“Unable to discover PowerShell endpoint URI” when using MFA with Skype Online

Grrr. It’s been that kind of day.

While chasing a Teams bug (about which more another time, once I have a consistent repro case), I needed to log on to Skype Online PowerShell. We use the Azure baseline policy that forces MFA for all admin accounts in our tenant; I just updated Chapter 3 of the book to discuss this policy and how to enable it. Unfortunately, with all my MFA-enabled accounts, when I tried to log on, I got an annoying error: “Unable to discover PowerShell endpoint URI”.

This caused me to do some serious head-scratching. Then I realized the issue: I had historically logged in to the service PowerShell endpoints with a cloud-based account (using ourdomain.onmicrosoft.com) that didn’t have MFA enabled. However, since we applied the baseline policy, all our accounts have the policy applied, so I started using my regular admin account.

The issue arose from the fact that we have a hybrid Skype topology, and our Lyncdiscover DNS records point at our on-prem servers. The fix is to use a little-known switch to New-CsOnlineSession: OverrideAdminDomain. That switch, documented here, forces Skype Online PowerShell to use the specified domain instead of trying to use DNS.


This worked like a champ! I was then able to accomplish my investigative tasks, and that success made me (temporarily) forget about the parking ticket I got this morning and the malfunctioning smoke detector that woke me up before dawn, thus converting the day, on balance, into a success.
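The check and connection described above, as an added example (not the author's original command): it looks at where the Lyncdiscover record for the admin's domain points and passes OverrideAdminDomain only when the record does not lead to Skype Online. The function names, `contoso.com` and `contoso.onmicrosoft.com` are placeholders, and the test assumes that online-only tenants CNAME lyncdiscover to a host under online.lync.com.

```powershell
# Added example. Function names and the contoso domains are hypothetical placeholders.

function Test-LyncDiscoverIsOnline {
    param([Parameter(Mandatory)][string]$SipDomain)

    # Assumption: online-only tenants CNAME lyncdiscover.<domain> to a host
    # under online.lync.com; hybrid tenants point it at on-prem servers.
    $records = Resolve-DnsName -Name "lyncdiscover.$SipDomain" -Type CNAME `
                               -ErrorAction SilentlyContinue
    $online = $records |
        Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -like '*.online.lync.com' }

    return [bool]$online
}

function Connect-SkypeOnlineMfa {
    param(
        [Parameter(Mandatory)][string]$UserName,      # MFA-enabled admin UPN
        [Parameter(Mandatory)][string]$TenantDomain   # <tenant>.onmicrosoft.com
    )

    Import-Module SkypeOnlineConnector

    $sipDomain = $UserName.Split('@')[1]
    $params    = @{ UserName = $UserName }   # -UserName triggers the modern-auth (MFA) prompt

    if (-not (Test-LyncDiscoverIsOnline -SipDomain $sipDomain)) {
        # Autodiscover would land on-prem (or fail), so name the tenant domain
        # explicitly instead of relying on DNS.
        Write-Verbose "lyncdiscover.$sipDomain is not online; using OverrideAdminDomain"
        $params.OverrideAdminDomain = $TenantDomain
    }

    $session = New-CsOnlineSession @params
    Import-PSSession $session -AllowClobber
}

Connect-SkypeOnlineMfa -UserName 'admin@contoso.com' -TenantDomain 'contoso.onmicrosoft.com'
```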
