Mar 11 2020 07:57 AM
Is it possible to apply Microsoft Authenticator passwordless Sign-In MFA to Office/Microsoft 365's native desktop apps (latest versions) so that the user gets prompted with push MFA validation via Microsoft Authenticator on their mobile device, the same as they would using the Office 365 web apps?
Assume the applications are being launched from a fully native Azure AD integrated user account on a Windows 10 Business OS platform.
Mar 11 2020 09:08 AM
Hi, yes, this should work the same way it does with web apps. All the common Microsoft desktop apps since around Office 2013 (and mobile ones) understand modern authentication, so when MFA is required when adding your work or school account, MFA will be enforced natively (no need for app passwords). This link goes through registration and overall experience (steps 4 and 5 particularly):
How MFA is enforced will vary depending on the licensing; this table has lots more info - Available versions of Azure Multi-Factor Authentication.
With Conditional Access, you get the most control, which is part of Azure AD Premium and comes with Enterprise Mobility + Security, Microsoft 365 Business or Enterprise. Otherwise, for the relevant Office 365 subscriptions (details in the above link), it works as so:
"Azure Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. Management is through the Office 365 portal."
Mar 11 2020 03:46 PM
Hmmmm, that was what I suspected but I am still prompted to use App Passwords with my Office desktop apps (running Office 365 desktop apps; all patched to the latest version), with my Microsoft 365 account.
I have Microsoft Authenticator Passwordless Signin working perfectly when logging into portal.office.com and using Office mobile apps (Mac and Android), but for some reason it's not working with Office desktop apps on my Windows 10 Business client, even under my Azure AD integrated profile.
My license is Microsoft 365, but perhaps the issue may be that I'm not on Microsoft 365 E3/E5? How would I check this?
Mar 12 2020 07:36 AM Solution
Mar 14 2020 09:23 AM
@Thijs Lecomte, THANK YOU!!
I'd been going back and forth with Office 365 Support on this issue, and NONE OF THEM responded with this basic response. No, Modern Authentication was NOT enabled for my Exchange Online environment, which is obviously a piece of what's impacting my ability to enable passwordless push MFA for native Office 365 desktop apps on a Windows 10 Business / Azure AD integrated user profile.
Again, thank you for the answer to my question.
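
One way to check the setting the last post refers to, as an added example that is not taken from any post in this thread: it reads the Exchange Online modern authentication switch and the Office client's `EnableADAL` registry value. It assumes the ExchangeOnlineManagement module and an Exchange admin role; the function name `Test-ModernAuthReadiness` is hypothetical.

```powershell
# Added example, not code from the thread. Test-ModernAuthReadiness is a hypothetical name.
function Test-ModernAuthReadiness {
    [CmdletBinding()]
    param(
        # Office registry version key: 16.0 covers Office 2016, 2019 and Microsoft 365 Apps
        [string]$OfficeVersion = '16.0'
    )

    # Tenant side: is modern authentication (OAuth2) enabled for Exchange Online?
    $org = Get-OrganizationConfig
    $tenantEnabled = [bool]$org.OAuth2ClientProfileEnabled

    # Client side: EnableADAL = 0 switches modern authentication off in Office.
    # From 16.0 on, a missing value means enabled; on 15.0 (Office 2013) it means disabled.
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Identity"
    $enableAdal = (Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
    $defaultOn = [version]$OfficeVersion -ge [version]'16.0'
    $clientEnabled = if ($null -eq $enableAdal) { $defaultOn } else { $enableAdal -ne 0 }
    $adalText = if ($null -eq $enableAdal) { 'not set' } else { "$enableAdal" }

    [pscustomobject]@{
        Tenant                   = $org.Name
        ExchangeOnlineModernAuth = $tenantEnabled
        OfficeEnableADAL         = $adalText
        OfficeClientModernAuth   = $clientEnabled
        Ready                    = $tenantEnabled -and $clientEnabled
    }
}

Connect-ExchangeOnline
Test-ModernAuthReadiness

# If ExchangeOnlineModernAuth is False, an admin can turn it on for the tenant:
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```

While `ExchangeOnlineModernAuth` is `False`, Outlook desktop falls back to basic authentication against Exchange Online, which is the situation where app passwords are requested.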