Knowledgebase: You receive error ‘Unable to download’ when you try to install the AzureAD or MSOnline PowerShell Module

For many organizations, the reality is that their on-premises systems need to communicate with Microsoft cloud services. Whether it is for Azure AD Connect, Azure AD Connect Health, Azure AD Password Protection, or the Azure MFA NPS extension, you’ll need to install either or both of the MSOnline and AzureAD PowerShell modules.

On Windows Server 2016-based installations, however, you may quickly run into a problem when you just want to download and install the module.

 

The situation

You run a Windows Server 2016-based installation.

You want to use the installation to communicate with Azure Active Directory programmatically. You want to:

  • Install the MSOnline or AzureAD PowerShell module,
  • Run the configuration script for Azure AD Connect Health for AD FS,
  • Run the configuration script for Azure AD Connect Health for AD DS,
  • Run the configuration script for Azure AD Password Protection, or
  • Run the configuration script for the Azure Multi-factor Authentication extension to Microsoft Network Policy Server (NPS).

Note:
All the above situations result in installing and registering the NuGet provider and installing either the MSOnline or AzureAD PowerShell module.

You are prompted that PowerShell requires the NuGet provider version 2.8.5.201 or newer to interact with NuGet-based repositories. It asks whether you want PowerShellGet to install and import the NuGet provider.

You click ‘Yes’ or type Y.

 

The issue

You receive the following Windows PowerShell error:

WARNING: MSG:UnableToDownload «https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409» «»

WARNING: Unable to download the list of available providers. Check your internet connection.

WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ".

Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.

       

The cause

The error is caused by the way Windows PowerShell interacts with the NuGet infrastructure delivering both the NuGet Package Provider and the Windows PowerShell Module.

The entire infrastructure is secured with SSL/TLS. This prevents eavesdropping and meddler-in-the-middle attacks, where a malicious person would inject rogue code into a plain-text communication stream.

Windows PowerShell does not communicate with the infrastructure using TLS 1.2, but with a less secure encryption protocol. Like many other infrastructures, the NuGet infrastructure has switched off less secure encryption protocols. The best current way on Windows Server 2016 to interact with the infrastructure is using TLS 1.2.

 

The solution

To download the NuGet Package Provider and the MSOnline or AzureAD PowerShell module, issue the following line of Windows PowerShell first:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

 

Then, repeat the line of Windows PowerShell that installs the PowerShell module.
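
The same fix, written so that TLS 1.2 is added to the protocols already enabled instead of replacing them, followed by the install itself. This is an added example, not code from the original article; the function name Enable-SessionTls12 is hypothetical, and AzureAD can be swapped for MSOnline.

```powershell
# Added example (not from the original article).
# [Net.ServicePointManager]::SecurityProtocol is a per-process setting: the
# change below lasts only for this PowerShell session, writes nothing to the
# registry and needs no restart. Run the install commands in the same session.

function Enable-SessionTls12 {
    # Hypothetical helper name. Returns the resulting protocol set.
    $current = [Net.ServicePointManager]::SecurityProtocol
    $tls12   = [Net.SecurityProtocolType]::Tls12

    # SecurityProtocolType is a flags enum. -bor adds TLS 1.2 to whatever is
    # already enabled; a plain assignment (= Tls12) replaces the whole set,
    # which also works for this download but drops any other protocol the
    # session had enabled.
    if (-not $current.HasFlag($tls12)) {
        [Net.ServicePointManager]::SecurityProtocol = $current -bor $tls12
    }

    return [Net.ServicePointManager]::SecurityProtocol
}

Write-Host "Protocols before: $([Net.ServicePointManager]::SecurityProtocol)"
Write-Host "Protocols after:  $(Enable-SessionTls12)"

# Provider version taken from the prompt quoted in the article.
# -ErrorAction Stop makes a failed download halt the script instead of
# continuing to Install-Module with no provider registered.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -ErrorAction Stop

# No -Force here, so the repository trust prompt is still shown.
Install-Module -Name AzureAD -ErrorAction Stop

# Confirm what was installed.
Get-Module -ListAvailable -Name AzureAD | Select-Object Name, Version
```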

4 Responses to Knowledgebase: You receive error ‘Unable to download’ when you try to install the AzureAD or MSOnline PowerShell Module

  1.  

    Perhaps a better solution would be to configure .NET on the server to support TLS 1.2+ here.

    • Hi Nick,

      Thank you for your comment.
      The changes that you recommend are actual recommendations I provided for Windows Server installations that run Azure AD Connect (in combination with these settings to actually remove TLS 1.0 and TLS 1.1). However, I have a couple of issues recommending the registry edits that Microsoft recommends in your linked Docs page for all systems communicating to the Azure infrastructure:

      • These changes require a restart.
      • These changes apply system wide, while sometimes only the outside infrastructure requires TLS 1.2 and the inside infrastructure does not. In the handshake this might lead to (slightly) more network traffic or negotiation errors when the inside webserver is not properly prepared for TLS 1.2 or up.
       
  2.  

    Hi Sander,

    This got me unstuck, thank you!

  3.  

    Works like magic… Thanks
