    olUserRole,New-MsolAdministrativeUnit,New-MsolDomain,New-MsolGroup,New-MsolLicenseOptions,New-MsolServicePrincipal,New-
    MsolServicePrincipalAddresses,New-MsolServicePrincipalCredential,New-MsolUser,New-MsolWellKnownGroup,Redo-MsolProvision
    Contact,Redo-MsolProvisionGroup,Redo-MsolProvisionUser,Remove-MsolAdministrativeUnit,Remove-MsolAdministrativeUnitMembe
    r,Remove-MsolApplicationPassword,Remove-MsolContact,Remove-MsolDomain,Remove-MsolForeignGroupFromRole,Remove-MsolGroup,
    Remove-MsolGroupMember,Remove-MsolRoleMember,Remove-MsolScopedRoleMember,Remove-MsolServicePrincipal,Remove-MsolService
    PrincipalCredential,Remove-MsolUser,Reset-MsolStrongAuthenticationMethodByUpn,Restore-MsolUser,Set-MsolAdministrativeUn
    it,Set-MsolCompanyContactInformation,Set-MsolCompanySecurityComplianceContactInformation,Set-MsolCompanySettings,Set-Ms
    olDirSyncConfiguration,Set-MsolDirSyncEnabled,Set-MsolDirSyncFeature,Set-MsolDomain,Set-MsolDomainAuthentication,Set-Ms
    olDomainFederationSettings,Set-MsolGroup,Set-MsolPartnerInformation,Set-MsolPasswordPolicy,Set-MsolServicePrincipal,Set
    -MsolUser,Set-MsolUserLicense,Set-MsolUserPassword,Set-MsolUserPrincipalName'. This module 'MSOnline' may override the
    existing commands. If you still want to install this module 'MSOnline', use -AllowClobber parameter.
    At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
    + ... $null = PackageManagement\Install-Package @PSBoundParameters
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package],
    Exception
    + FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.Pack
    ageManagement.Cmdlets.InstallPackage
    PS C:\>


Solution

The scenario outlined above contains two issues that are dependent on each other:

  1. MSOnline version 1.0 does not present the MFA prompt and, because MFA is required, the login process fails with the "This account is blocked. Contact your Tenant administrator." message.
  2. Attempting to update MSOnline from 1.0 to the latest 1.1.183.57 with the -Force switch fails.

Issue #1, where the legacy MSOnline module is unable to prompt for MFA, will be resolved once we are able to update it to the latest version. To correct the issue, proceed by first uninstalling MSOnline version 1.0 from Programs and Features.

Then install the latest MSOnline with the Install-Module -Name MSOnline cmdlet:


    PS C:\> Install-Module -Name MSOnline
    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
    'PSGallery'?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
    PS C:\>


Use the Get-Module cmdlet to verify that the latest version has been installed.

Executing Connect-MsolService will now bring up the modern authentication prompt, allowing you to complete the MFA authentication.
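A scripted form of the verify-then-connect steps, added here as an example and not part of the original post: it lists every MSOnline copy PowerShell can find, flags any copy older than the 1.1.183.57 version named in the output above, and confirms which module version Connect-MsolService resolves to before connecting. Test-MsolModuleReady is a hypothetical helper name, and the minimum version is an assumption taken from the post's output.

```powershell
# Added example: confirm that the MSOnline module that will load is new enough
# to show the modern authentication prompt before calling Connect-MsolService.
# Test-MsolModuleReady is a hypothetical helper, not part of the MSOnline module.

function Test-MsolModuleReady {
    [CmdletBinding()]
    param(
        # Version reported by Install-Module in the post (assumption: adjust as needed).
        [version]$MinimumVersion = '1.1.183.57'
    )

    # Every copy of MSOnline visible on $env:PSModulePath, newest first.
    $copies = @(Get-Module -ListAvailable -Name MSOnline | Sort-Object Version -Descending)
    if ($copies.Count -eq 0) {
        Write-Warning 'MSOnline is not installed. Run: Install-Module -Name MSOnline'
        return $false
    }

    # Show version and install location without adding to the function's output.
    $copies | Format-Table Version, ModuleBase -AutoSize | Out-Host

    # Flag legacy copies such as the 1.0 module under system32 described in the post.
    foreach ($m in ($copies | Where-Object { $_.Version -lt $MinimumVersion })) {
        Write-Warning "Legacy MSOnline $($m.Version) at $($m.ModuleBase): uninstall it from Programs and Features."
    }

    if ($copies[0].Version -lt $MinimumVersion) { return $false }

    # Import by minimum version so an older copy is never the one loaded.
    Import-Module -Name MSOnline -MinimumVersion $MinimumVersion -Force -ErrorAction Stop

    # Check which module actually provides the cmdlet in this session.
    $resolved = (Get-Command -Name Connect-MsolService -ErrorAction Stop).Module.Version
    Write-Host "Connect-MsolService resolves to MSOnline $resolved"
    return ($resolved -ge $MinimumVersion)
}

if (Test-MsolModuleReady) {
    Connect-MsolService   # expected to show the modern authentication / MFA prompt
}
```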
