Microsoft Authenticator app lock now enabled by default
Published Aug 03 2020 11:00 AM

Howdy folks,

We’re always listening to your feedback about Microsoft Authenticator and what we can do to make the app more secure and easier for end users. A few years ago, we released our App Lock feature in response to feedback that you wanted to make sure your app was secured by a PIN or biometric. Last month, we expanded App Lock’s protection. Now, if App Lock is enabled, when you approve any notification, you’ll also have to provide your PIN or biometric.

With our latest release, as part of our effort to make your sign-in experience even more secure, App Lock will be enabled by default if you’ve set up a PIN or biometric on your device.

[Image: authapp1.png]

Try it out

If you don’t have the Microsoft Authenticator app yet, get it here. You’ll need to be on version 6.4.22+ on iOS to try this out.

We started rolling this feature out to iOS TestFlight today, and we’ll gradually roll it out to all users over the next few weeks. The update will come to Android next month.

How different notifications will work

Azure AD and MSA MFA notifications

Currently, when the notification arrives on the phone, you can click Approve/Deny from the lock screen. However, when App Lock is enabled, you will have to launch the app (on iOS) or open a dialog (on Android) before you can click Approve/Deny, and you’ll also need to provide an additional PIN or biometric gesture to successfully authenticate. Thus, even if you leave your phone unlocked on your desk and walk away, a passerby cannot approve the notification for you.

[Image: authapp2.png]

Enterprise on-premise MFA notifications that already require a PIN

The flow will remain as it is today. After you interact with the notification, you will need to provide your MFA PIN (not your device PIN). In subsequent approvals, you will have the option to use your device biometric gesture instead of your MFA PIN.

Azure AD and MSA Phone sign-in notifications

The flow will remain as it is today.

Additional questions

If you have questions, check out our FAQ page.

Also, we want to hear from you! Feel free to leave comments down below or reach out to us on Twitter (@AzureAD).

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

90 Comments
Brass Contributor

Another Apple Watch user here who is experiencing issues.  Can't authorise any more on Apple Watch, have to return to phone.

Also getting two face scans in Authenticator app to authorise.  Not clever at all.

Copper Contributor

I was running the iOS Betas and presumed it was a beta issue for a while, but the watch thing appears to be a universal problem with app lock enabled once you are on iOS14/WatchOS7: https://social.technet.microsoft.com/Forums/en-US/e9538284-231b-495c-8e23-a75303924f72/apple-watch-a...

Microsoft

Thanks for the feedback about iOS14/WatchOS7. We're updating our devices and looking into the issue.

Copper Contributor

It appears that disabling App Lock is a bit trickier for new Authenticator enrollments. The last few enrollments I've assisted users with, the App Lock setting doesn't force until the second time the app is launched. So ensuring it's turned off right after the account is added is not enough, you must have the user open the app a second time before the App Lock can be disabled. Just a quick tip.

Brass Contributor

Can't turn it off unless you do it twice? What a fiasco. I haven't received the angry emails just yet but I am sure they are coming.

Microsoft has been doing so much better, but 1 out of 10 decisions seem to be made by a group of people with no clue as to how end users think or behave.  This is one of them.

Copper Contributor

I am really angry that the app lock has been added a) without my consent and b) without notification. The 2 step verification worked well, but now Authenticator tells me to use Touch ID or enter a passcode to unlock. I do not use Touch ID and I cannot enter my passcode as the screen seems frozen. My company's IT department has spent an hour today, working remotely, trying to solve the problem and has suggested that I disable the app completely and re-install it, but I cannot even do this. I use Mac OS Sierra 10.12 and an iPhone 12.4.8 and urgently need a solution as I cannot work at all.

Copper Contributor

Stella,

I had the same issue with several of our employees, and I had to shut the phone down completely, then power it up and tell the employee to remove the security lock code before doing anything else, and then they could disable the app lock. Once the app lock was disabled, I had the employee go back into the phone and re-enable the security PIN. I sent a note out to 800 employees on how to disable the lock on either iOS or Android phones. Definitely a pain for our employees and the 4 tech support people who support them. Good luck!

Copper Contributor

Hi Dave,

Yes, this has worked. Thanks so much! It has been a great help. However (I am writing this in the hope that Microsoft takes note), I strongly think that this should be an 'opt in' feature rather than an 'opt out' one. I work from home, my computer never leaves the house, and the chance of anyone accessing my accounts is extremely remote. Thanks again for your help.

Copper Contributor

I wonder how "App Lock on by default" will be handled in subsequent updates to the Authenticator app. Basically, if we have manually disabled it after the initial force in the latest update, and then the app updates to a future version, will App Lock be forced on again? I know this is hypothetical, but I'd like to be ready.

Copper Contributor

Hi Stella,

I'm glad I could help you with this issue. Our IT support department agrees with your sentiment that this should have been opt-in only. If "we" wanted to use it, then we could turn it on manually, rather than it being a forced-on setting. This caused us a lot of flak from our employees and we didn't need the added aggravation for no good reason. Multi-factor authentication is a much needed service, but it also causes us a lot of aggravation when the app stops working and we must reset it from time to time. So the added app lock is just one more layer.

Iron Contributor

My organization is experiencing the same issue: approvals from Apple Watch stopped working after enabling App Lock. I had a previous MS support case opened on this prior to noticing the Watch approval not working, to address another issue where the phone was not getting the notification push message while locked. That has been resolved, but now we have this new issue with Watch approvals not working.

I will follow-up with support and send them the debug logs from the Authenticator app that also captured logs from Apple Watch. Hopefully this issue gets resolved soon because we are in the midst of a major push to roll out MFA. 

Microsoft

Thanks for all the feedback about Apple Watch. We are aware of this issue and we are working with Apple to get it fixed.

Please see our FAQ (top question) for more information. https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq 

Copper Contributor

Is that FAQ's page you shared the best source to follow for an ETR? We too are in the middle of a big MFA push and looking for something consistent to present users with.

Copper Contributor

There was an update to the Authenticator for iOS yesterday (version 6.4.36), but still no Apple Watch fix. Any idea of when this issue with App Lock/Apple Watch will be fixed?

Copper Contributor

I have been using the authenticator for a couple of years with no issues. I use it infrequently, but it is important when I do. When I recently tried to use it and found it locked, I went to sign in and the pop-up that came up said use Touch ID or passcode to sign in; however, there was no box to enter the passcode. The only way to get there apparently is to use the Touch ID, which I have never set up! How do I get into my account to change my setup options?

Copper Contributor

Just saw a post that addressed the problem above and it worked! Thanks to Dave and Stella. I agree that this should be an opt-in rather than an opt-out. Very inconvenient!

Copper Contributor

Is there a way to reset the PIN/method required to unlock the Authenticator? One of my clients has the lock enabled, but all "PINs" (including the phone PIN) he knows are not being accepted. How is the unlock password chosen? Does reinstalling the app reset it? What options does he have?

Copper Contributor

@Stella_Kenway 

I have the same issue with one of my users, but on a different phone. I would also like a solution to this!

Copper Contributor

Iwashaya,

What type of phone is it, iPhone or Android? The PIN that needs to be disabled is in the security section of the phone when you go into Settings, and it has nothing to do with App Lock. Once you remove the PIN code from the phone, then you can disable the App Lock switch in the MFA settings. Unfortunately the App Lock may re-enable itself, because I noticed it popped up on my Samsung Galaxy S10 after a recent system update. Luckily I noticed it right away and disabled it again. I then tell employees to re-enable the PIN code after configuring their MFA app, as is our policy. Good luck!

Copper Contributor

This became enabled by default after the latest update to my phone. Others have already talked about whether or not that's a good idea.

The issue I have is perhaps a little more subtle, but affects the user experience. The app says it wants "my PIN" to launch it, but this is confusing to users. Which PIN? I have several PINs, though I've never set one in the Microsoft Authenticator app itself.

Perhaps it is obvious to YOU that this means "the PIN used to unlock your phone," but not everyone uses a PIN for that. Some people draw a pattern. I think the verbiage for this needs to be clarified, especially since, by definition, guessing wrong will get the user locked out of even more things, possibly making it impossible to request help (if the user is now locked out of Office 365 and can't get to e-mail).

Copper Contributor

@ddornberg 

Thanks for your response. One user has a Huawei, another a Samsung (different). I tried with the Huawei user and it will not allow him to disable the PIN. On my LG I also tried and it is not accepting. Maybe we are going about this the wrong way. Thanks again for your assistance.

Copper Contributor

@JMcNutt 

Thanks for your response.

On my iPhone it allows me to use either fingerprint or PIN. And yes, it is the one for the phone. It uses the phone lock to lock the app. I did not have to set a different one. I would like to disable it for now just so I can know how to do it for my users.

Copper Contributor

Microsoft Team, is there a possibility to have an app configuration policy that will allow me to force it on or off in Intune? The loop issue has become more prevalent with my users and is a bit of a frustration that it was forced on without consent.

Copper Contributor

Apple Watch is still broken. It was working with AppLock at some point, but was broken a few months ago.

Microsoft

Hello, we are aware of the Apple Watch issue, and we're still working with Apple on fixing the issue. Thanks.

Copper Contributor

Hello, Is there a way to disable this feature as it's an adding an extra step before notification approval?

Iron Contributor

@Nikonline Yes, you can disable App Lock. Open the Authenticator app, tap Settings, locate App Lock and tap the slider to disable it; you may be required to input your device passcode to turn it off.

Brass Contributor

Every week or so I hear complaints about this feature, and how much better Duo is from an experience perspective.

 

Nobody has yet explained why such a feature is needed en masse. Was phone theft while you use the bathroom really that big of an issue? Especially with COVID.

Copper Contributor

This is a terrible user experience and should be opt-in, not opt-out. I am unable to enter the app lock password when using MFA with the Cisco AnyConnect VPN client before the request times out, and when I try to disable this feature on my phone, it crashes the Settings app while trying to uncheck the box every time. I have been forced to switch MFA options and must now manually type in authenticator codes as a result of this "feature".

Good job Microsoft, way to make work just a little bit more miserable.

Copper Contributor

I need to add my work account on Authenticator on Android device A31?

Steel Contributor

edited.

Copper Contributor

I know I'll be spending some time helping others unlock this. Unnecessary for me; my phone is set to auto-lock within 45 seconds, and I press the lock switch when done using my phone anyway.

Today is the first time I've seen this, took an additional 30 minutes just to login to Outlook, didn't get the normal response from my phone, didn't know why. Had to request approval a few times before I saw what was happening. Thank you Google!

If employees ask me what to do, I will advise them to disable auto-lock in Settings. Just seems like more time wasting, unless you're an IT dept. head, or regularly access sensitive data.

Thank you for making the "kill switch" (disable auto-lock) easy to access! I'm seriously surprised that feature wasn't grayed out.

Copper Contributor

Because the App Lock is turned on, if you use the MFA Approve button, you will have only 12 seconds to approve. There is no way to extend the time of 12 seconds either, so we have started telling our employees to switch to the token (text), which gives you 45 seconds to 1 minute to enter and thereby is a much more reliable way to use MFA. If the App Lock is engaged, 12 seconds is just too brief a time for someone to see the Approve button appear on their phone, much less click it. I tell people that if you are still using the Approve button, then you must have the MFA app open before you need it; otherwise you will miss the pop-up and you will get caught in the looping MFA pop-up until you call the HelpDesk. This whole security "enhancement" has been a pain for us too. I am still having all employees disable the app lock in MFA too.

Copper Contributor

Does not work on a Galaxy Android Tablet

I have had Microsoft Authenticator installed on my Poco F1 for a while.  It requires a finger biometric to unlock.  No problem.

I recently installed it on my Galaxy Tab A7 and it is asking for a PIN to unlock even after I disabled the feature in Settings. I never set up a PIN and will not change my Poco F1 to a PIN.

How do I unlock Authenticator on my Galaxy Tab A7?

Copper Contributor

Going back to your comment made by:

Microsoft
Aug 18 2020 10:44 AM

"Once we have that mechanism built, the first policy will be to allow admins to require or not require App Lock."

Has an App Config file been created to allow admins to enable/

Copper Contributor

@Olena Huang Any update on the ability for admins to prevent users from turning app lock off?

Copper Contributor

Great this is now the default setting. Any pointers on how to enforce this from MAM / Azure would be very much appreciated as there does not seem to be a clear setting for it.

We would like to prevent our users from disabling this security feature.

Iron Contributor

Still no App Protection / MAM Policies to enforce App Lock? :sad:

Copper Contributor

Although this seemed brilliant additional security, Microsoft is using it to disable certain devices from being able to have the authentication on it.

SAD!

T

Microsoft

When this feature is enabled, the user cannot disable the app lock. In a recent case, the user had an Android Redmi phone with MS Authenticator application version 6.2307.4942 and was unable to approve the request when prompted to enter the PIN. After reviewing the Authenticator logs, I noticed it was showing: DENIED, message: Authentication request denied. Screen lock/biometric invalid or missing.

I had the user disable the lock screen PIN and the user was able to finish registration. Shouldn't the user be able to disable app lock in the MS Authenticator app without having to disable the screen lock PIN?

This seems to be a topic of discussion: Microsoft Authenticator App says Denied when I Approve the authentication request - Microsoft Q&A

Version history
Last update: Jul 31 2020 12:29 PM