Azure MFA application password

Hello!

 

I have a question regarding App Passwords in Multi-Factor Authentication (on Azure):

I've been testing Azure MFA using domain password and SMS as a second factor for authentication and noticed that I have to use the App Password as well (example: Outlook for desktop) which as far as I can see is impossible to bypass if using Azure MFA solution.

The problem is that the App password is system-generated and the user can never see it again (I get the concept and security of the system-generated password), which is not a problem for me who is familiar with using such a solution, but I've found it very confusing for users inside the company.

 

I found the article which was created on February 14, 2018:

https://answers.microsoft.com/en-us/msoffice/forum/all/turning-off-app-passwords-in-multi-factor/2d2...

Is there any news regarding this solution?

 

So my questions are:

1. What is the experience (from the management perspective) with the rollout to the end users, and what was the user experience? So far I think it will be almost impossible to explain to the end users how App passwords work and how they will type that password into their smartphones etc.

2. Is there any other option instead of App passwords which is supported by Azure?

3. Is it possible to turn it off? (kind of kills the concept of MFA, but just wondering)

4. I suppose that it is impossible to turn App passwords off, but would be nice if anyone has some advice of providing better user experience even with using App passwords? 

 

 

Thanks!

2 Replies

@mbocak You should be able to use modern authentication and do away with the need to use app passwords completely: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-mo...

 

You can also run some PowerShell commands to disable basic authentication protocols in Exchange Online: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...
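
As an added illustration of the two steps mentioned in the reply above (not code from the reply or from the linked articles): a staged Exchange Online PowerShell sequence that enables modern authentication and then blocks basic authentication for a pilot group first. The policy name and the pilot addresses are placeholders, and the ExchangeOnlineManagement module with an Exchange administrator account is assumed.

```powershell
# Added example. Placeholders: $policyName and the addresses in $pilotUsers.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Make sure modern authentication (OAuth2) is enabled for the tenant,
#    so Outlook and mobile clients can complete MFA without an app password.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# 2. Create an authentication policy. A policy created without any
#    -AllowBasicAuth* switches blocks basic authentication for every protocol.
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

# 3. Assign the policy to a small pilot group before touching everyone.
$pilotUsers = @(
    'pilot.user1@contoso.example',
    'pilot.user2@contoso.example'
)
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # Expire existing tokens so the policy takes effect without the usual delay.
    Set-User -Identity $upn -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

# 4. Confirm the assignment for the pilot users.
foreach ($upn in $pilotUsers) {
    Get-User -Identity $upn | Format-List UserPrincipalName, AuthenticationPolicy
}

# 5. After the pilot clients are confirmed working with modern authentication,
#    make the policy the tenant default (left commented out on purpose).
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

Disconnect-ExchangeOnline -Confirm:$false
```

Clients that only support basic authentication stop connecting for the users in step 3, so the pilot group is where any remaining legacy clients show up before the tenant-wide default in step 5 is applied.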

@Andrew Swinn Thank you for your reply!

 

I will take a look and try it out!

 

Cheers!