What Should I Do If My Organization Uses Multi-Factor Authentication (MFA) in Microsoft 365? (Obsolete)

*Note: The information in this section is only for customers who have configured MFA service account profiles in the AOS classic UI (before the June 2023 release).

If your organization uses multi-factor authentication (MFA) in Microsoft 365, refer to the following information to configure the required settings based on your scenario:

- Microsoft 365 MFA service account profile – If your organization has configured a Microsoft 365 MFA service account profile in the AOS classic UI (before the June 2023 release), you can refer to the instructions in the **Edit MFA Service Account Profiles** section below to edit the MFA service account profile.
- Microsoft 365 Account Pool – SharePoint Online has a built-in throttling feature that prevents one account from processing several requests simultaneously. To avoid getting throttled or blocked in SharePoint Online, you can configure the account pool in AvePoint Online Services. The account pool contains multiple Microsoft 365 accounts. When configuring the account pool, enable MFA and provide the app passwords of the Microsoft 365 accounts. For more information, refer to [Manage Account Pool (Obsolete)](#missing-link).

Edit MFA Service Account Profiles

Navigate to AvePoint Online Services > Management > Service account, and click the MFA service account profile. On the MFA service account profile detail page, click Edit. Then, refer to the following instructions to edit the MFA service account profile:

  1. Profile Name – Enter a name for the service account profile.

  2. Description – Enter an optional description.

  3. Enable MFA – If you want to keep this MFA service account profile in the classic UI, select the Our organization uses multi-factor authentication checkbox, and refer to the following steps to edit this MFA service account profile.

    Note that MFA service account profiles have the following limitations:

    • The Microsoft 365 MFA service account profile cannot be used to invite Microsoft 365 users/groups as AvePoint Online Services users.

    • If your organization selects Block access for the Apps that don’t use modern authentication setting in the SharePoint admin center, the Microsoft 365 MFA service account profile cannot be used for the Ghost Guest Users rule in Cloud Management Identity Manager.

    • The Microsoft 365 MFA service account profile does not support some features in Cloud Management. For additional details, refer to . You can convert and deselect the checkbox here.

    *Note: If you want to transfer this MFA service account to a common service account profile that can be edited in the AOS new UI, deselect the Our organization uses multi-factor authentication checkbox, and save your edits to this service account profile. Then, you can manage it by referring to instructions in the Manage Service Account Profiles section.

  4. Username – Specify an account with the permissions required by your tenant’s cloud services. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the Required Permissions of Cloud Services section for more information.

    Note the following:

    • AvePoint does not recommend that a personal active user account be used as the service account. We recommend you use a separate service account to manage all administration.

    • With the Enable MFA option selected, you must enter the login ID of a Microsoft 365 Global Administrator account or SharePoint Administrator account.

  5. Password – Enter the app password of the account above. For more information about app passwords, refer to the Microsoft technical article .

  6. Click Validation Test to validate the information above.

    Note the following:

    • When the validation test fails, and the error message indicates that your Microsoft 365 tenant has set access policies or enabled multi-factor authentication (MFA), refer to the Validation Test Troubleshooting section below.

    • As the Microsoft 365 user has multi-factor authentication (MFA) enabled, the user role information cannot be retrieved due to Microsoft API limitations, and the User Role field will be blank.

    • The password is validated via Microsoft 365 API. Due to a Microsoft 365 API limitation, you may encounter the following issue: the password is checked as invalid here, but you can use this password to log into Microsoft 365 successfully. To resolve the issue, you must change your password in Microsoft 365, and then enter the new password here. For details about the password limitations and requirements, refer to Password Limitations and Requirements of Microsoft 365 Accounts.

  7. In Advanced Settings, you need to configure a SharePoint Online Admin Center URL. If your organization uses the default SharePoint Online admin center URL in Microsoft 365, select the Our organization uses the default SharePoint Online admin center URL option; if your organization uses a custom SharePoint Online admin center URL in Microsoft 365, select the Our organization uses a custom SharePoint Online admin center URL option, and enter the admin center URL in the text box.

    *Note: If the Our organization uses multi-factor authentication checkbox is selected, you must manually enter the SharePoint Online admin center URL in the text box.

  8. Click Save to save your configurations.

Validation Test Troubleshooting

When the validation test fails, and you encounter one of the following error messages, refer to the solutions below for troubleshooting.

- Message 1: Your organization has set access policies that block the validation.

  Solution: Choose one of the following methods based on your scenario.

  - Delete or disable the access policies.
  - Edit the access policies to exclude the Microsoft 365 user set as the Service Account.

    ![Excluding a Microsoft 365 user from an access policy](/en/aos/appendices/images/image173.png "Excluding a Microsoft 365 user from an access policy")
  - Edit the access policies to exclude the reserved IP addresses of AvePoint Online Services. The reserved IP addresses can be downloaded in **Administration** > **Security** > **Reserved IP addresses**.

    ![Excluding reserved IP addresses of AvePoint Online Services from an access policy](/en/aos/appendices/images/image174.png "Excluding reserved IP addresses of AvePoint Online Services from an access policy")

- Message 2: Check if this account has multi-factor authentication enabled or if you have entered an app password.

  Solution: If the account has multi-factor authentication enabled, choose one of the following methods based on your scenario.

  - In the **Enable MFA** field, select the **Our organization uses multi-factor authentication** checkbox. Enter the app password in the **Password** field.
  - If you do not want to select the **Our organization uses multi-factor authentication** checkbox, you need to disable multi-factor authentication for the Microsoft 365 user set as the Service Account.

    ![Disabling multi-factor authentication for a Microsoft 365 user](/en/aos/appendices/images/image175.png "Disabling multi-factor authentication for a Microsoft 365 user")

  If the account does not have multi-factor authentication enabled and you haven’t entered an app password, check if the login password of the account is correct.

- Message 3: This account has multi-factor authentication enabled.

  Solution: Choose one of the following methods based on your scenario.

  - If this account has multi-factor authentication enabled on the **multi-factor authentication** interface, either select the **Our organization uses multi-factor authentication** checkbox in the **Enable MFA** field or disable multi-factor authentication for the Microsoft 365 user.
  - If your Microsoft 365 tenant has enabled multi-factor authentication in Microsoft Entra conditional access policies, refer to the solution for Message 1 to either exclude the Service Account from the access policies or exclude AvePoint Online Services reserved IP addresses from the access policies.