KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement


Multi-factor authentication is the current answer to the inadequate security of user names and passwords alone. When you have enabled multi-factor authentication in Microsoft Azure and Office 365, you might need app passwords to allow certain access without disrupting the business.


The situation

As an organization, you use Microsoft Azure Active Directory (Azure AD). Your colleagues access data and functionality through Azure AD-integrated applications, services and systems. Your organization uses the default settings in Azure AD.

You have enabled multi-factor authentication through either:

  1. Security Defaults
  2. Conditional Access

A colleague needs to access functionality and/or data through an outdated application, or needs a service to communicate with your data using a privileged account, in a situation where your information security policies require multi-factor authentication.
(In the latter case, as an Azure AD admin you create, and optionally synchronize, an account with least privileges as the service account.)

The colleague cannot sign in with this application using modern authentication, is therefore not prompted for multi-factor authentication, and as a result is unable to gain access to the functionality or data.

You do not want to make an exception to the policies, so you allow the colleague to use one or more app passwords.

You instruct the colleague to create an app password. The colleague performs the following steps:

  • Opens a web browser and navigates to https://myaccount.microsoft.com/security-info.
  • Signs in using the credentials for the account.
  • Performs multi-factor authentication to gain access to multi-factor authentication management mode as part of the MyProfile / MyAccount experience.
  • Clicks the UPDATE INFO > link on the Security info tile.
    The link leads to the Security info page.
  • Presses the + Add method button.
    The Add a method modal screen appears.
  • Opens the drop-down list of available methods.


The issue

The drop-down list for Add a method doesn’t offer to create an App password.

[Screenshot: the drop-down list for 'Add a method' doesn't offer to add an App password]


The cause

The colleague cannot create an App password, because multi-factor authentication is required through Conditional Access or Security Defaults rather than through the per-user multi-factor authentication setting.


The solution

To be able to create an App password, the account needs to be configured with the per-account multi-factor authentication requirement.

Note:
For accounts that colleagues use daily, configuring per-account multi-factor authentication results in a painful experience: these settings override Conditional Access policies and Security Defaults and require multi-factor authentication for every sign-in with the account, unless the 'remember multi-factor authentication' option is enabled. For these accounts, another solution is recommended: either create a separate service account or migrate to an application that the user can use with modern authentication.

Follow the below steps to enable per-user multi-factor authentication for an account:

  • Open a browser and navigate to the Azure AD Portal.
  • Sign in with an account that has the Global administrator or Privileged Authentication administrator role assigned.
  • In the left navigation pane, click Azure Active Directory.
  • In Azure Active Directory’s navigation pane, click on Security.
  • In the Security navigation pane, click on MFA.
  • In the Multi-Factor Authentication | Getting started main pane, click the Additional cloud-based MFA settings link.
    A new browser tab or window opens with the multi-factor authentication page.
    On the Service settings tab you should see that the option to Allow users to create app passwords to sign in to non-browser apps is enabled by default.
  • Click the Users tab.
    On the Users tab, you should see a list of user objects within the Azure AD tenant.
  • Search the user object, or select it from the list of users.
  • In the area to the right of the users list, you should see the following links for the user object:
    1. Enable
    2. Manage user settings
  • Click the Enable link.
  • In the About enabling multi-factor auth modal window, click the enable multi-factor auth button.
  • In the Updates successful modal screen, click the close button.
  • The value in the MULTI-FACTOR AUTH STATUS column for the user object should now show Enabled.
  • In the area to the right of the users list, a new link appears: Enforce.
  • Click Enforce.
  • In the About non-browser applications modal, click the enforce multi-factor auth button.
  • In the Updates successful modal screen, click the close button.
    The value in the MULTI-FACTOR AUTH STATUS column for the user object should now show Enforced.
  • Sign out and ask the colleague to try and create an App password again.

After a few minutes, the colleague should be able to create an App password in multi-factor authentication management mode as part of the MyProfile / MyAccount experience.

[Screenshot: the drop-down list for 'Add a method' now offers to add an App password]

Note:
After the app password is set, the per-account multi-factor authentication requirement can be removed by clicking the Disable link in the area to the right of the users list in the multi-factor authentication portal.
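The Enable/Enforce steps above and the note on removing the requirement afterwards, as an added PowerShell example that is not from the original article: it writes the same legacy per-user setting the PhoneFactor portal's Users tab edits, through the MSOnline module (assumed installed, with Connect-MsolService already run); the UPN is a placeholder.

```powershell
# Added example, not from the original article. Assumes the MSOnline module is
# installed and Connect-MsolService has been run with an account holding the
# Global administrator or Privileged Authentication administrator role.

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
    # No requirement object means the portal would show the user as Disabled.
    if ($null -eq $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State          # 'Enabled' or 'Enforced'
}

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array is what the portal's Disable link produces.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    } else {
        $sta = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $sta.RelyingParty = '*'   # apply to all relying parties, as the portal does
        $sta.State = $State
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($sta)
    }
    # Read the value back so a failed write is noticed rather than assumed.
    $actual = Get-PerUserMfaState -UserPrincipalName $UserPrincipalName
    if ($actual -ne $State) { throw "Expected $State for $UserPrincipalName, found $actual" }
    Write-Host "$UserPrincipalName per-user MFA state is now $actual"
}

# Usage with a placeholder UPN: mirror the portal order, Enabled first, then Enforced.
$upn = 'svc-legacy-app@contoso.example'
Set-PerUserMfaState -UserPrincipalName $upn -State 'Enabled'
Set-PerUserMfaState -UserPrincipalName $upn -State 'Enforced'

# Once the colleague has created the app password, revert as the note above describes:
# Set-PerUserMfaState -UserPrincipalName $upn -State 'Disabled'
```

Keep a record of which accounts were given the Enforced state and when, so the revert step is not forgotten once the app password exists.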


Concluding

Fumbling around in legacy portals to change legacy settings for legacy applications is quite the experience. I hope the whole ordeal left you with the bittersweet aftertaste of ‘Let’s not do this again’.

16 Responses to KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement

  1. Thanks Sander – This might have helped us!

  2. great!

  3. This has just saved my skin and my sanity – thank you so much!

  4. Thanks for the article. How does this affect all the other users? Are they still under the "security defaults" for MFA? I did not realize you could mix and match. I thought when you turned on security defaults the old conditional MFA settings had to be disabled.

     • Hi Mike,

       Indeed, Security Defaults and Conditional Access are mutually exclusive.
       The settings in the legacy PhoneFactor portal, however, can be used in conjunction with both.
  5. Thanks for the article.

     I followed the steps above with a new tenant that had security defaults enabled by default. I'm still unable to use the app password. I'm seeing authentication errors e.g. using send-message using PowerShell to relay through M365 I receive 5.7.57 Client not authenticated to send mail.

     Could this be somehow related to legacy auth being disabled across the org with security defaults?

     In Microsoft's article on security defaults, it mentions that 'App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators'. It lists this under 'Conditional Access' not security defaults.

     Thoughts?

  6. I want this to work. And it seems like it should. With security defaults enabled *AND* MFA enforced on a user, I get the ability to create an App Password. However, it just doesn't seem to auth for IMAP/SMTP in Mail.app or Thunderbird. Maybe I need to wait an hour for something to propagate?

     • With Security Defaults on, IMAP, POP and SMTP AUTH are disabled.
  7. Hi Sander,

     In my tenant I have a Conditional Access policy for MFA that includes one group with some users.
     So now I have to enable App passwords for some of these users. Can I enable app passwords even if they are already in that group? Thanks.

     • Yes, you can.

       As long as the legacy PhoneFactor portal is available, you can set the status for the users that require an app password to 'enable' (per user). As long as the setting in the legacy portal allows creating app passwords too, they can create app passwords.
  8. Hi Sander,

     I have an AD tenant that is configured to use a Conditional Access policy at a group level.

     Now, I need to enable app password for some users that are already in a group that uses Conditional Access. Is that possible without modifying the CA policy? Thanks.

     • Yes, you can.

       As long as the legacy PhoneFactor portal is available, you can set the status for the users that require an app password to 'enable' (per user). As long as the setting in the legacy portal allows creating app passwords too, they can create app passwords.

       As app passwords satisfy the MFA requirement, you don't have to modify the CA policy to make exceptions.
  9. Hi Sander,

     Thanks for the quick answer, I appreciate it!
     What do you mean when you talk about the PhoneFactor portal? Is that another portal? Or is it the portal where I can set the app password? Thank you and have a good day.

     • Hi John,

       My apologies for the confusion.

       The PhoneFactor portal is the website you access when you click the Additional cloud-based MFA settings link, after you've navigated to Azure Active Directory, Security and then MFA in the Azure Portal.

       This portal has been around since the early days of Azure MFA Server (Microsoft's product based on the PhoneFactor technology, acquired in 2012). It looks and feels legacy when compared to the Azure portal, hence my name for it.
  10. Hi Sander,

      Thanks, I got it!

      Great website, keep it going 😉
