Microsoft Entra Blog

Public Preview: Authenticator Lite (in Outlook)

Alex Weinert
Former Employee
Apr 18, 2023

Two years ago, we shared that “It's Time to Hang Up on Phone Transports for Authentication.” Today, we’re adding the public preview of Authenticator Lite to the tools we are offering to help you move away from text message (SMS) and voice-based authentication. Our priority is getting every user to sign in with modern strong authentication – passwordless, hardened against phishing, easy to use and adaptable to evolving attacks.

 

Our top recommendation for modern strong authentication is the Microsoft Authenticator app (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-authenticator-app), which offers the most robust security features, updated the most frequently, for free. The Microsoft Authenticator app has over 100 million users worldwide who trust it as a secure and easy way to authenticate, making it the most popular way to sign in with strong authentication in Azure.

 

Because modern strong authentication is so important, we're making it even more accessible by embedding it right into the Outlook client! We call this embedded experience Authenticator Lite (https://aka.ms/authappliteadmindocs), and we're excited to announce it is now in public preview! Users who haven’t yet downloaded Authenticator can now complete MFA for their work or school account for free using the Outlook app on their iOS or Android devices. Users can approve authentication requests and receive TOTP codes, bringing the security of Authenticator to a convenient location while simplifying users’ move off phone transports for authentication.

 

During public preview, admins can choose to enable or disable this capability for a group of users or to leave the feature in a Microsoft managed state. Enabling a group for Authenticator Lite is possible from the Entra portal via the Authenticator configuration page.  It’s also possible to https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite#enable-authenticator-lite

 

 

 

Authenticator Lite, as the name suggests, will extend a subset of the Authenticator’s capabilities into Outlook. Each verification notification will include a number matching prompt and biometric or PIN verification if enabled on the device. More information on the Authenticator Lite notification configurations can be found at https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite#enable-authenticator-lite

 

Once enabled for Authenticator Lite, users on the https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite#prerequisites without the Authenticator app will be prompted to register Outlook as an MFA method when they launch the app on their device.  

 

 

 

Once registered, users will be prompted during their next authentication to authenticate using a push notification in their Outlook app.

 

 

 

Registered users will also have access to a TOTP code found in their Outlook settings under Authenticator.  

 

 

 

For more information on enabling this feature for your users, see https://aka.ms/authAppLiteAdminDocs. Rollout to support this feature in Outlook is currently underway. 

 

This feature will roll out to tenants in the state ‘Microsoft managed’ (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-default-enablement). For the duration of public preview, leaving the feature set to ‘Microsoft managed’ will have no impact on your users and the feature will remain turned off unless you explicitly change the state to enabled. In late April 2023, we will remove preview tags and enter general availability. On June 9, 2023, if the feature is left set to ‘Microsoft managed,’ your tenant will be enabled for Authenticator Lite by Microsoft. If you do not wish for this feature to be enabled on June 9, set the state to ‘disabled’ or assign users to include and exclude groups prior to June 9.
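The rollout rule above can be checked against an exported policy before the cutover date. The following is an added example, not Microsoft's code: it resolves which users fall in scope for Authenticator Lite on a given day. The field names (`state`, `includeTarget`, `excludeTarget`), the value `default` for ‘Microsoft managed’, the `all_users` sentinel and the rule that exclusion wins over inclusion are assumptions, and the group ids and users are constructed placeholders.

```python
from datetime import date

# From the post: on June 9, 2023 a tenant left on 'Microsoft managed' is enabled.
MANAGED_ENABLE_DATE = date(2023, 6, 9)
ALL_USERS = "all_users"  # assumed sentinel for "every user in the tenant"

def effective_state(state: str, on: date) -> str:
    """Resolve the configured state to what is in force on a given day."""
    if state in ("enabled", "disabled"):
        return state
    if state == "default":  # assumed wire value for 'Microsoft managed'
        return "enabled" if on >= MANAGED_ENABLE_DATE else "disabled"
    raise ValueError(f"unknown state: {state!r}")

def lite_applies(setting: dict, user_groups: set, on: date) -> bool:
    """True if a user with these group memberships is in scope on `on`."""
    if effective_state(setting["state"], on) != "enabled":
        return False
    exclude = (setting.get("excludeTarget") or {}).get("id")
    if exclude in user_groups:  # assumption: exclusion beats inclusion
        return False
    include = (setting.get("includeTarget") or {}).get("id", ALL_USERS)
    return include == ALL_USERS or include in user_groups

def users_in_scope(setting: dict, directory: dict, on: date) -> list:
    """Names of users who would be prompted to register Outlook on `on`."""
    return sorted(u for u, groups in directory.items()
                  if lite_applies(setting, groups, on))

# Constructed sample data: group ids and users are placeholders.
SAMPLE_SETTING = {
    "state": "default",
    "includeTarget": {"targetType": "group", "id": ALL_USERS},
    "excludeTarget": {"targetType": "group", "id": "grp-break-glass"},
}
SAMPLE_DIRECTORY = {
    "alice": {"grp-sales"},
    "bob": {"grp-sales", "grp-break-glass"},
}

if __name__ == "__main__":
    for day in (date(2023, 6, 8), date(2023, 6, 9)):
        print(day, users_in_scope(SAMPLE_SETTING, SAMPLE_DIRECTORY, day))
```

Running it for the day before and the day of the cutover shows the change a tenant left on ‘Microsoft managed’ would see, and which excluded accounts stay out of scope.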

 

We hope you and your users enjoy this new feature, and, as always, please let us know of any questions or feedback by leaving comments down below or reaching out to us at http://aka.ms/azureADfeedback 
 

Regards, 

Alex Weinert

VP Director of Identity Security, Microsoft   

Microsoft Identity Division 

 

 

Updated May 18, 2023
Version 2.0

5 Comments

  • Little_Joe
    Bronze Contributor

    Why only available for Outlook mobile app? Can it just expand to rest of M365 apps as well? 

  • NJoern
    Copper Contributor

    This answers my question and the question from Ian

     

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite

  • NJoern
    Copper Contributor

    Can the new Authenticator Lite feature in Outlook Mobile also take over the function of the Broker App?

     

    https://learn.microsoft.com/en-us/MEM/intune/protect/app-based-conditional-access-intune

     

     

  • Domcote
    Copper Contributor

    Sounds nice. 👍

    How about leveraging Google's MFA notifications which are built in to Android? No need for apps at all.

  • Ian Noble
    Copper Contributor

    Can this co-exist with full fat authenticator app, so the user can choose? Or is it an either/or choice?