Problem with connecting to SharePoint Online in Office 365 with PowerShell, SharePoint Designer and other third-party tools

You are no longer able to log in to SharePoint using PowerShell, SharePoint Designer and other third-party tools (e.g. ShareGate, SharePoint Search Query Tool etc.). The error message states that you are "Unauthorized" and that "…the web site does not support SharePoint Online credentials", even though your username and password are fine.

Example: Error while logging in with PnP PowerShell

Connect-PnPOnline : Cannot contact web site 'https://TENANTID.sharepoint.com/' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'.  The response headers are 'X-SharePointHealthScore=0, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.,

Example: Stuck while logging in with SharePoint Designer

Reason

SharePoint Online has a setting named "LegacyAuthProtocolsEnabled" with the stated purpose: "Prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources."

By default, legacy authentication is allowed in all tenants, but an administrator can tighten security and prevent logins that use these non-modern approaches.

More details can be found here: https://technet.microsoft.com/en-in/library/fp161390.aspx

Solution

1. Start using modern authentication (recommended)

Check whether your application supports modern authentication, either through WebLogin or through application credentials (ClientId/ClientSecret). This is the recommended and more secure approach.

Some tools, such as SharePoint Designer, do not support modern authentication. If you are required to continue using these apps, you might have to re-enable legacy support as described in the next point.

2. Re-enable support for legacy apps (temporary fix)

Note: Your company might have performed security hardening and disabled this on purpose. If so, it is not advisable to continue without verifying the reason for the change.

Using the "SharePoint Online Management Shell", log in with "Connect-SPOService".

Connect-SPOService -Url "https://TENANTID-admin.sharepoint.com"

Verify the value of "LegacyAuthProtocolsEnabled".

$TenantSettings = Get-SPOTenant
 
$TenantSettings.LegacyAuthProtocolsEnabled

If this value is "False", the issue can be solved by setting it to "True".

Set-SPOTenant -LegacyAuthProtocolsEnabled $True

Updating your SharePoint Online tenant settings does not take effect immediately. You need to wait a while before you retry; exactly how long varies by setting, from minutes to 24 hours.
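
The check-then-change steps above, wrapped so the change is confirmed and recorded before it is made. This is an added example, not part of the original post. The function name Set-LegacyAuthWithAudit, its parameters and the audit log path are hypothetical, and it assumes a session already opened with Connect-SPOService.

```powershell
# Added example. Requires the SharePoint Online Management Shell and an
# existing Connect-SPOService session. Function name, parameters and log
# path are hypothetical; only Get-SPOTenant / Set-SPOTenant come from the post.
function Set-LegacyAuthWithAudit {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled,

        # Why the setting is being changed, e.g. which legacy tool needs it.
        [Parameter(Mandatory = $true)]
        [string]$Reason,

        # Hypothetical location; point this at wherever change records are kept.
        [string]$AuditLog = (Join-Path $env:TEMP 'LegacyAuthProtocolsEnabled-changes.csv')
    )

    # Read the current tenant value first, as in the verification step above.
    $current = (Get-SPOTenant).LegacyAuthProtocolsEnabled

    if ($current -eq $Enabled) {
        Write-Output "LegacyAuthProtocolsEnabled is already $current; nothing to change."
        return
    }

    $action = "Set LegacyAuthProtocolsEnabled from $current to $Enabled"
    if ($PSCmdlet.ShouldProcess('SharePoint Online tenant', $action)) {
        # Record the previous value before changing it, so the change can be
        # reviewed later and reverted once the legacy tool is retired.
        [pscustomobject]@{
            TimestampUtc  = (Get-Date).ToUniversalTime().ToString('o')
            ChangedBy     = [Environment]::UserName
            PreviousValue = $current
            NewValue      = $Enabled
            Reason        = $Reason
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

        Set-SPOTenant -LegacyAuthProtocolsEnabled $Enabled
        Write-Output "Requested change to $Enabled; previous value $current logged to $AuditLog."
    }
}

# Preview only: -WhatIf reports the intended change without applying it.
Set-LegacyAuthWithAudit -Enabled $true -Reason 'SharePoint Designer still required' -WhatIf
```

Run it without -WhatIf to be prompted for confirmation before the tenant setting is changed.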

Summary

Changing the value of "LegacyAuthProtocolsEnabled" can cause issues for some existing applications. Checking whether you can start using modern authentication options will solve the issue in many apps, but for some you might still need to keep this support open.