{
	"id": "d6f6474c-9e96-490a-af0b-789ff9d3a3e9",
	"created_at": "2026-04-06T03:35:57.862876Z",
	"updated_at": "2026-04-10T03:20:54.664067Z",
	"deleted_at": null,
	"sha1_hash": "997e9745827ba8f43fcfed75625ecd64ad6bcc7c",
	"title": "Configure app passwords for Microsoft Entra multifactor authentication - Microsoft Entra ID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65754,
	"plain_text": "Configure app passwords for Microsoft Entra multifactor authentication - Microsoft Entra ID\r\nBy Justinha\r\nArchived: 2026-04-06 02:11:35 UTC\r\nEnforce Microsoft Entra multifactor authentication with legacy applications using app passwords\r\nSome older, non-browser apps, such as Office 2010 or earlier and Apple Mail before iOS 11, don't understand pauses or breaks in the authentication process. A user for whom Microsoft Entra multifactor authentication is enforced can't successfully authenticate to one of these older, non-browser apps. To use these applications while keeping Microsoft Entra multifactor authentication enforced on user accounts, you can use app passwords. An app password replaces the user's regular password for that app, which lets the app bypass multifactor authentication and work correctly. Because an app password is a static credential that bypasses multifactor authentication, it should be protected and revoked with the same care as the account password itself.\r\nModern authentication is supported for Microsoft Office 2013 clients and later. Office 2013 clients, including Outlook, support modern authentication protocols and can work with two-step verification. After Microsoft Entra multifactor authentication is enforced, app passwords aren't required for these clients.\r\nThis article shows you how to use app passwords for legacy applications that don't support multifactor authentication prompts.\r\nNote\r\nApp passwords don't work for accounts that are required to use modern authentication.\r\nWhen a user account is enforced for Microsoft Entra multifactor authentication, the regular sign-in prompt is interrupted by a request for additional verification. Some older applications don't understand this break in the sign-in process, so authentication fails. To keep the account secure and leave Microsoft Entra multifactor authentication enforced, app passwords can be used instead of the user's regular username and password. 
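Added example (this code is not part of the Microsoft article). An app password can only be presented by a client that authenticates with a legacy protocol, so the sign-ins in which one is used show up in the Entra sign-in log under a legacy clientAppUsed value rather than Browser or Mobile Apps and Desktop clients. The Python below summarises such sign-ins per user from records in the shape returned by the Microsoft Graph auditLogs/signIns endpoint, and builds the Conditional Access policy body that blocks legacy authentication, the policy this article recommends later once app-password creation is disabled, starting it in report-only mode so you can see who would be cut off. Assumed rather than taken from the page: the constructed sample records, the field names used, the placeholder break-glass object ID, and a Graph access token that is allowed to create Conditional Access policies.

```python
'''Added example, not code from the Microsoft article.
(1) legacy_usage_by_user: per-user summary of legacy-authentication sign-ins from
    records shaped like GET https://graph.microsoft.com/v1.0/auditLogs/signIns;
    an app password can only have been used in such a sign-in.
(2) block_legacy_auth_policy: body for POST /identity/conditionalAccess/policies
    that blocks legacy authentication, which also stops existing app passwords.
Assumptions: field names, sample records and the break-glass placeholder are ours;
create_policy needs a Graph token allowed to create Conditional Access policies.'''
import json
import urllib.request
from collections import Counter, defaultdict

GRAPH = 'https://graph.microsoft.com/v1.0'

# The sign-in log marks modern authentication with exactly these two clientAppUsed
# values; everything else (IMAP4, POP3, Exchange ActiveSync, Authenticated SMTP,
# Outlook Anywhere, Autodiscover, Other clients, ...) is a legacy protocol.
MODERN_CLIENT_APPS = {'Browser', 'Mobile Apps and Desktop clients'}


def is_legacy_sign_in(record):
    '''True when the sign-in used a legacy protocol (the only kind that can carry
    an app password). A missing clientAppUsed is treated as legacy, not modern.'''
    return record.get('clientAppUsed', 'Other clients') not in MODERN_CLIENT_APPS


def legacy_usage_by_user(records, successful_only=True):
    '''Map userPrincipalName to a dict of legacy protocol -> sign-in count, so you
    know who a block-legacy-auth policy would affect before you enforce it.'''
    usage = defaultdict(Counter)
    for rec in records:
        if not is_legacy_sign_in(rec):
            continue
        # Graph reports status.errorCode 0 for a successful sign-in.
        if successful_only and (rec.get('status') or {}).get('errorCode', 0) != 0:
            continue
        usage[rec['userPrincipalName']][rec['clientAppUsed']] += 1
    return {upn: dict(counts) for upn, counts in usage.items()}


def block_legacy_auth_policy(display_name='Block legacy authentication',
                             state='enabledForReportingButNotEnforced',
                             exclude_users=()):
    '''Conditional Access policy body for POST /identity/conditionalAccess/policies.
    Defaults to report-only; set state to 'enabled' after reviewing the report-only
    results. exclude_users: object IDs of break-glass accounts to leave out.'''
    return {
        'displayName': display_name,
        'state': state,
        'conditions': {
            'users': {'includeUsers': ['All'], 'excludeUsers': list(exclude_users)},
            'applications': {'includeApplications': ['All']},
            # exchangeActiveSync plus other covers every legacy client app type.
            'clientAppTypes': ['exchangeActiveSync', 'other'],
        },
        'grantControls': {'operator': 'OR', 'builtInControls': ['block']},
    }


def create_policy(policy, access_token):
    '''Create the policy in the tenant (network call; not used by the sample run).'''
    req = urllib.request.Request(
        GRAPH + '/identity/conditionalAccess/policies',
        data=json.dumps(policy).encode('utf-8'),
        headers={'Authorization': 'Bearer ' + access_token,
                 'Content-Type': 'application/json'},
        method='POST')
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample records in the sign-in log shape (not real tenant data).
SAMPLE_SIGN_INS = [
    {'userPrincipalName': 'alice@contoso.example', 'clientAppUsed': 'Browser',
     'appDisplayName': 'Office 365', 'status': {'errorCode': 0}},
    {'userPrincipalName': 'alice@contoso.example', 'clientAppUsed': 'IMAP4',
     'appDisplayName': 'Office 365 Exchange Online', 'status': {'errorCode': 0}},
    {'userPrincipalName': 'bob@contoso.example', 'clientAppUsed': 'Exchange ActiveSync',
     'appDisplayName': 'Office 365 Exchange Online', 'status': {'errorCode': 0}},
    {'userPrincipalName': 'bob@contoso.example', 'clientAppUsed': 'Exchange ActiveSync',
     'appDisplayName': 'Office 365 Exchange Online', 'status': {'errorCode': 0}},
    # A failed legacy sign-in (non-zero errorCode); excluded by default.
    {'userPrincipalName': 'carol@contoso.example', 'clientAppUsed': 'Authenticated SMTP',
     'appDisplayName': 'Office 365 Exchange Online', 'status': {'errorCode': 50126}},
    {'userPrincipalName': 'dave@contoso.example',
     'clientAppUsed': 'Mobile Apps and Desktop clients',
     'appDisplayName': 'Microsoft Office', 'status': {'errorCode': 0}},
]

if __name__ == '__main__':
    print(json.dumps(legacy_usage_by_user(SAMPLE_SIGN_INS), indent=2))
    # Placeholder object ID; substitute your real break-glass account.
    print(json.dumps(block_legacy_auth_policy(
        exclude_users=['<break-glass-object-id>']), indent=2))
```

Run with no arguments to print the per-user legacy summary and the report-only policy JSON. Create the policy in report-only state first, review which users still appear as legacy sign-ins (those are the candidates still relying on app passwords), and only then switch the state to enabled; always keep at least one excluded break-glass account.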
When an app password is used during sign-in, there's no additional verification prompt, so authentication succeeds.\r\nApp passwords are automatically generated, not specified by the user. An automatically generated password is harder for an attacker to guess, so it's more secure. Users don't have to keep track of the passwords or enter them every time, because an app password is entered only once per application.\r\nWhen you use app passwords, the following considerations apply:\r\nThere's a limit of 40 app passwords per user.\r\nApplications that cache passwords and use them in on-premises scenarios can fail, because the app password isn't known outside the work or school account. An example is a mailbox that's in on-premises Exchange while its archive mailbox is in the cloud. In this scenario, the same password doesn't work for both.\r\nAfter Microsoft Entra multifactor authentication is enforced on a user's account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business. However, administrative actions can't be performed by using app passwords through non-browser applications, such as Windows PowerShell. The actions can't be performed even when the user has an administrative account.\r\nTo run PowerShell scripts, create a service account with a strong password, don't enforce two-step verification on that account, and grant it only the permissions the scripts need.\r\nIf you suspect that a user account is compromised and revoke or reset the account password, the app passwords must also be replaced. App passwords aren't automatically revoked when a user account password is revoked or reset, so a compromised app password stays valid until it's deleted. The user should delete existing app passwords and create new ones.\r\nFor more information, see Create and delete app passwords from the Additional security verification page.\r\nWarning\r\nApp passwords don't work in hybrid environments where clients communicate with both on-premises and cloud autodiscover endpoints. Domain passwords are required to authenticate on-premises. App passwords are required to authenticate with the cloud.\r\nApp password names should reflect the device on which they're used. If you have a laptop that has non-browser applications like Outlook, Word, and Excel, create one app password named Laptop for these apps. Create another app password named Desktop for the same applications that run on your desktop computer.\r\nIt's recommended to create one app password per device, rather than one app password per application.\r\nMicrosoft Entra ID supports federation, or single sign-on (SSO), with on-premises Active Directory Domain Services (AD DS). If your organization is federated with Microsoft Entra ID and you're using Microsoft Entra multifactor authentication, the following app password considerations apply:\r\nNote\r\nThe following points apply only to federated (SSO) customers.\r\nApp passwords are verified by Microsoft Entra ID, and therefore bypass federation. Federation is actively used only when setting up app passwords.\r\nThe identity provider (IdP) isn't contacted for federated (SSO) users, unlike in the passive flow. The app passwords are stored in the work or school account. If a user leaves the company, the user's information flows to the work or school account through directory synchronization (DirSync). Disabling or deleting the account can take up to three hours to synchronize, so the app password can remain valid in Microsoft Entra ID until that change arrives.\r\nOn-premises client Access Control settings aren't honored by the app passwords feature.\r\nNo on-premises authentication logging or auditing capability is available with the app passwords feature.\r\nSome advanced architectures require a combination of credentials for multifactor authentication with clients. These credentials can include a work or school account username and password, and app passwords. The requirements depend on how the authentication is performed. For clients that authenticate against an on-premises infrastructure, a work or school account username and password are required. For clients that authenticate against Microsoft Entra ID, an app password is required.\r\nFor example, suppose you have the following architecture:\r\nYour on-premises instance of Active Directory is federated with Microsoft Entra ID.\r\nYou use Exchange Online.\r\nYou use Skype for Business on-premises.\r\nYou use Microsoft Entra multifactor authentication.\r\nIn this scenario, you use the following credentials:\r\nTo sign in to Skype for Business, use your work or school account username and password.\r\nTo access the address book from an Outlook client that connects to Exchange Online, use an app password.\r\nBy default, users can't create app passwords. The app passwords feature must be enabled before users can use them. To give users the ability to create app passwords, an administrator completes the following steps:\r\n1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.\r\n2. Browse to Conditional Access \u003e Named locations.\r\n3. Select \"Configure MFA trusted IPs\" in the bar across the top of the Conditional Access | Named Locations window.\r\n4. On the Multifactor authentication page, select the Allow users to create app passwords to sign in to non-browser apps option.\r\nNote\r\nIf app passwords are enabled, users will be required to create an app password as part of Microsoft Entra multifactor authentication registration.\r\nWhen you disable the ability for users to create app passwords, existing app passwords continue to work. However, users can't manage or delete those existing app passwords once you disable this ability.\r\nWhen you disable the ability to create app passwords, it's also recommended to create a Conditional Access policy that blocks legacy authentication. Because app passwords only work over legacy authentication protocols, this policy stops existing app passwords from working and forces the use of modern authentication methods.\r\nWhen users complete their initial registration for Microsoft Entra multifactor authentication, they're asked to create an app password at the end of the registration process.\r\nUsers can also create app passwords after registration. For more information and detailed steps for your users, see the following resource:\r\nCreate app passwords from the Security info page\r\nFor more information on how to allow users to quickly register for Microsoft Entra multifactor authentication, see Combined security information registration overview.\r\nFor more information about enabled and enforced user states for Microsoft Entra multifactor authentication, see Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.\r\nSource: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords"
	],
	"report_names": [
		"howto-mfa-app-passwords"
	],
	"threat_actors": [],
	"ts_created_at": 1775446557,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/997e9745827ba8f43fcfed75625ecd64ad6bcc7c.pdf",
		"text": "https://archive.orkl.eu/997e9745827ba8f43fcfed75625ecd64ad6bcc7c.txt",
		"img": "https://archive.orkl.eu/997e9745827ba8f43fcfed75625ecd64ad6bcc7c.jpg"
	}
}