Enable app password creation when MFA is enforced using Azure Conditional Access
I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.
I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal, then the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal, then the app password creation option is not presented at all. Both are essentially implementing the same function, but the latter completely blocks the apps that don't support ADAL. Even though one could argue that this is condition-based access where we want MFA when a particular resource is being accessed. Well, the point is that even if we're enabling it for the user in the classic portal, that is still the goal. We want MFA! So, I don't see why you would give the option to create app passwords only for one of them and not the other.
Tom Turpin commented
I have tested with not enabling the MFA policy for both Modern authentication clients and Exchange ActiveSync clients. I have found that Android clients can add the account.
For Apple devices though, I had to approve Apple as an Enterprise application to get it working. This process meant getting the URL for the username entry on an Apple device into a PC so that I could alter the URL to enable an Admin to Approve it as an Enterprise Application in Azure.
Instructions are here: https://bit.ly/2F66Wa7
Long URL is:
Tom Turpin commented
Still unsolved. I have a client with 5,000 licenses, and cannot create app passwords when using the conditional MFA policy.
I guess one could exempt Android from MFA and create a conditional access policy that requires the device to be marked as compliant, and then require strict config policies in Intune, instead of poking a hole in MFA security with a static app password that doesn't follow password rotation policies... #tradeoffs
Application passwords should probably be available independent of Microsoft's MFA. For example if you use DUO MFA via conditional access, there seems to be no way to allow a user to create application passwords without enrolling them in two different MFA methods.
Greg Lamb commented
Considering Skype for Business requires an App Password, it's pretty lame that we can't use a conditional access policy. If I exclude Skype, that creates a hole.
Anuj Rana commented
You can now block legacy clients using conditional access. Clients using ActiveSync, IMAP, POP, SMTP etc. can be blocked using CAP on Portal.azure.com.
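The block-legacy-clients policy mentioned above, expressed as the Microsoft Graph conditionalAccessPolicy body an admin would POST to /identity/conditionalAccess/policies, plus an audit check for policies read back from Graph. This is an added example, not code from the thread; the policy name, the report-only default and the break-glass group placeholder are assumptions.

```python
"""Build and audit an Azure AD Conditional Access policy that blocks legacy
authentication clients (Exchange ActiveSync, IMAP, POP, SMTP). The dict shape
follows the Graph conditionalAccessPolicy resource; the display name and the
excluded group id are constructed placeholders."""
import json

# Graph groups non-modern-auth clients into these two clientAppTypes buckets.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def build_block_legacy_auth_policy(exclude_group_ids=(),
                                   state="enabledForReportingButNotEnforced"):
    """Return the request body for POST /identity/conditionalAccess/policies.
    Defaults to report-only so sign-in logs can be reviewed before enforcing."""
    return {
        "displayName": "Block legacy authentication",  # assumed name
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_legacy_auth(policy):
    """Audit helper: True only if the policy is enforced (not report-only),
    targets all users and all apps, covers both legacy buckets (or "all"),
    and uses the block control. A grant-with-MFA policy is not counted."""
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        return False
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    types = set(cond.get("clientAppTypes", []))
    if "all" not in types and not LEGACY_CLIENT_TYPES <= types:
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


if __name__ == "__main__":
    # Constructed group id placeholder for a break-glass exclusion.
    pol = build_block_legacy_auth_policy(["<break-glass-group-id>"], "enabled")
    print(json.dumps(pol, indent=2))
    print("blocks legacy auth:", blocks_legacy_auth(pol))
```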
We need this too! Still not solved (June 2018).
What is the point in setting MFA if you can bypass it on Android??
We also need this!
John Fedor commented
Conditional access only works with modern-auth applications. Non-modern-auth applications bypass conditional access checks (such as Outlook 2010, and Outlook 2013 without the registry tweak), so app passwords wouldn't be applicable in conditional access scenarios.
Will there be a day when the MS dev teams actually read the feedback?
We need this too!
Has this ever been solved?