none
[MFA] App Password Scopes and Questions

    Question

  • Hi All,

    Recently we found the app password can be used to access the Office 365 directory information via Provisioning API (https://provisioningapi.microsoftonline.com/provisioningwebservice.svc ). However I didn't find any information about the access scope of app password, as far as I know, the app password only works for exchange, SharePoint, Lync. So my questions are:

    1. What's the access scope for app password?

    2. The app password used to access Office 365 directory information only works for local machine to access the local Office 365 tenant. For example, one cloud VM located in U.S. cannot access the Australian Office 365 tenant because of the authentication failed, however the Australian VM can do this.

    Anyone can help this? Thank you.

    The original comments posted here


    Long


    Thursday, January 4, 2018 12:48 AM

All replies

  • Hi,

    The App password are a replacement of your user credentials and multifactor authentication.

    Which MFA solution are you using:

    • Azure MFA for Office 365;
    • Azure MFA for Azure AD;

    This is where the scope is defined for which services.

    In regards for the region limitation, I don't where this is coming from.

    MFA itself is not able to limit for region. This can be done within Azure AD and Conditional Access.

    With kind regards,

    Bas Arkesteijn

    Thursday, January 4, 2018 12:40 PM
  • Hi Bas,

    We are using Azure MFA for Office 365.

    About the second question, we are testing the following PowerShell Cmdlet in different region, and got different results:

    $SecPass = ConvertTo-SecureString "****" -AsPlainText -Force
    $O365Cred = New-Object System.Management.Automation.PSCredential ("***", $SecPass)
    Connect-MsolService –Credential $O365Cred
    Get-MsolCompanyInformation

    The MSOnline Version is 1.0 (not 1.1 or 2.0), the version 1.0 is using the live id token (IDCRL) method to do authentication, and the script works well in non-U.S. region. However we didn't configure any conditional access for this MFA user.

    We tried to open a support ticket in Office 365, but no result from the support team because this is out of their knowledge. So that's why I posted here.

    Please let me know if you need more information, thank you for your help.

    Best Regards,

    Long


    Long

    Monday, January 8, 2018 5:51 AM
  • @long liang, An app password is working with the provisioning API, this isn't clear to me. App passwords are designed to work with legacy authentication when per-user MFA is enforced. In that case, MFA can’t be performed so the app password is required instead of the regular password.
    -----------------------------------------------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.
    Tuesday, January 9, 2018 6:42 AM
    Moderator
  • The current version of the MSOnline module is 1.1.166.0. Suggest you to use this module to see if the problem persists there.
    -----------------------------------------------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.
    Thursday, January 11, 2018 6:27 AM
    Moderator
  • Hi Sadiqh,

    Yes, as far as I know, the app password should not be able to access the provision api, but the problem is that the app password can access the provision api with MSOnline 1.0 version, I'm not sure if it's a bug or design? If it's a bug, it should be security issue. However no one treat it as an issue!

    I tested the MSOnline Version 1.1.166.0 which is not using the IDCRL authentication, it's using the ADAL to do authentication, so the app password doesn't work.

    Any questions please let me know, thank you for your input and suggestion.

    Best Regards,

    Long


    Long

    Friday, January 12, 2018 2:27 AM