SharePoint MFA (multi-factor authentication) enabled site



If you are using MFA (multi-factor authentication) on your SharePoint (users have to provide a username and password but might also, for example, get a text message on their phones), please try the Web Logon authentication mode:



or you could use App-Only authentication:



or configure app passwords (see below). 


How to configure an application password?


There are different ways to create an app password, depending on how your SharePoint is configured:


Option 1: 


To use MFA with third-party applications you need to create an application password. To do that, log in to your SharePoint, click on your username and select the option My Account. There, go to Security & Privacy and then to "Create and manage app password", where you can create the application password.

URL: https://portal.office.com/account/#security



URL: https://account.activedirectory.com/AppPassword.aspx




Save this password: later, in ReplaceMagic, you will have to use it instead of your normal password.



Option 2 (source: Microsoft, section: Create and delete app passwords from the Additional security verification page):


Go to https://account.activedirectory.windowsazure.com/Proofup.aspx where you should see:



Select Create, type the name of the app that requires the app password, and then select Next.



Copy the password from the Your app password page, and then select Close.



From the App passwords page, make sure your app is listed.



Open the app you created the app password for (for example, Outlook 2010), and then paste the app password when asked for it. You should only have to do this once per app.


How to log in when MFA is enabled and you have an app password?


Important: if ReplaceMagic was open while you created the app password, close ReplaceMagic and start it again before you use the password!


In ReplaceMagic, go to the form where you can add a SharePoint site. As the username use your normal username, but the password has to be the app password that you generated in SharePoint:



As Authentication mode, first try "Multi-factor authentication (BETA)":



or, if that does not work properly, try "SharePoint Online (Office 365)":




In some cases the browser window that appears when you select the MFA authentication mode disappears without giving you the option to enter anything. In that case it helped us to select the following in SharePoint Admin under users and Multi-factor authentication:




By the way, the same approach also applies to other applications that you want to connect to your SharePoint when you are using MFA.


Source: https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183


If the connection still does not work, most likely legacy authentication mode is disabled, so please read further...


Legacy authentication mode: By default ReplaceMagic uses legacy authentication mode (parameter SharePoint LegacyAuthenticationMode under Configuration => SharePoint), but it might happen that legacy authentication mode cannot be used because it has been disabled by your SharePoint administrators. If we try to use it while it is disabled, we will not be able to upload changed documents.


To check the current value of the parameter LegacyAuthProtocolsEnabled, ask your SharePoint administrators or open the PowerShell command line (you might need to install it; the download link is https://www.microsoft.com/download/details.aspx?id=35588) and run this code:


Connect-SPOService -Url "https://tenant-admin.sharepoint.com";

$TenantSettings = Get-SPOTenant;

$TenantSettings.LegacyAuthProtocolsEnabled;


After pressing Enter you will see whether the parameter is set to true or false.

For example, on our SharePoint Online tenant we have this parameter set to True:


This means that we allow legacy authentication mode.


If it is set to False, please check that the ReplaceMagic parameter "SharePoint LegacyAuthProtocolsEnabled" is also set to False because, as written previously, it might happen that we cannot upload changed documents (Microsoft limitation). Other approaches are to talk to your SharePoint admins and ask them either to temporarily set this parameter to true or to create a policy in which the user running ReplaceMagic gets exceptional approval to have this parameter set to true.


Approach 1 (change of parameter to true): The PowerShell command to change the value of LegacyAuthProtocolsEnabled is:


Set-SPOTenant -LegacyAuthProtocolsEnabled $false

or

Set-SPOTenant -LegacyAuthProtocolsEnabled $true


Keep in mind that after you change this parameter it might take some time until the change becomes active (from a few minutes to a few hours), and that the change has a global effect.
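For the temporary change mentioned above, the following is an added example (not code from ReplaceMagic or Microsoft): it records the current value, allows legacy authentication only while ReplaceMagic runs, and restores the recorded value afterwards so the tenant-wide setting is not left enabled. The admin URL is the placeholder used on this page, and the variable names and prompt texts are assumptions.

```powershell
# Added example: temporarily allow legacy authentication and always restore the previous value.
# Requires the SharePoint Online Management Shell and SharePoint administrator rights.
$AdminUrl = "https://tenant-admin.sharepoint.com"   # placeholder from this page; use your own admin URL

Connect-SPOService -Url $AdminUrl

# Remember the value that was active before the change
$Original = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled is currently: $Original"

if ($Original) {
    # Already allowed: do not touch the tenant setting at all
    Write-Host "Legacy authentication is already allowed; nothing to change."
    return
}

try {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $true
    Write-Host "Set to True. The change can take from a few minutes to a few hours to become active."
    Read-Host "Run ReplaceMagic now, then press Enter here to restore the original value"
}
finally {
    # Also runs when the script stops with an error or Ctrl+C,
    # so the global setting goes back to the recorded value
    Set-SPOTenant -LegacyAuthProtocolsEnabled $Original
    $Now = (Get-SPOTenant).LegacyAuthProtocolsEnabled
    Write-Host "Restored LegacyAuthProtocolsEnabled to: $Now"
}
```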


Approach 2 (exceptional policy for ReplaceMagic): More information on how to create an exception policy can be found at: https://www.liktorius.com/2019/07/17/prevent-azure-legacy-auth-for-veeam-vbo-365 We tested this approach with our customers and it worked.


Approach 3 - usage of SharePoint App-Only authentication mode. To see how to configure it, please read the article "Granting access using SharePoint App-Only (use when Legacy Authentication is not allowed)"