Some Microsoft 365 applications and services (such as Skype for Business) use app passwords as an authentication method when multi-factor authentication (MFA) is enabled. The problem is that after enabling MFA for the organization, some or even all users might not be able to create and use app passwords. This article shows what you can do if you find that app passwords aren’t working in your Microsoft 365 tenant.
What are app passwords?
App passwords are created for each MFA-enabled account to allow login to non-browser applications (in this case, you cannot use additional security verification methods, such as authenticator app). These passwords do not expire and you can use them in different programs at the same time. From a security perspective, however, it’s a good idea to use one password per app, especially since each user can create up to 40 app passwords. This way, if any of these passwords are compromised, you can delete them and keep using the remaining ones.
Microsoft security policies prevent creating app passwords in Microsoft 365
There are two most common reasons why a given user might not be able to create or use an app password. The first is that users do not have rights to it, the second – the specific user has not enabled MFA. See how to fix each of these issues below.
Allow users to create app passwords
- open that Microsoft 365 admin center and go to user > Active Users. press the Multi-Factor Authentication button while no users are selected. This will give you access to the MFA settings. You must have the Azure AD role “Authentication admin” (or a global admin) to access this resource.
- In which Service Settings tab, select the Allow users to create app passwords to log in to non-browser apps option and save the changes.
If this option was already enabled or users are still unable to create app passwords, try the following solution.
Enable MFA for a selected user
Users who don’t have MFA enabled can’t use app passwords. These users don’t need app passwords – they use their default user password whenever required to sign in to Microsoft 365 with non-browser applications. In order for these users to create and use app passwords, you must first enable MFA for them.
- In which MFA portal (where you allow users to create app passwords) you can check which users have MFA enabled. If a specific user can’t create app passwords, enable MFA for them. If authentication is already set Allowedrestart it by disabling and re-enabling it.
- Changes applied in the MFA portal may take a while to propagate. It may also require the affected user to sign out and sign in to their Microsoft 365 account. To make it faster, you can go to the Active Users section again and force the user to log out:
- If the user still can’t select the app password, try disabling and re-enabling MFA.