APP Passwords - any way to restrict it to only those that need it?
We disable app passwords as we don't see a password that doesn't change as particularly secure. Granted, it "should" be used only once and not written down anywhere... it will now be available to all users as a result of the changes we need to make in order to support MFA for certain applications and the new MS requirements. Is there any way to have app passwords only enabled for some accounts? (i.e., these service accounts) To the best of my knowledge, it is tenant-wide on or off.
You are correct, this setting is tenant wide.
However, it should be possible to get some info from Azure AD sign-in reports - "MFA Auth Method" is a property that is reported and should contain info if an app password has been used - by using filtering you could identify users, apps & devices. If I find some time I'll try to test this.
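As an added example (not part of the thread above, and not something the replier posted), here is one way to do that filtering from PowerShell instead of the portal, using the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Reports`, cmdlet `Get-MgAuditLogSignIn`, which needs the `AuditLog.Read.All` permission). It pulls the last 30 days of sign-ins and keeps those whose MFA detail or authentication details mention an app password, then summarises them per user with the apps, devices and client types involved. The exact text that Azure AD writes into the MFA auth method field for an app-password sign-in is an assumption here (matched case-insensitively as "app password"); confirm it once against a known app-password sign-in exported from the portal before relying on the report.

```powershell
# Added example: find accounts that actually sign in with an app password.
# Assumes the Microsoft.Graph.Reports module is installed and the signed-in admin
# has AuditLog.Read.All. Sign-in log retention depends on the tenant's licence,
# so the 30-day window may need to be shortened.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# OData filter: only sign-ins from the last 30 days (UTC timestamp required).
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# ASSUMPTION: the auth method text for app passwords contains "app password".
# Check MfaDetail.AuthMethod and the per-step AuthenticationDetails list.
$pattern = 'app password'
$appPwdSignIns = $signIns | Where-Object {
    ($_.MfaDetail -and $_.MfaDetail.AuthMethod -imatch $pattern) -or
    ($_.AuthenticationDetails | Where-Object { $_.AuthenticationMethod -imatch $pattern })
}

# One row per user: how often, from which apps/devices/client types, and when last seen.
$report = $appPwdSignIns |
    Group-Object UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            SignIns    = $_.Count
            Apps       = ($_.Group.AppDisplayName | Sort-Object -Unique) -join '; '
            Devices    = ($_.Group.DeviceDetail.DisplayName | Sort-Object -Unique) -join '; '
            ClientApps = ($_.Group.ClientAppUsed | Sort-Object -Unique) -join '; '
            LastSeen   = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize

# Keep a copy for the change record / follow-up with the account owners.
$report | Export-Csv -Path .\app-password-signins.csv -NoTypeInformation
```

The `ClientApps` column is useful on its own: app passwords are only accepted by clients that cannot do interactive MFA, so the client app values point at the protocol each account is still using, which is what you need when deciding whether a service account really requires the app password or can be moved to a modern-auth client. Everyone who shows up in the report and is not one of the expected service accounts is a candidate for a conversation and, once the legacy client is gone, for having the app password revoked.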