#SharePointProblems | Koskila.net

Solutions are worthless unless shared! Antti K. Koskela's Personal Professional Blog

Fixing the "Connect-SPOService : Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in." error

koskila

This post describes my super-simple fix to a weird error about "Identity Client Runtime Library (IDCRL)" failing with federated sign-in when running PowerShell scripts against SharePoint Online. A typical form of the error is "Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in." This could happen, for example, when Connect-SPOService is called, but it's probably not exclusively associated with that cmdlet.

Symptoms

While running your PowerShell scripts using SharePoint Online Management Shell, and trying to log in using Connect-SPOService, you get an error.

Your cmdlets fail at connecting to SharePoint Online with the following (or similar) error message:

Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in.

Of course, you could get the error other times than using PowerShell as well - PnP Authentication Manager can probably throw it in your C# code, and for sure you could encounter some variants in the browser as well. Different solutions fix different forms of the error, so see below for your different options.


Background

What is IDCRL?

IDCRL is short for Identity Client Runtime Library, which is used, among other things, in SharePoint CSOM. SharePoint CSOM is, in turn, used in SharePoint Online Management Shell and PnP Management Shell.

What error gets thrown by SharePoint Online Management Shell when IDCRL encounters (and swallows) an exception?

Something like the below:

Connect-SPOService : Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in.

Or perhaps it'll look somewhat like this:
[Screenshot: IDCRL error in PowerShell]

How can I fix my IDCRL errors?

See below for a how-to!


Solutions

I've run into some stupid solutions, and some a bit less stupid ones. Judge for yourself - see below!

Time needed: 20 minutes.

How to fix "Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in."

  1. Check your username

    Despite what the error message says, the error is probably not that much about federation or any other fancy configuration issue. For me, at the very least, it was rather about the credentials supplied. Double-check them - there's a fair chance you've mistyped your credentials and are trying to log in to a realm that doesn't exist.

    In my case, I have made the classic mistake of writing my username as username@tenant.sharepoint.com more times than I can count. You should use username@tenant.onmicrosoft.com !

    Stupid, I know, but not obvious from the error message. And easy to mess up when just hastily copy-pasting or writing the username for the Nth time...

  2. Check whether you need to use MFA or not

    In the comments-section below, GregC brings up another possible situation where you'll run into this error, and it's not about federation either!

    If you run Connect-SPOService and pass the cmdlet credentials that require MFA (Multi-Factor Authentication), you'll get this error.
    It's far from obvious, but in that case you'll need to run the command without the -Credential parameter, in which case it'll prompt for web login and should work with any MFA configuration the tenant might have. In this case, it'll function in a similar fashion to Connect-PnPOnline -UseWebLogin.

    https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline?view=sharepoint-ps

    You can verify whether you need to use MFA for these credentials by navigating to the site you're trying to authenticate against and logging in with your credentials in a private browsing window.

  3. Verify your CSOM installation

    Using the correct username didn't fix your issue? Huh.
    As a handy reminder, this is the syntax of the cmdlet:

    Connect-SPOService [-Url] UrlCmdletPipeBind [[-Credential] CredentialCmdletPipeBind]
    (From http://technet.microsoft.com/en-us/library/fp161392.aspx)

    To be fair, your issue COULD be about missing DLL files, in which case you'll probably need to install either the SDK or SPO Management Shell again (you can get the SharePoint Online SDK here https://www.microsoft.com/en-us/download/details.aspx?id=42038, or the SPO Management Shell from here: https://www.microsoft.com/en-us/download/details.aspx?id=35588), but in my case, the issue has always been resolved by using the correct username. :)

    This blog post might also help you out:
    Getting Connect-MsolService (and other Azure Active Directory PowerShell cmdlets) to work
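
The checks from steps 1 and 2 can be scripted so that a mistyped sign-in name is caught before the cmdlet returns the misleading realm error. This is an added example, not code from the original post: Test-SpoLoginName and Connect-SpoChecked are hypothetical helper names, and contoso is a placeholder tenant.

```powershell
# Added example; helper names and the 'contoso' tenant are assumptions.

function Test-SpoLoginName {
    # Returns $null when the name looks usable, otherwise a reason string.
    param([Parameter(Mandatory)][string]$UserName)

    $parts = $UserName.Trim() -split '@'
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        return 'not in user@domain form'
    }
    $domain = $parts[1].ToLowerInvariant()
    if ($domain -like '*.sharepoint.com') {
        # Step 1: the site host was typed where the sign-in domain belongs.
        $tenant = $domain -replace '(-admin|-my)?\.sharepoint\.com$', ''
        return ('site host used as sign-in domain; try {0}@{1}.onmicrosoft.com' -f
                $parts[0], $tenant)
    }
    if ($domain -notmatch '\.') { return 'domain has no dot' }
    return $null
}

function Connect-SpoChecked {
    param(
        [Parameter(Mandatory)][string]$Url,
        [pscredential]$Credential   # leave out for accounts that require MFA
    )
    if ($Credential) {
        $problem = Test-SpoLoginName -UserName $Credential.UserName
        if ($problem) {
            throw "Not signing in as '$($Credential.UserName)': $problem"
        }
        Connect-SPOService -Url $Url -Credential $Credential
    }
    else {
        # Step 2: without -Credential the cmdlet prompts for web login,
        # which works with the tenant's MFA configuration.
        Connect-SPOService -Url $Url
    }
}

# Constructed sample names; this part runs without the SPO module or a network.
'anna@contoso.sharepoint.com', 'anna@contoso.onmicrosoft.com', 'anna' |
    ForEach-Object {
        $reason = Test-SpoLoginName -UserName $_
        '{0,-30} {1}' -f $_, $(if ($reason) { "REJECT: $reason" } else { 'ok' })
    }
```

A name that passes this check can still fail for other reasons (wrong password, MFA required), so a pass only rules out the mistyped-domain case from step 1.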


That's all for today. Let me know if it helped!

Comments

GregC
2019-03-21 06:02:31
Either that, or you actually can't connect with un/pw because MFA is required instead. In this case don't pass a Credential parameter to Connect-SPOService. https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps This was my case plus used a wrong password, so thanks for the tip! :)
2019-03-23 13:43:39
Hi GregC, Heh, there's so many situations where MFA has caused me issues as well. I've just never gotten this particular error - yet. :) I'll add your comment to the post as well - thanks for sharing!