KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement

KnowledgeBase

Multi-factor authentication is the current solution to the problem of inadequate information security in today’s world of user names and passwords. When you have enabled multi-factor authentication in Microsoft Azure and Office 365, you might need app passwords to allow for certain access to not disrupt the business.

 

The situation

As an organization, you use Microsoft Azure Active Directory (Azure AD). Your colleagues access data and functionality through Azure AD-integrated applications, services and systems. Your organization uses the default settings in Azure AD.

You have enabled multi-factor authentication through either:

  1. Security Defaults
  2. Conditional Access

A colleague needs to access functionality and/or data through an outdated application or needs a service to communicate with your data using a privileged account in a situation that requires multi-factor authentication by your information security policies.
(in the latter case, as an Azure AD admin you create and optionally synchronize an account with least privileges as the service account)

The colleague cannot log in using modern authentication, is not prompted for multi-factor authentication, and as a result, is unable to gain access to the functionality or data.

You do not want to make an exception to the policies, so you allow the colleague to use one or more app passwords.

You instruct the user to create an app password. He or she performs the following steps:

  • He or she opens a web browser on her system and navigates to https://myaccount.microsoft.com/security-info.
  • He or she signs in using the credentials for the account.
  • He or she performs multi-factor authentication to gain access to multi-factor authentication management mode as part of the MyProfile / MyAccount experience.
  • He or she clicks on the UPDATE INFO > link on the Security info tile.
    The link leads to the Security info page.
  • He or she presses the + Add method button.
    The Add a method modal screen appears.
  • He or she opens the drop-down list of available methods.

 

The issue

The drop-down list for Add a method doesn’t offer to create an App password.

The drop-down list for 'Add a method' doesn't offer to add an App password (click for original screenshot)

 

The cause

The colleague cannot create an App password, because multi-factor authentication is required through Conditional Access or Security Defaults

 

The solution

To be able to create an App password, the account needs to be configured with the per-account multi-factor authentication requirement.

Note:
For accounts that are used as daily accounts for colleagues, configuring per-account multi-factor authentication results in a painful experience, as these settings override Conditional Access policies and Security Defaults and require multi-factor authentication for every sign-in with the account, unless remember multi-factor authentication is enabled. For these purposes, another solution is recommended; either create a separate service account or migrate to an app(lication) that the user can use with modern authentication.

Follow the below steps to enable per-user multi-factor authentication for an account:

  • Open a browser and navigate to the Azure AD Portal.
  • Sign in with an account that has the Global administrator or Privileged Authentication administrator role assigned.
  • In the left navigation pane, click Azure Active Directory.
  • In Azure Active Directory’s navigation pane, click on Security.
  • In the Security navigation pane, click on MFA.
  • In the Multi-Factor Authentication | Getting started main pane click the Additional cloud-based MFA settings link.
    A new browser tab or window opens with the multi-factor authentication page.
    On the Service settings tab you should see that the option to Allow users to create app passwords to sign in to non-browser apps is enabled by default.
  • Click the Users tab.
    On the Users tab, you should see a list of user objects within the Azure AD tenant.
  • Search the user object, or select it from the list of users.
  • In the area to the right of the users list, you should see the following links for the user object:
    1. Enable
    2. Manage user settings
  • Click the Enable link.
  • In the About enabling multi-factor auth modal window, click the enable multi-factor auth button.
  • In the Updates successful modal screen, click the close button.
  • The value in the MULTI_FACTOR AUTH STATUS column for the user object should now show Enabled.
  • In the area to the right of the users list, a new link appears: Enforce.
  • Click Enforce.
  • In the About non-browser applications modal, click the enforce multi-factor auth button.
  • In the Updates successful modal screen, click the close button.
    The value in the MULTI_FACTOR AUTH STATUS column for the
    user object should now show Enforced.
  • Sign out and ask the colleague to try and create an App password again.

After a few minutes, the colleague should be able to create an App password in multi-factor authentication management mode as part of the MyProfile / MyAccount experience.

The drop-down list for 'Add a method' now offers to add an App password (click for original screenshot)

Note:
After the app password is set, the per-account multi-factor authentication requirement can be removed by clicking the Disable link in the are to the right of the users list in the multi-factor authentication portal.

 

Concluding

Fumbling around in legacy portals to change legacy settings for legacy applications is quite the experience. I hope the whole ordeal left you with the bittersweet aftertaste of ‘Let’s not do this again’.

One Response to KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement

  1.  

    Thanks Sander – This might have helped us!

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.