• Status: Solved

2-Factor Authentication - Bypass/Remove App Password Option

I am trying to test Microsoft Two-Factor Authentication; we are currently in a hybrid Office 365 environment with 99.9% of our mailboxes in the cloud.
Personally, after enabling 2FA on my account in Azure... I get prompted for my credentials, then it calls my mobile phone as expected. Works great.

The only issue I seem to be having is that my mobile device is prompting me for my Exchange mailbox profile password, and it won't accept my current network password. Come to find that I need to generate an app password, which is going to make it so painful to mass deploy to end users.

Is there any way to NOT use the app password and allow the current network password to be accepted when prompted?
Christian Hans
2 Solutions
Vasil Michev (MVP) Commented:
Yes, use clients/applications that support Modern authentication. And modern authentication needs to be enabled tenant-wide: https://support.office.com/en-us/article/using-office-365-modern-authentication-with-office-clients-776c0036-66fd-41cb-8928-5495c0f9168a
If you are using pre-Outlook 2013 (i.e. 2010), the app password cannot be skipped once you have enabled MFA, because Outlook 2010 does not support modern authentication.
In that case, don't enable MFA for those users, or upgrade them to at least Office 2013 SP1 or above.
Eric Woodford (Software Systems Specialist 3) Commented:
We recently deployed O365 with 2FA.

1) 2FA (and no app passwords) requires that your ADFS is running in Modern Auth. Standard Auth (as stated above) requires app passwords. The App Password prompt (in Outlook) looks identical to a user credential prompt. We didn't want our users to need to enter a new app password with each AD password change, so we changed over to Modern Auth.

2) Make sure your mobile application supports 2-factor. I'd suggest (as what we're using) requiring your clients use the Outlook app on their phones.

As an addition to Mahesh's comment, Outlook 2013 SP1 is by default Standard Auth, so you need to configure the two registry keys to enable it (ref: https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910). Outlook 2016 has Modern Auth enabled by default.

Are you using the O365 MDM solution? Intune installed? Mobile authenticator configured on your phone? The password prompt could actually be the Intune solution failing to configure itself as a device administrator. We pushed down mobile policies that require device encryption. When it fails to enable this option, the user gets a very degraded performance.
Question has a verified solution.
