How can we improve Azure Active Directory?

Enable app password creation when MFA is enforced using Azure Conditional Access

I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that don't support ADAL completely. Even though one could argue that this is a condition based access where we want MFA when a particular resource is being accessed. Well, the point is that even if we're enabling it for the user in the classic portal, that is still the goal. We want MFA! So, I don't see why you would give the option to create app passwords only for one of them and not the other.

65 votes

Vishal Gupta shared this idea

12 comments

  • Tom Turpin commented

    I have tested with not enabling the MFA policy for both Modern authentication clients and Exchange ActiveSync clients. I have found that Android clients can add the account.

    For Apple devices though, I had to approve Apple as an Enterprise application to get it working. This process meant getting the URL for the username entry on an Apple device into a PC so that I could alter the URL to enable an Admin to Approve it as an Enterprise Application in Azure.

    Instructions are here: https://bit.ly/2F66Wa7

    Long URL is:
    https://www.admin-enclave.com/de/articles-by-year/46-data-articles/website_articles/articles/office-365/410-resolved-ios-accounts-needs-permission-to-access-resources-in-your-organization-that-only-an-admin-can-grant.html

  • Tom Turpin commented

    Still unsolved. I have a client with 5,000 licenses, and cannot create app passwords when using the conditional MFA Policy.

  • Anonymous commented

    upvoted.
    I guess one could exempt Android from MFA and create a conditional access policy that requires the device marked as compliant and then require strict config policies in Intune instead of poking a hole in MFA security with a static app password that doesn't follow password rotation policies... #tradeoffs

  • Anonymous commented

    Application passwords should probably be available independent of Microsoft's MFA. For example if you use DUO MFA via conditional access, there seems to be no way to allow a user to create application passwords without enrolling them in two different MFA methods.

  • Greg Lamb commented

    Considering Skype for Business requires an App Password it's pretty lame that we can't use conditional access policy. If I exclude Skype that creates a hole.

  • Anuj Rana commented

    You can now block legacy clients using conditional access. Clients using ActiveSync, IMAP, POP, SMTP etc. can be blocked using CAP on Portal.azure.com

  • Anonymous commented

    We need this too! Still not solved (June 2018).
    What is the point in setting MFA if you can bypass it on Android??

  • John Fedor commented

    Conditional access only works with modern-auth applications. Non-modern auth applications bypass conditional access checks (such as Outlook 2010, Outlook 2013 without the registry tweak), so app-password wouldn't be applicable in conditional access scenarios.
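
    Anuj Rana's point (legacy clients can be blocked by Conditional Access) and John Fedor's (those clients never reach the MFA check) fit together as a pair of policies: require MFA for modern-auth clients and explicitly block the legacy ones, since otherwise they sail past the MFA policy. The following is an added example, not code from this thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the break-glass group id is a placeholder.

```powershell
# Added example (not from the thread): two Conditional Access policies created through the
# Microsoft Graph PowerShell SDK (assumed installed). Both start in report-only state so the
# admin can review the sign-in log for affected clients before switching them to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of an emergency-access (break-glass) group excluded from both policies.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Policy 1: legacy clients (Exchange ActiveSync, IMAP/POP/SMTP, Office builds without modern
# auth) never receive an MFA prompt, so a "require MFA" policy alone leaves them as a bypass.
# "other" is the Graph client app type covering those non-modern protocols.
$blockLegacy = @{
    displayName   = "Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: browser and ADAL/MSAL-based desktop and mobile clients get the MFA requirement.
$requireMfa = @{
    displayName   = "Require MFA for modern authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

    Once the report-only sign-in log shows which users and devices would have been blocked, flip `state` to `enabled`; the legacy-block policy is what closes the gap the thread complains about, because app passwords only ever served clients that this policy denies.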

  • S commented

    Will there be a day when the MS dev teams actually read the feedback?
