2-Factor Authentication - Bypass/Remove App Password Option

I am trying to test Microsoft Two-Factor Authentication. We are currently in a hybrid Office 365 environment with 99.9% of our mailboxes in the cloud.
Personally, after enabling 2FA on my account in Azure... I get prompted for my credentials, then it calls my mobile phone as expected. Works great.

The only issue I seem to be having is that my mobile device is prompting me for my Exchange mailbox profile password, and it won't accept my current network password. Come to find that I need to generate an App Password, which is going to make it so painful to mass deploy to end users.

Is there any way to NOT use the app password and allow the current network password to be accepted when prompted?
Christian Hans (Undecided...) Asked:

Vasil Michev (MVP) Commented:
Yes, use clients/applications that support Modern authentication. And modern authentication needs to be enabled tenant-wide: https://support.office.com/en-us/article/using-office-365-modern-authentication-with-office-clients-776c0036-66fd-41cb-8928-5495c0f9168a
1

Mahesh (Architect) Commented:
If you are using a pre-Outlook 2013 version (i.e. 2010), the app password cannot be skipped once you have enabled MFA, because Outlook 2010 does not support modern authentication.
In that case, don't enable MFA for those users, or upgrade them to at least Office 2013 SP1 or above.
0
Eric Woodford (Software Systems Specialist 3) Commented:
We recently deployed O365 with 2FA.

1) 2FA (and no app passwords) requires that your ADFS is running in Modern Auth. Standard Auth (as stated above) requires app passwords. The App Password prompt (in Outlook) looks identical to a user credential prompt. We didn't want our users to need to enter a new app password with each AD password change, so we changed over to Modern Auth.

2) Make sure your mobile application supports 2-factor. I'd suggest (as what we're using) requiring your clients use the Outlook app on their phones.

As an addition to Mahesh's comment, Outlook 2013 SP1 is by default Standard Auth, so you need to configure the two registry keys to enable it (ref: https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910). Outlook 2016 has Modern Auth enabled by default.

Are you using the O365 MDM solution? Intune installed? Mobile authenticator configured on your phone? The password prompt could actually be the Intune solution failing to configure itself as a device administrator. We pushed down mobile policies that require device encryption. When it fails to enable this option, the user gets a very degraded performance.
0
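
The client-side check behind the "two registry keys" mentioned in the comment above, as an added example that is not part of the thread: it reports whether Office 2013 on the current user profile is set to use Modern Auth, and can set the values. Assumptions: the value names `EnableADAL` and `Version` and the `15.0\Common\Identity` path come from Microsoft's Office 2013 Modern Authentication guidance, not from this page; the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the per-user values that switch
# Office 2013 clients from Standard Auth to Modern Auth (ADAL).
# Assumption: key path and value names follow Microsoft's Office 2013 guidance.
$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$Required    = [ordered]@{ EnableADAL = 1; Version = 1 }

function Get-ModernAuthState {
    param([string]$Path = $IdentityKey)
    foreach ($name in $Required.Keys) {
        # A missing key or value means Office 2013 stays on Standard Auth.
        $current = $null
        if (Test-Path -LiteralPath $Path) {
            $item = Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.$name }
        }
        [pscustomobject]@{
            Name     = $name
            Expected = $Required[$name]
            Current  = $current
            Ok       = ($current -eq $Required[$name])
        }
    }
}

function Enable-ModernAuth {
    param([string]$Path = $IdentityKey)
    # Create the key if absent, then write both DWORD values.
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Required.Keys) {
        New-ItemProperty -LiteralPath $Path -Name $name -Value $Required[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-ModernAuthState
$state | Format-Table -AutoSize
if ($state.Ok -contains $false) {
    Write-Warning 'Office 2013 will use Standard Auth here; MFA users will be asked for an app password.'
    # Uncomment to apply for the current user, then restart Outlook:
    # Enable-ModernAuth
}

# Tenant side (run in an Exchange Online PowerShell session):
#   Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
```

Both the client values and the tenant-wide setting need to be in place before MFA-enabled users stop seeing the app password prompt in Outlook 2013.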