Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

APP Passwords - any way to restrict it to only those that need it?

We disable app passwords as we don't see a password that doesn't change as particularly secure. Granted, it "should" be used only once and not written down anywhere... It will now be available to all users as a result of the changes we need to make in order to support MFA for certain applications and the new MS requirements. Is there any way to have app passwords only enabled for some accounts (i.e., these service accounts)? To the best of my knowledge, it is tenant-wide on or off.



You are correct, this setting is tenant wide. 

Unfortunately there is currently neither an option to restrict it per user (add your vote here) nor an option to identify all users that are using app passwords (feedback here).

However, it should be possible to get some info from Azure AD sign-in reports - "MFA Auth Method" is a property that is reported and should contain info if an app password has been used - by using filtering you could identify users, apps & devices. If I find some time I'll try to test this.

Kind regards,
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
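
The filtering idea from the reply above, sketched as an added example (not part of the original thread and not Microsoft's tooling): it reads an exported sign-in report and groups the users, apps and devices whose "MFA Auth Method" value mentions an app password. The column names other than "MFA Auth Method", the `app password` match string and the sample rows are assumptions; check them against what your own export contains.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for an exported sign-in report. Only the
# "MFA Auth Method" column is named in the thread; the other column names,
# the values and the accounts are assumptions for illustration.
SAMPLE_EXPORT = """\
Date (UTC),Username,Application,Device ID,MFA Auth Method
2019-03-01T08:00:00Z,svc-scan@contoso.example,Legacy Mail Client,dev-01,App password
2019-03-01T09:15:00Z,alice@contoso.example,Office Portal,dev-02,Mobile app notification
2019-03-02T10:30:00Z,SVC-scan@contoso.example,Legacy Mail Client,dev-01,App Password
2019-03-02T11:00:00Z,bob@contoso.example,Legacy Sync Tool,,app password
2019-03-03T12:00:00Z,alice@contoso.example,Office Portal,dev-02,
"""


def app_password_users(csv_text, marker="app password"):
    """Return {user: {count, apps, devices, last_seen}} for matching sign-ins."""
    reader = csv.DictReader(io.StringIO(csv_text))
    # Map lower-cased header -> real header, since exports vary in capitalisation.
    cols = {name.strip().lower(): name for name in reader.fieldnames or []}
    if "mfa auth method" not in cols:
        raise ValueError("export has no 'MFA Auth Method' column")

    def field(row, key):
        # Missing columns and short rows both come back as an empty string.
        return (row.get(cols.get(key, ""), "") or "").strip()

    users = defaultdict(
        lambda: {"count": 0, "apps": set(), "devices": set(), "last_seen": ""})
    for row in reader:
        if marker not in field(row, "mfa auth method").lower():
            continue  # interactive MFA method, or no MFA recorded
        entry = users[field(row, "username").lower()]  # fold case variants
        entry["count"] += 1
        entry["apps"].update(filter(None, [field(row, "application")]))
        entry["devices"].update(filter(None, [field(row, "device id")]))
        # ISO 8601 UTC timestamps sort correctly as plain strings (assumed format).
        entry["last_seen"] = max(entry["last_seen"], field(row, "date (utc)"))
    return dict(users)


if __name__ == "__main__":
    for user, info in sorted(app_password_users(SAMPLE_EXPORT).items()):
        print(user, info["count"], sorted(info["apps"]),
              sorted(info["devices"]), info["last_seen"])
```

Accounts that show up here but are not on the approved service-account list are the ones to follow up on, since the tenant-wide setting cannot exclude them.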