#SharePointProblems | Koskila.net
Solutions are worthless unless shared! Antti K. Koskela's Personal Professional Blog

How to fix "The website does not support SharePoint Online credentials. The response status code is 'Unauthorized'"

koskila
Reading Time 7 min
Word Count 1221 words
Comments 33 comments
Rating 4.2 (5 votes)
#authentication #powershell #sharepoint #sharepoint-online
View
Share on X Share on LinkedIn Share on Facebook Share on Bluesky Share via Email

Whilst running some SharePoint Online PowerShell commandlets, or connecting to a SharePoint Online site from your app, you get the following (or similar) error about your SharePoint Online credentials being unauthorized for something you should definitely be authorized to do:

Cannot contact web site 'https://[tenant]-admin.sharepoint.com/' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'.

And that's not all - by digging into the full error message, you find the underlying internal error:

MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.

What awakens my curiosity, is this line:

Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.

However, when you open your browser, you can actually log in without a hitch. If that's the case, this might be a weird internal error in SharePoint Online. Nothing you can do permissions/configuration-wise, but luckily - there's a hazy and weird, but simple PowerShell-based fix!

Description of the issue

The whole error might be something like this:

Cannot contact web site 'https://[tenant]-admin.sharepoint.com/' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'. The response headers are 'X-SharePointHealthScore=0, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically., SPRequestGuid=, request-id=, MS-CV=[i_don't-even-know], Strict-Transport-Security=max-age=31536000, X-FRAME-OPTIONS=SAMEORIGIN, SPRequestDuration=64, SPIisLatency=1, MicrosoftSharePointTeamServices=, X-Content-Type-Options=nosniff, X-MS-InvokeApp=1; RequireReadOnly, ...  .

Out of these values, most of the headers are well-known - basic stuff. What's piquing my interest is this one:

X-MSDAVEXT_Error=917656

That is a WebDAV (Web Distributed Authoring and Versioning) protocol returning an error for your request. While the error code isn't (to my knowledge) officially documented anywhere, it's commonly recognized to be a permissions-related issue. And obviously, the error text describes that as well.

This might be a symptom of a weird, internal authentication issue in SharePoint Online, caused by someone tripping on a wire in Microsoft's nearest data center. Or it might actually come from Azure AD in the background. It's either one of those two, or something else :)

What's important, is how to fix it. And that's described below!

Solution

Running a couple of magic PowerShell spells (or commandlets, if you wish) might start a weird, internal background process, that will eventually enable the login for your SharePoint Online credentials. To be fair, I don't even know 100% what these 2 switches do. Below, I'm offering my best guesses, on why this works like this. Proceed with caution and at your risk.

Time needed: 12 hours.

How to fix "The website does not support SharePoint Online credentials. The response status code is 'Unauthorized'" or "MSDAVEXT_Error=917656"?

  1. Fire up your PowerShell console

    If you have SharePoint Online Management Shell, feel free to use that. If not, just use PowerShell instead.

  2. Verify you're using the latest module versions

    Before doing anything more drastic, it's worth verifying you have the latest versions of the necessary PowerShell modules available, as Maciej brings up in the comments section.

    If you're using an outdated version of PowerShell commandlets, it's quite possible that a simple module update will resolve your issue. So, before flipping any of the more exotic PowerShell switches, run the commands below and see if they help:

    # Uninstall your current versions of SharePoint PnP Powershell Online and install the latest Uninstall-Module SharePointPnPPowerShellOnline Install-Module SharePointPnPPowerShellOnline # Uninstall your current version of SharePoint Online Management module and install the latest Uninstall-Module Microsoft.Online.SharePoint.PowerShell Install-Module Microsoft.Online.SharePoint.PowerShell

    Then try to log in again. If that didn't help, proceed!

  3. Flip 'em switches!

    Next, run these commandlets (if you want to be careful, first-run Get-SPOTenant with switches to see the values before the changes - and check with the environment's IT and/or security team if they are other than defaults):

    Connect-SPOService Set-SPOTenant -LegacyAuthProtocolsEnabled $True Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False
    (see below for documentation of the switches)

    It's a bit weird, but seems to do the trick! It might take a moment for the changes to be propagated to all systems - or, like I suspect, the background job that gets started by "updating" these values (even if you just save them with their default values) to do whatever it does.
    On the two occasions that I have had to do it, it took overnight for the authentication to then start to work. I've heard from others, that for them it's been updated in 30 minutes. The bottom line seems to be not to fret until some 12 hours after the change has been made.

What's "Set-SPOTenant -LegacyAuthProtocolsEnabled" or "-RequireAcceptingAccountMatchInvitedAccount" supposed to do?

Admittedly, the documentation for these 2 switches hasn't been that good. Below, you can see the documentation as it was in early 2018 - community contributors (myself included) have improved it since, though!

Microsoft's official explanation of what "LegacyAuthProtocolsEnabled" switch does

Figure 1: Microsoft's official explanation of what "LegacyAuthProtocolsEnabled" switch does :) Not very thorough and detailed!

In short, Set-SPOTenant is used to set different properties on your tenant. These properties might be feature flags, authentication methods, integrations, or other configurations. Or, like in our case, fine-tuning how authentication works.

The following list offers possible explanations why these switches might help:

LegacyAuthProtocolsEnabled

  • This is $True by default, (see "more info" for links to Microsoft's documentation) since otherwise a lot of apps (probably all but those using Modern authentication flow) will fail in the authentication.
  • Figure 1 shows Microsoft's documentation for this switch before community contributions (such as mine) to the documentation.
  • Note also this: "[Setting this to $False] may also prevent third-party apps from accessing SharePoint Online resources. Also, this will also block apps using the SharePointOnlineCredentials class to access SharePoint Online resources. For additional information about SharePointOnlineCredentials, see SharePointOnlineCredentials class."
  • If you can modify the code or script that causes this error, you can also migrate away from using legacy authentication - and use Managed Identities or Web Login (for example) instead! And if your customer requires this switch to be $False, the code changes are going to be your only way forward.

RequireAcceptingAccountMatchInvitedAccount

  • This should be $False by default - but setting this property might, just like with the other one, cause some weird background service to start, and eventually fix the issue.

  • Verify your current setting first by running Get-SPOTenant -RequireAcceptingAccountMatchInvitedAccount

  • This is for external accounts, and shouldn't matter if you have a *.onmicrosoft.com account, or even a federated domain account. It should work pretty much in any case.

  • Microsoft's explanation:

    • Ensures that an external user can only accept an external sharing invitation with an account matching the invited email address.
    • Administrators who desire increased control over external collaborators should consider enabling this feature.
    • Note, that this only applies to new external users accepting new sharing invitations. Also, the resource owner must share with an organizational or Microsoft account, or the external user will be unable to access the resource.

  • The valid values are:

    • False (default) - When a document is shared with an external user, bob@contoso.com, it can be accepted by any user with access to the invitation link in the original e-mail.
    • True - The user must accept this invitation with bob@contoso.com.

Since running these commands will change the authentication behavior of the tenant, please don't run them without running the changes by the customer's IT. And most importantly, don't say that I didn't warn you!

Anyway, I hope it helps, even if you're just setting the already existing values again. It did resolve the issue for us.

References

Share on X Share on LinkedIn Share on Facebook Share on Bluesky Share via Email

Related Posts

Another fix to the "Connect-PnPOnline : The sign-in name or password does not match one in the Microsoft account system." error.

6y agoby koskila
#powershell#sharepoint#sharepoint-online

5 ways to enable Custom Scripts for a SharePoint site collection

7y agoby koskila
#on-premises#pnppowershell#powershell...

Don't remove the root web of your classic SharePoint Site Collection!

7y agoby koskila
#powershell#sharepoint#sharepoint-2013...

Comments

Interactive comments not implemented yet. Showing legacy comments migrated from WordPress.
SM
2018-04-18 13:18:12)
Awesome article!!! and it works for me!!!! and, yes it takes 24 hours after setting "True"
Antti K. Koskela
2018-04-18 18:09:25
Hi SM, Awesome, happy to hear that! It is a really weird fix, and I don't know what kind of scheduled job it's kickstarting (and hence the delay)... But at least it solves the issue :) Let me know if you encounter any side effects though! Would love to document them, too.
Sharepoint
2018-05-08 14:18:56)
That GIF OMG!
Antti K. Koskela
2018-05-08 16:47:26
Happy to hear you... Umm... Like it? :D
Maciej
2019-05-10 06:17:38)
Hi. This page still pop up in Google results. So if you have this error, as a first action update your PnP modele to the newest version. It resolved the case for me. I had issue with version 2.26.1805.0 PnP and after update to PnP 3.8.1904.0 error is gone. Uninstall-Module SharePointPnPPowerShellOnline Install-Module SharePointPnPPowerShellOnline
Antti K. Koskela
2019-05-12 03:33:03
Hi Maciej, Curious! I haven't ran into this ever before, and I've been using PnP cmdlets for quite a while, including versions older than 2.26.1805.0. Not saying it's impossible, just haven't seen it happen! The way I first encountered this was probably with Connect-SPOService, but since the underlying authentication scheme is (by default) mostly the same between SPO cmdlets and PnP cmdlets, the same error can be thrown for Connect-PnPOnline. Good to have it documented, though - so thanks a lot for sharing!
Prabha
2019-06-10 05:34:16)
Hi I'm using an app to read customer's SharePoint file details after going through a OAuth authorization process for some monitoring. I'm using the SharePoint RestAPI call getFileById (with the Bearer Token). The app permissions for SharePoint have been set to Sites.Read.All. When I try to do getFileById, I get the above error which you have mentioned. But when I change the app permission to Sites.FullControl.All (and reauthorize), it works like a charm. My question is - since I'm doing a read operation, why do I get this error if I set the app permission to Sites.Read.All? I cannot take a FullControl permission, it has to be Read only. Can you help? Thank you.
Antti K. Koskela
2019-06-14 12:11:35
Hi Prabha, Thanks for your question and comment! I'm surprised you get this error with missing permission scopes - those usually just throw more generic unauthorized errors, nothing about not supporting SharePoint Online credentials... So that's definitely interesting to hear! When it comes to getting around those issues, I feel your pain. The permission scopes are sometimes really unintuitive. With a lot of APIs, there might be Read and ReadBasic (or similar) permissions available. I don't think that's the case for SharePoint Sites, though... What are the APIs you're calling? If you're calling APIs that're used for auditing or similar "admin" use cases, they might require high permissions by default.
Prachi
2019-07-08 06:08:35)
Hello, I am trying to download an excel file from SharePoint online using a c# script task in ssis. When I am using the SharepointOnlineCredentials and hard coding the username and password it is working fine for me. But when I try CacheCredentials.DefaultCredentials I am getting the error: The remote server returned an error: (403) Forbidden. and after digging into it the following error as well: X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically. Could you help me with this? Will the above solution solve this issue? Thank you.
Antti K. Koskela
2019-07-09 17:53:55
Hi Prachi, Does the account in DefaultCredentials match the one you're using when testing with hard-coding the credentials? Can you verify that the credential returned from the cache is indeed the correct one instead of some service identity or similar?
Jenny Ward
2019-08-02 09:07:54)
Good morning, and thank you for this helpful information! I have a client for whom we are getting this error, resulting in a data warehouse sync not working; LegacyAuthProtocolsEnabled IS set to False on their system; The problem only arose 3 days ago, which makes us believe they changed this from the default True to False, which they say did not occur, but I don't know how to check that (or advise them to). Can you advise if there's a way to determine when this setting was changed? It would go a long way to convince the client to set it back to True. Thank you!
Antti K. Koskela
2019-08-03 01:58:18
Hi Jenny, You bring up an interesting issue, as I don't think operations like Set-SPOTenant are logged anywhere, where an admin could access the info. I'd like to say, that Microsoft has the info for sure - but after some quick googling, I'm actually not certain (see for example the link below). https://sharepoint.uservoice.com/forums/330318-sharepoint-administration/suggestions/32919361-log-sharepoint-online-admin-changes The changes are likely in the database's log files, but it's unrealistic to think Microsoft would go digging for the info even if we asked nicely. You could always propose to the customer that you change the setting to see if it helps, and if it does, it's up to them to decide if they want to keep the working configuration or rather change the setting back and then think about the next steps. :/
Sudhir Sharma
2020-02-06 15:39:07)
Thank you for this information, after making required switch flips it took approximately 30 minutes … for me to continue restore successfully all the deleted items.
Antti K. Koskela
2020-02-10 22:59:40
Thanks for your comment! The time required for the setting to take seems to vary greatly... I've had it take overnight. Happy to hear it helped you though!
Guillermo Garcia
2020-02-19 17:27:09)
The best article read it!!! Really worked for me!!!! Less that 24 hours after setting coming “True” Thanks so much...
Antti K. Koskela
2020-02-19 22:51:09
Happy to hear it helped!
Wade
2020-05-14 08:51:41)
Hello, I want to use python to upload the file to my Sharepoint. I got the same error 'X-MSDAVEXT_Error': '917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.' I want to solve this problem but I don't know how to do. Here is my code: import requests from shareplum import Office365 from config_s import config_s # get data from configuration username = config_s['sp_user'] password = config_s['sp_password'] site_name = config_s['sp_site_name'] base_path = config_s['sp_base_path'] doc_library = config_s['sp_doc_library'] file_name = "test.csv" # Obtain auth cookie authcookie = Office365(base_path, username=username, password=password).GetCookies() session = requests.Session() session.cookies = authcookie session.headers.update({'user-agent': 'python_bite/v1'}) session.headers.update({'accept': 'application/json;odata=verbose'}) # dirty workaround.... I'm getting the X-RequestDigest from the first failed call session.headers.update({'X-RequestDigest': 'FormDigestValue'}) response = session.post( url=base_path + "/sites/" + site_name + "/_api/web/GetFolderByServerRelativeUrl('" + doc_library + "')/Files/add(url='a.txt',overwrite=true)", data="") session.headers.update({'X-RequestDigest': response.headers['X-RequestDigest']}) # perform the actual upload with open( r'/Path/test.csv', 'rb+') as file_input: try: response = session.post( url=base_path + "/sites/" + site_name + "/_api/web/GetFolderByServerRelativeUrl('" + doc_library + "')/Files/add(url='" + file_name + "',overwrite=true)", data=file_input) print(response) print(response.headers) except Exception as err: print("Some error occurred: " + str(err)) print('end...') Thx you sincerely if you can help me!
Antti K. Koskela
2020-05-22 22:54:31
Hi Wade! What have you tried so far?
Emiel
2020-06-22 12:25:21)
Hi I'm trying the connect from postman to get file content from a sharepoint site. 
https://xxx.sharepoint.com/sites/teamsitename/_api/web/GetFolderByServerRelativeUrl('sales')/Files('order.e01')/$value
Azure AD App registration: done Api Permissions: done First I'll get an accestoken trough accounts.accesscontrol.com. I use that auth token as bearer in the above GET method And I still getting the "AX-MSDAVEXT_Error’: ‘917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.’ LegacyAuthProtocolsEnabled        : True RequireAcceptingAccountMatchInvitedAccount : False Added as trusted sites trough internet explorer I'm out of ideas...
Antti K. Koskela
2020-07-01 00:23:28
Hi Emiel, Apologies for the slow response! For whatever reason, your comment triggered the spam filter so I didn't see it right away... Anyway, are you able to connect to the site using PnP PowerShell's Connect-PnpOnline cmdlet? Just trying to narrow the situation down a bit!
mike libera
2020-09-17 11:16:23)
Hi Antti! I am struggling to resolve this error. My use case is that I need to read from another company's Sharepoint which is on the O365 cloud. I have full permission to read the site but I cannot even get the /_api/contextinfo call to work to obtain a token. Do you have any idea about how could I resolve it?
Antti K. Koskela
2020-09-21 15:03:56
Hi Mike, Do you have enough permissions to check the status of LegacyAuthProtocolsEnabled and RequireAcceptingAccountMatchInvitedAccount switches running Get-SPOTenant (https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/get-spotenant?view=sharepoint-ps) ?
← Back to home