Some applications and services for Microsoft 365 (for example, Skype for Business) use app passwords as an authentication method when multi-factor authentication (MFA) is enabled. The problem is that after enabling MFA for the organization, some or even all users may not be able to create and use app passwords. This article shows what you can do if you find out that app passwords are not working in your Microsoft 365 tenant.
What are app passwords?
App passwords are created for each MFA-enabled account to allow signing in to non-browser applications (in which case you are unable to use additional security verification methods, such as providing a code sent via a text message or approving a notification through the Microsoft Authenticator app). Those passwords don’t expire, and you can use them in different programs at the same time. However, from the security perspective, the best practice is to use one password per app, especially since each user can create up to 40 app passwords. This way, if any of those passwords gets compromised, you can delete it and continue using the remaining ones.
Microsoft security policies prevent creating app passwords in Microsoft 365
There are two common reasons why a user might not be able to create or use an app password. The first is that users aren’t allowed to do so; the second is that the specific user doesn’t have MFA enabled. See how to fix each of those issues below.
Allow users to create app passwords
- Open the Microsoft 365 admin center and go to Users > Active users. Click the Multi-factor authentication button while no users are selected. This will let you access MFA settings. You need to be in the Authentication Administrator Azure AD role (or a Global Administrator) to have access to this resource.
- In the service settings tab, choose the Allow users to create app passwords to sign in to non-browser apps option and save changes.
If this option was already checked or if users still cannot create app passwords, try the solution below.
Enable MFA for a chosen user
Users who don’t have MFA enabled will not be able to use app passwords. Those users don’t require app passwords: they use their standard user password whenever they need to log in to Microsoft 365 from non-browser applications. To allow those users to create and use app passwords, you must first turn on MFA for them.
- In the MFA portal (where you allow users to create app passwords) you can check which users have MFA turned on. If a certain user cannot create app passwords, enable MFA for them. If the authentication is already set to Enabled, restart it by disabling and enabling it again.
- Changes applied in the MFA portal can take a while to propagate. It may also be necessary for the affected user to sign out and sign back in to their Microsoft 365 account. To speed this up, you can go to the Active users pane again and force a sign-out for the user.
- If the user still cannot select app password, try disabling and reenabling MFA again.