Enable app password creation when MFA is enforced using Azure Conditional Access
I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.
I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal, then the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal, then the app password creation option is not presented at all. Both are essentially implementing the same function, but the latter completely blocks the apps that don't support ADAL. Even though one could argue that this is condition-based access, where we want MFA when a particular resource is being accessed. Well, the point is that even if we're enabling it for the user in the classic portal, that is still the goal. We want MFA! So, I don't see why you would give the option to create app passwords only for one of them and not the other.
Marc Rodieck commented
This is very frustrating, has anybody found a way around this? So basically if you have a conditional access policy enforcing MFA, you cannot use app passwords?
Jake Ives commented
It is frustrating that it is currently not possible to generate an app password for an account when MFA has been enforced via a Conditional Access Policy.
We want to be able to enforce MFA under certain conditions but not others and also want new users to be able to use Skype. Currently this is not possible as using Conditional Access for MFA does not present app passwords to users on registration. Seems like a huge gap.
Baseline policy: Require MFA for admins (preview)
Baseline policy: End user protection (preview)
We have enabled these policies, but need to use app-password :(
Thank you. All the hours I spent going through every item in Azure and O365 thinking I had missed something are now known to be time wasted, though not my fault??
Customer has a new employee that must have an iOS resident email app.
For MFA and Email on iOS,
Intune Company Portal on the App Store + Outlook app work perfectly
Tom Turpin commented
I have tested with not enabling the MFA policy for both Modern authentication clients and Exchange ActiveSync clients. I have found that Android clients can add the account.
For Apple devices though, I had to approve Apple as an Enterprise application to get it working. This process meant getting the URL for the username entry on an Apple device into a PC so that I could alter the URL to enable an Admin to Approve it as an Enterprise Application in Azure.
Instructions are here: https://bit.ly/2F66Wa7
Long URL is:
Tom Turpin commented
Still unsolved. I have a client with 5,000 licenses, and cannot create app passwords when using the conditional MFA policy.
I guess one could exempt Android from MFA and create conditional access policy that requires the device marked as compliant and then require strict config polices in Intune instead of poking a hole in MFA security with a static app password that doesn't follow password rotation policies... #tradeoffs
Application passwords should probably be available independent of Microsoft's MFA. For example if you use DUO MFA via conditional access, there seems to be no way to allow a user to create application passwords without enrolling them in two different MFA methods.
Greg Lamb commented
Considering Skype for Business requires an App Password, it's pretty lame that we can't use a conditional access policy. If I exclude Skype, that creates a hole.
Anuj Rana commented
You can now block legacy clients using conditional access. Clients using ActiveSync, IMAP, POP, SMTP etc. can be blocked using CAP on portal.azure.com
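The block-legacy-clients policy mentioned above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not a commenter's code, and it assumes the Microsoft.Graph module is installed and the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission; the policy name and the break-glass group id are placeholders):

```powershell
# Added example: create a Conditional Access policy that blocks legacy
# (non-modern-auth) clients such as ActiveSync, IMAP, POP and SMTP.
# Assumes: Microsoft.Graph module installed; admin has Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "Block legacy authentication clients"   # placeholder name
    # Start in report-only mode so sign-in logs show what WOULD be blocked
    # before enforcing; switch to "enabled" once the impact is understood.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # Exclude an emergency-access (break-glass) group; placeholder id.
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")
        }
        applications = @{ includeApplications = @("All") }
        # "exchangeActiveSync" covers EAS; "other" covers the remaining legacy
        # protocols (IMAP, POP, SMTP AUTH, older Office clients without ADAL).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

While the policy is in report-only state, the Conditional Access tab of each sign-in log entry shows which legacy clients would have been blocked, which is how to find the devices that still need an Outlook or other modern-auth app before flipping the state to "enabled".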
We need this too! Still not solved (June 2018).
What is the point in setting MFA if you can bypass it on Android??
We also need this!
John Fedor commented
Conditional access only works with modern-auth applications. Non-modern-auth applications bypass conditional access checks (such as Outlook 2010, and Outlook 2013 without the registry tweak), so app passwords wouldn't be applicable in conditional access scenarios.
Will there be a day when the MS dev teams actually read the feedback?
We need this too!
Has this ever been solved?