What to do if you cannot create an app password in Microsoft 365


Some non-browser applications and services for Microsoft 365 use app passwords as an authentication method when multi-factor authentication (MFA) is enabled. The problem is that after enabling MFA for the organization, some or even all users may not be able to create and use app passwords.

What are app passwords?

App passwords are created for each MFA-enabled account to allow signing in to non-browser applications (in which case you are unable to use additional security verification methods, such as providing a code sent via a text message or approving a notification through the Microsoft Authenticator app). Those passwords don’t expire, and you can use them in different programs at the same time. However, from the security perspective, the best practice is to use one password per app, especially since each user can create up to 40 app passwords. This way, if any of those passwords gets compromised, you can delete it and continue using the remaining ones.

Microsoft security policies prevent creating app passwords in Microsoft 365

There are two common reasons why a user might not be able to create or use an app password. The first is that users aren’t allowed to create app passwords at all; the second is that the specific user doesn’t have MFA enabled in the legacy MFA portal. See how to fix each of those issues below.

Allow users to create app passwords

  1. Open the Microsoft 365 admin center and go to Users > Active users. Click the Multi-factor authentication button while no users are selected. This will let you access MFA settings. You need to be in the Authentication Administrator role (or the Global Administrator one) to access this resource.
  2. (Optional) If you see the MFA wizard screen, click Legacy per-user MFA to proceed.
  3. On the service settings tab, choose Allow users to create app passwords to sign in to non-browser apps and save changes.

If this option is already enabled, but your users still cannot create app passwords, try the solution below.

Enable and enforce MFA for a chosen user

Users who don’t have MFA enabled will not be able to use app passwords. To allow those users to create and use app passwords, you must first turn MFA on and then enforce MFA for them, as shown below.

  1. In the MFA portal you accessed in the previous section, you can check which users have MFA turned on. If the affected user cannot create app passwords, enable MFA for them by selecting the user and choosing Enable. Confirm your choice in the popup that opens.
  2. Next, select the same user again and enforce MFA for them by clicking Enforce. Again, confirm your choice by clicking enforce multi-factor auth in the popup that shows up.
  3. Changes applied in the MFA portal can take a while to propagate. It may also be necessary for the affected user to sign out and sign in to their Microsoft 365 account. To make it quicker, you can go to the Active users page again and sign the user out of all sessions.

Now, the app password should appear for the user as one of the available authentication methods on the Security info page.
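To confirm the state set in the steps above without clicking through the portal, you can read the per-user MFA state from Microsoft Graph. The script below is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK, an existing Connect-MgGraph session allowed to read per-user MFA settings, and placeholder user names. It uses the beta endpoint, which may change.

```powershell
# Added example: read-only check of the per-user MFA state (disabled | enabled | enforced).
# Assumption: Connect-MgGraph has already been run with sufficient read permissions.
# The tenant-wide "Allow users to create app passwords" setting is NOT checked here;
# verify it on the service settings tab as described earlier.
function Get-PerUserMfaState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$UserPrincipalName
    )
    process {
        # Escape the UPN so characters such as '#' in guest UPNs do not break the URL.
        $id  = [uri]::EscapeDataString($UserPrincipalName)
        $uri = "https://graph.microsoft.com/beta/users/$id/authentication/requirements"
        try {
            $req   = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop
            $state = $req.perUserMfaState
            $note  = switch ($state) {
                'enforced' { 'MFA enforced: app passwords should be available.' }
                'enabled'  { 'MFA enabled but not enforced: click Enforce in the MFA portal.' }
                'disabled' { 'MFA disabled: enable, then enforce MFA for this user.' }
                default    { 'Unexpected state: check the user in the MFA portal.' }
            }
        }
        catch {
            $state = 'unknown'
            $note  = "Lookup failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            User            = $UserPrincipalName
            PerUserMfaState = $state
            Note            = $note
        }
    }
}

# Placeholder accounts; replace with the affected users.
'user1@example.com', 'user2@example.com' | Get-PerUserMfaState | Format-Table -AutoSize
```

Users reported as enabled or disabled are the ones to fix in the MFA portal before they try to create an app password again.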



Comments

    • Adam the 32-bit Aardvark says:

      Despite being labeled as “legacy”, app passwords should still work, they weren’t made obsolete, yet. If you’re experiencing problems after going through the steps mentioned in the article, I’d recommend diving into your Conditional Access Policies. They might be blocking legacy authentication methods.

  1. Thanks a lot. Great HowTo!

    Please mind that you will only be able to add an App Password once you have a different MFA option properly set up (e.g. Phone Call, Authenticator).

  2. 4 hours later, I read the comments. I am so happy you shared the secret button. MS Docs are crap at best. And now, ENTRA replaces AZURE…. but WHY change for change's sake, just because a member of the Azure tribe in Madagascar might be offended? Jimminey Christ, enough already. Gonna close my practice and start a lawn mowing company where the name of a lawn mower will always be “lawn mower” and not changed to EntraZure or anything else. EVER.

  3. Thanks at E this was the solution we searched for an hour to find this option. Crazy Microsoft did not update the documentation.

  4. Make sure to go back to the MFA where you clicked enable for the user and also click Enforce. If you don’t have a policy Enforcing it already. Once you do this, then the app password option will show up.
