Allow only some users to create app passwords
App passwords are a bad idea. They are ugly enough that users are going to write them down on a post-it and leave it on their desk (which is worse for security).
I don't want some of my users to be able to create app passwords, like external partners who have internal accounts. But it looks like this is only a global setting.
It would be nice if I could be more granular with this control.
Transforming the "allow users to create app passwords" setting from tenant-wide to user-based. It could be deployed the same way that "per-user MFA" is deployed. It could even use the same MFA menu.
That would give complete control for a Global Admin to deploy MFA & enable/disable app password creation for specific users.
Transforming the "allow users to create app passwords" setting from tenant-wide to user-based, in a similar way to "per-user MFA", targeting specific users.
This way, a Global Admin would have complete control to deploy MFA and enable/disable app passwords on a per-user level.
A smart attack approach would be to create app passwords where possible. Most users wouldn't even know they have one, and if you named it something like "HelpDesk - Do Not Delete" they would leave it alone even if they found it.
Now you've got a login that bypasses MFA and is not affected by password change.
This is a crazy state to leave app passwords in!
Agreed. 99% of my users do not require app passwords. I only require them for a few users, mainly admins using legacy software like SharePoint Designer. The whole security principle of minimum required privilege is not being followed by the current settings.
What's more, to make things even worse, if the "allow app passwords" setting is turned on, then every single new user automatically gets an app password created when MFA is enabled, whether they want it or not. This is just bad practice, plain and simple.