This afternoon, while working on my upcoming book for the MS-300 exam, I was attempting to sign into SharePoint Online via PowerShell and encountered this moderately cryptic message:
Cannot contact web site 'https://tenant-admin.sharepoint.com/' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'. The response headers are 'X-SharePointHealthScore=7, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+ and+select+the+option+to+login+automatically., SPRequestGuid=0da41d9f-c07d-0000-475a-d8ba3cbd9de9, request-id=0da41d9f-c07d-0000-475a-d8ba3cbd9de9, MS-CV=nx2kDX3AAABHWti6PL2d6Q.0, Strict-Transport-Security=max-age=31536000, SPRequestDuration=65, SPIisLatency=20, MicrosoftSharePointTeamServices=126.96.36.19913, X-Content-Type-Options=nosniff, X-MS-InvokeApp=1; RequireReadOnly, X-MSEdge-Ref=Ref A: C396F4495761409EBD63C56024B3F45C Ref B: CH1EDGE1220 Ref C: 2019-12-02T19:26:24Z, Content-Length=0, Content-Type=text/plain; charset=utf-8, Date=Mon, 02 Dec 2019 19:26:24 GMT, P3P=CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", X-Powered-By=ASP.NET'.
It was displayed in its normal crimson beauty, as you can see below:
I decided to go see what dials I had configured. Turns out, it was not anything in the Azure Portal under Conditional Access. What I did have enabled, however, were a pair of settings when I was testing other application restriction methods, both of which are configured in the SharePoint Online Admin Center (https://tenant-admin.sharepoint.com). The settings were under Access Control | Unmanaged Devices and Access Control | Apps that don’t use modern authentication:
Setting both of those to Allow access enabled me to connect to SharePoint Online via PowerShell after about 30 minutes.
Alternately, if you’re in a rush (and your settings look like mine), you can try skipping the -Credential parameter altogether and wait for the modern authentication web dialog prompt. 😉