SharePoint MFA - Legacy Authentication mode


If legacy authentication mode is disabled (see below how to check), please try to connect to your SharePoint using the Web Logon option.

Legacy authentication mode: By default, ReplaceMagic uses legacy authentication mode (parameter SharePoint LegacyAuthenticationMode under Configuration => SharePoint). However, legacy authentication mode may be disabled by your SharePoint administrators, in which case it cannot be used and the parameter "SharePoint Legacy Auth Mode" will not help.

To check the current value of the parameter LegacyAuthProtocolsEnabled, ask your SharePoint administrators or open a PowerShell prompt (you might need to install it. Download link is : ) and run this code:

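$login = "YOUR USERNAME";

$password = "YOUR PASSWORD";

# Convert the plain-text password to a SecureString for the credential object
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;

$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $login,$securePassword;

# Put your SharePoint Online admin center URL between the quotes
Connect-SPOService -Url "" -Credential $credentials;

$TenantSettings = Get-SPOTenant;

# Show the current value of the parameter
$TenantSettings.LegacyAuthProtocolsEnabled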
After pressing Enter you will see whether the parameter is set to True or False.

For example, on our SharePoint Online tenant this parameter is set to True, which means that we allow legacy authentication mode.

If it is set to False, please check that the ReplaceMagic parameter "SharePoint LegacyAuthProtocolsEnabled" is also set to False, as otherwise it might happen that we cannot connect to your SharePoint or upload changed documents (Microsoft limitation). Other approaches are to ask your SharePoint admins to temporarily set this parameter to true, to create a policy where the user running ReplaceMagic gets exceptional approval to have this parameter set to true, or to use App-Only mode. All three options are described below.

Approach 1 (change of parameter to true): The PowerShell command to change the value of LegacyAuthProtocolsEnabled is:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

or

Set-SPOTenant -LegacyAuthProtocolsEnabled $true

Keep in mind that after you change this parameter it might take some time until the change becomes active (from a few minutes to a few hours), and that the change has a global effect.
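One way to apply Approach 1 only temporarily, as an added example (not ReplaceMagic's own code): the script records the current value, enables legacy authentication, and puts the recorded value back when you are done. The admin center URL is a placeholder, and the SharePoint Online Management Shell module is assumed to be installed.

```powershell
# Added example: temporarily allow legacy authentication, then restore the original value.
# Assumption: $AdminUrl is a placeholder; replace it with your SharePoint Online admin center URL.
param(
    [string]$AdminUrl = "https://YOURTENANT-admin.sharepoint.com"   # placeholder, not from the page
)

# Interactive sign-in (no -Credential), so the admin account can complete MFA.
Connect-SPOService -Url $AdminUrl

# Remember the tenant's current setting so it can be restored afterwards.
$original = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled is currently: $original"

try {
    if (-not $original) {
        Set-SPOTenant -LegacyAuthProtocolsEnabled $true
        Write-Host "Set to True. The change can take from a few minutes to a few hours to become active."
    }
    Read-Host "Run the ReplaceMagic job, then press Enter here to restore the original value"
}
finally {
    # Runs even if the script stops with an error, so the tenant is not left with the changed value.
    if ((Get-SPOTenant).LegacyAuthProtocolsEnabled -ne $original) {
        Set-SPOTenant -LegacyAuthProtocolsEnabled $original
        Write-Host "Restored LegacyAuthProtocolsEnabled to: $original"
    }
    Disconnect-SPOService
}
```

Because the setting is tenant-wide, legacy authentication is allowed for every user while the script waits at the prompt.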

Approach 2 (exceptional policy for ReplaceMagic): More information on how to create an exception policy can be found at: We tested this approach with our customers and it worked.

Approach 3 - usage of SharePoint App-Only authentication mode. To see how to configure it, please read the article "Granting access using SharePoint App-Only (use when Legacy Authentication is not allowed)"