MFA For O365, App password

  • Question

  • Hi, 

    When enabling MFA for O365 users and selecting "Do not allow users to create app passwords to sign in to non-browser apps", does this force Outlook and Skype for Business to use MFA every time a user opens the app? 

    Monday, December 19, 2016 2:01 PM

Answers

  • Hi,

    Greetings from Microsoft Azure!

    As far as I know, when you select "Do not allow users to create app passwords to sign in to non-browser apps" the users will be prompted for MFA.

    Are you using Office 2013 or 2016?

    We highly recommend using modern authentication for O365. It works with both Office 2013 and Office 2016 clients, although modern auth is enabled by default in Office 2016, while registry keys need to be enabled in Office 2013. If using modern authentication, users can use their domain passwords and perform MFA instead of having to use app passwords.

    If you own AAD Premium, you have the option to either enable your users for MFA or to configure conditional access policies on the O365 apps such as Exchange Online. When you enable a user for MFA and they go through the registration process, their MFA state is changed from Enabled to Enforced. Once enforced, they can only connect from clients that don't support modern authentication (e.g. Office 2010, iOS mail app, Android mail app) using an app password. If using conditional access for Exchange Online, you can allow Exchange ActiveSync (EAS) with regular password, or you can set a policy to only allow EAS on compliant devices.
    In that case, users can still use their regular password with EAS clients, but only on devices that have been enrolled with Intune. Otherwise, they will need to use apps that support modern authentication such as the Outlook mobile app and Office 2016.

    You should ensure that modern authentication is enabled for both Exchange Online and Skype for Business. There are links to those instructions from https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. Modern authentication is enabled in your tenant for SharePoint Online by default.

    There is also some good information about modern authentication with Office 2013 and Office 2016 at https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517?ui=en-US&rs=en-US&ad=US.

    Hope that helps!

    Best Regards

    Sadiqh Ahmed
    ________________________________________________________________________________________________

    If this post was helpful to you, please up vote it and/or mark it as an answer so others can more easily find it in the future

    Tuesday, December 20, 2016 11:02 AM
  • If you have app passwords enabled and have users that are already registered for MFA, those users can delete their own app passwords, or the admin can go into the screen where you enable users for MFA, select some of the Enforced users that you want to test with and click "Manage user settings". One of the options you can select is to delete all of those users' app passwords. That doesn't necessarily prevent them from going into their profile and generating new app passwords, but will allow you to test what happens when a user doesn't have any app passwords. For users that don't have app passwords, or if you turn app passwords off for your tenant, their only option is to use a web browser (e.g. OWA) or to use apps that support modern authentication. That means that modern authentication needs to be enabled in your tenant as well per the articles referenced in Sadiqh's response above. Users who use modern authentication with apps such as Outlook 2016 don't have to perform MFA every time they sign in. Modern authentication uses an access token that expires every hour and a refresh token that expires after 14 days of non-use, with a max lifetime of 90 days. The refresh token is used to get new access tokens each hour. When a new access token is granted, a new refresh token is issued at the same time. This allows the user to keep accessing the app (e.g. Outlook) for up to 90 days without re-authenticating as long as they are using the app at least every 14 days. If you want to shorten that, you can use the "Remember MFA" feature. 

    When an admin configures the Remember MFA number of days in the MFA Service Settings page, that applies to cloud-based MFA in Azure AD. When performing MFA through Azure AD the user sees the option to “Don’t ask again for X days” when signing in with a web browser. In that case, it sets a cookie in the user’s browser so that the user doesn’t have to perform MFA again from that browser until the cookie expires. When using a client that supports modern authentication, Azure AD ensures that the MFA Max Age present in a refresh token doesn’t exceed the Remember MFA number of days configured for the tenant. So when Azure AD evaluates a refresh token to issue a new access token, it should require MFA again if the Max MFA Age in the token has exceeded the Remember MFA duration. So if you set the Remember MFA number of days to 7, users enabled for MFA will have to re-authenticate every 7 days through Outlook or another modern auth client.
    Wednesday, December 21, 2016 5:22 PM
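The answer above describes three timers that decide whether a modern-auth client such as Outlook 2016 can renew its access token silently or has to send the user back through sign-in or MFA: the 1-hour access token, the 14-day inactivity expiry of the refresh token, the 90-day maximum refresh-token lifetime, and the tenant's "Remember MFA" number of days. The following is an added example, not code from the thread or from Microsoft: it models those rules as stated in the post so an admin can reason about what a given usage pattern will produce before changing the tenant setting. The constants, the `RefreshToken` fields and the decision order are assumptions that simplify the post's description; real Azure AD token policy has more inputs than this.

```python
"""Model of the refresh-token rules described in the forum answer (added example).

Assumptions (taken from the post, not from Azure AD documentation):
  - an access token lives 1 hour; a client renews it with its refresh token
  - a refresh token dies after 14 days of non-use or 90 days after the chain began
  - each silent renewal issues a new (rolling) refresh token
  - the tenant's "Remember MFA" days cap how old the MFA claim in the token may be
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

ACCESS_TOKEN_LIFETIME = timedelta(hours=1)
REFRESH_INACTIVITY_LIMIT = timedelta(days=14)
REFRESH_MAX_LIFETIME = timedelta(days=90)

# Constructed sample start time for the scenarios below.
START = datetime(2016, 12, 19, 14, 0)


class Outcome(Enum):
    ACCESS_VALID = "cached access token still valid, nothing sent to Azure AD"
    SILENT_REFRESH = "new access + refresh token issued, no prompt"
    MFA_REQUIRED = "refresh token alive, but MFA max age exceeded: MFA again"
    REAUTH_REQUIRED = "refresh token expired: full interactive sign-in"


@dataclass
class RefreshToken:
    issued_at: datetime        # when the current (rolling) refresh token was issued
    first_issued_at: datetime  # start of the 90-day chain (last interactive sign-in)
    last_mfa_at: datetime      # when the user last completed MFA


def evaluate_refresh(token, now, remember_mfa_days=None):
    """Decide what Azure AD does when a client presents `token` at time `now`."""
    if now - token.issued_at > REFRESH_INACTIVITY_LIMIT:      # 14 days unused
        return Outcome.REAUTH_REQUIRED
    if now - token.first_issued_at > REFRESH_MAX_LIFETIME:    # 90-day ceiling
        return Outcome.REAUTH_REQUIRED
    if remember_mfa_days is not None and \
            now - token.last_mfa_at > timedelta(days=remember_mfa_days):
        return Outcome.MFA_REQUIRED
    return Outcome.SILENT_REFRESH


def simulate(first_sign_in, usage_times, remember_mfa_days=None):
    """Replay a list of app-use timestamps; returns [(time, Outcome), ...]."""
    token = RefreshToken(first_sign_in, first_sign_in, first_sign_in)
    access_issued = first_sign_in
    log = []
    for now in sorted(usage_times):
        if now - access_issued <= ACCESS_TOKEN_LIFETIME:
            log.append((now, Outcome.ACCESS_VALID))
            continue
        outcome = evaluate_refresh(token, now, remember_mfa_days)
        if outcome is Outcome.REAUTH_REQUIRED:
            token = RefreshToken(now, now, now)   # new chain after full sign-in
        elif outcome is Outcome.MFA_REQUIRED:
            token.last_mfa_at = now               # fresh MFA claim, chain continues
            token.issued_at = now
        else:
            token.issued_at = now                 # rolling refresh token
        access_issued = now
        log.append((now, outcome))
    return log


def daily_usage(start, first_day, last_day):
    """One app launch per day at the same clock time (constructed usage pattern)."""
    return [start + timedelta(days=d) for d in range(first_day, last_day + 1)]


def days_of(log, outcome, start=START):
    """Day offsets from `start` on which `outcome` occurred."""
    return [(t - start).days for t, o in log if o is outcome]


if __name__ == "__main__":
    for label, days in (("no Remember MFA", None), ("Remember MFA = 7 days", 7)):
        log = simulate(START, daily_usage(START, 1, 100), remember_mfa_days=days)
        print(label, "-> MFA on days", days_of(log, Outcome.MFA_REQUIRED),
              "full sign-in on days", days_of(log, Outcome.REAUTH_REQUIRED))
```

Run it as-is to see the two cases the post contrasts: with daily use and no Remember MFA setting, the user is only sent back to a full sign-in once the 90-day ceiling is hit; with Remember MFA set to 7 days, an MFA prompt recurs every 8th day because the MFA claim is then older than 7 days at renewal time. Feeding a usage gap longer than 14 days to `simulate` shows the inactivity expiry instead.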

All replies

  • Hi,

    Thank you for contacting Microsoft forums. We are pleased to answer your query.

    The query posted by you has not reached the right forum. In order to assist best on your query, I am moving the query to the right forum.

    This will assist you with a faster reply to your query.


    Regards,

    Ashok

    Tuesday, December 20, 2016 6:12 AM
  • Hi!

    Thank you for the quick response! We are using Office 2016 but AAD Basic, not Premium. We are trying to avoid using the app password and using MFA for all client logins. Do you know if we can turn the app password off for a couple of users to test out? We do not want to affect the entire tenant but just test the MFA feature for all clients, i.e. Outlook 2016 or Skype for Business. Thanks again for the prompt response!

    Best regards,

    Jason Tremper

    Tuesday, December 20, 2016 2:22 PM